Static IPs, whitelisting

Question

Right now I’m using firewall rules on my AWS RDS db and external Redis db to only allow incoming connections from my droplets.
Switching to the App Platform, how can this be handled? Since there doesn’t seem to be an option to assign a static IP (or a set of IPs) to the containers that are spun up, I would have to update the list of allowed IPs each time in an after deploy job I guess?
Is that the recommended approach?
If so, how can I access the container’s IP in the job? I don’t see a env var for this…

Answer 1

cbaker November 24, 2020

App Platform apps do not have a static-IPs. We’ve heard requests for static IPs as an add-on feature and are considering it. In the mean time, we recommend using TLS encryption and strong authentication to secure connections to external resources.

Reply Report

manuelmeurer November 24, 2020

Ok thanks!

I could imagine that lots of people have this requirement. Since DO already provides floating IPs for droplets, I kinda expected to be able to assign an IP to an app/container as well. :)

Is there a way to access the container’s IP in an after-deploy job?
Reply Report
- SamTP November 24, 2020
  
  I have the same issue. I set up a managed Postgres cluster and I want it shared by a couple of App Platform apps, so I want to restrict access to just those apps.
  
  After you’ve deployed your App Platform app, I found that you can go to the Console tab and run ifconfig and look for the IP address listed under inet addr.
  
  Doesn’t seem very useful if we can’t guarantee that it will always have the same IP, though.
  
  If I could create a managed Postgres instance in the same VPC as my App Platform applications then I could use the private connection hostname instead of the public one, but it doesn’t look like we can group App Platform and other managed resources into the same VPC, unless anyone knows different?
  
  Reply Report
  
  cbaker November 24, 2020
  
  The IPs shown with ifconfig (or ip addr) are not publicly routable and will change as new updates are deployed or during maintenance.
  
  VPC support is not currently available but is on our roadmap. We’re also looking at allowing App Platform applications to be listed as trusted-sources for our managed databases. Both features are being researched and no firm timeline has been publicly released.
  
  Reply Report
  
  SamTP November 24, 2020
  
  Agreed - that shows the IP of the container, but it’s not usable in this scenario.
  
  It’s a shame - this is a complete show-stopper. We can’t afford to have our databases publicly accessible.
  
  Reply Report
- cbaker November 24, 2020
  
  You might be able to find the public IP using a tool like OpenDNS’s myip by running dig +short myip.opendns.com @resolver1.opendns.com.
  
  That said, I would caution you in using this approach for building firewall rules. First, and most importantly, traffic from other App Platform apps may egress with the same public IP address. Also, there’s not necessarily a 1-to-1 mapping of app instances to public IP addresses. App Platform may reschedule containers if the underlying host becomes unhealthy, for maintenance, or rebalancing resources. When possible, to avoid downtime we first start the new replacement containers before terminating the old. This means two or more containers may be running for a brief period. We also use a similar strategy when rolling out new deployments of your app.
  
  For this same reason, we cannot assign a floating-IP or other stable IP directly to your application. It defeats the technologies we use to keep your application up and safe.
  
  Our long-term plans include VPC support for App Platform which would let you communicate with your database on a private network. We’re also considering allowing App Platform apps to be specified as trusted-sources in the managed database product.
  
  Reply Report
  
  SamTP November 24, 2020
  
  Both would be great. Is it worth people upvoting these suggestions to get them prioritised?
  
  https://ideas.digitalocean.com/ideas/APPX-I-97
  and
  https://ideas.digitalocean.com/ideas/APPX-I-73
  
  Reply Report
  
  cbaker November 24, 2020
  
  Upvotes on ideas do help us prioritize features.
  
  Reply Report
  
  manuelmeurer November 25, 2020
  
  Ok wow, I didn’t know about https://ideas.digitalocean.com/!
  You should mention this more often when answering questions in this community, @cbaker! ;)
  
  Reply Report
  
  manuelmeurer November 25, 2020
  
  For the record, here’s the entry on DO Ideas about fixed IPs: https://ideas.digitalocean.com/ideas/APPX-I-87
  
  Upvote, people!
  
  Reply Report
simbyone2 January 9, 2021

Please add static IP a lot of services require static IP :(
Reply Report

Answer 2

manuelmeurer November 24, 2020

Ok thanks!

I could imagine that lots of people have this requirement. Since DO already provides floating IPs for droplets, I kinda expected to be able to assign an IP to an app/container as well. :)

Is there a way to access the container’s IP in an after-deploy job?
Reply Report
- SamTP November 24, 2020
  
  I have the same issue. I set up a managed Postgres cluster and I want it shared by a couple of App Platform apps, so I want to restrict access to just those apps.
  
  After you’ve deployed your App Platform app, I found that you can go to the Console tab and run ifconfig and look for the IP address listed under inet addr.
  
  Doesn’t seem very useful if we can’t guarantee that it will always have the same IP, though.
  
  If I could create a managed Postgres instance in the same VPC as my App Platform applications then I could use the private connection hostname instead of the public one, but it doesn’t look like we can group App Platform and other managed resources into the same VPC, unless anyone knows different?
  
  Reply Report
  
  cbaker November 24, 2020
  
  The IPs shown with ifconfig (or ip addr) are not publicly routable and will change as new updates are deployed or during maintenance.
  
  VPC support is not currently available but is on our roadmap. We’re also looking at allowing App Platform applications to be listed as trusted-sources for our managed databases. Both features are being researched and no firm timeline has been publicly released.
  
  Reply Report
  
  SamTP November 24, 2020
  
  Agreed - that shows the IP of the container, but it’s not usable in this scenario.
  
  It’s a shame - this is a complete show-stopper. We can’t afford to have our databases publicly accessible.
  
  Reply Report
- cbaker November 24, 2020
  
  You might be able to find the public IP using a tool like OpenDNS’s myip by running dig +short myip.opendns.com @resolver1.opendns.com.
  
  That said, I would caution you in using this approach for building firewall rules. First, and most importantly, traffic from other App Platform apps may egress with the same public IP address. Also, there’s not necessarily a 1-to-1 mapping of app instances to public IP addresses. App Platform may reschedule containers if the underlying host becomes unhealthy, for maintenance, or rebalancing resources. When possible, to avoid downtime we first start the new replacement containers before terminating the old. This means two or more containers may be running for a brief period. We also use a similar strategy when rolling out new deployments of your app.
  
  For this same reason, we cannot assign a floating-IP or other stable IP directly to your application. It defeats the technologies we use to keep your application up and safe.
  
  Our long-term plans include VPC support for App Platform which would let you communicate with your database on a private network. We’re also considering allowing App Platform apps to be specified as trusted-sources in the managed database product.
  
  Reply Report
  
  SamTP November 24, 2020
  
  Both would be great. Is it worth people upvoting these suggestions to get them prioritised?
  
  https://ideas.digitalocean.com/ideas/APPX-I-97
  and
  https://ideas.digitalocean.com/ideas/APPX-I-73
  
  Reply Report
  
  cbaker November 24, 2020
  
  Upvotes on ideas do help us prioritize features.
  
  Reply Report
  
  manuelmeurer November 25, 2020
  
  Ok wow, I didn’t know about https://ideas.digitalocean.com/!
  You should mention this more often when answering questions in this community, @cbaker! ;)
  
  Reply Report
  
  manuelmeurer November 25, 2020
  
  For the record, here’s the entry on DO Ideas about fixed IPs: https://ideas.digitalocean.com/ideas/APPX-I-87
  
  Upvote, people!
  
  Reply Report
simbyone2 January 9, 2021

Please add static IP a lot of services require static IP :(
Reply Report

Answer 3

tarunnarang1992 May 18, 2021

Facing the same issue. I need to redirect the non-www to www domain using the App platform of digital ocean. I had to migrate because of this reason of static Ip’s. Can DO team share when it will be published for end-users?

Reply Report

Related

Question

Static IPs, whitelisting

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Static IPs, whitelisting

Related

Leave a comment

Related

question

Why am I getting a Deploy Error: Health Checks?

question

How can I see the build logs for my application if the build was skipped for a deployment?

question

How can I use private git submodules in my app?

question

What does a "Development Database" mean in the context of the App Platform?

Looking for something else?