Ingress filtering from an external cloud service to the internal network


We have a hybrid cloud model that includes an external cloud service that needs to reach back into our internal network. The application documentation states that this connection cannot go through a proxy server. I am not in a position to redesign this solution or change the parameters. My question to NANOG is how to manage (filter/secure) the ingress traffic from the external cloud service. The past network guy managed inbound firewall rules based on the cloud provider's source IP address, but this wasn't sustainable and led to multiple outages, as the external (source) IP has changed from time to time. I can define the destination ports well enough, but not the source IP addresses.

Any ideas on how I can filter this type of inbound traffic from an internet-based service?


Is it possible for you to get a private/direct connect service from your network perimeter to the cloud provider and eliminate using the public connectivity?

Or, because it's Internet-based, do you have to use public connectivity?

James W. Breeden
Managing Partner

Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media
PO Box 1063 | Smithville, TX 78957
Office: 512.360.0000

Unfortunately, a private connection or VPN to the cloud service provider is not available right now, but I can see how that could help solve my problem. :)

Since you can't change the design, you may not be able to put some kind of overlay solution in place, which is just a fancy way of saying a VPN solution. What if you look at it in a different way and put some kind of endpoint security cloud solution like Illumio in place?

But if you at least had the freedom to put something like this:

in place, or 20 other similar solutions. As in, you do VPN, but right from the cloud instance itself or another instance. There is also a set of various solutions that do specialized metadata, like Cilium, but they get into container networking and that is definitely application redesign.

You can usually run OpenVPN from a cloud host. The source IP changing possibly should require only one open exception to the local VPN termination point.
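To make the "one open exception" design from this reply (and the VPN-from-the-cloud-instance idea in the earlier reply) concrete, here is an added nftables ruleset for the on-prem VPN termination host; it is not from the thread or any product, and the addresses, ports and interface name are assumed, illustrative values. The application ports are reachable only through the tunnel, so the cloud side's public IP changing no longer matters.

```nft
# Added example, not part of the thread. Assumed values:
#   internal app servers   10.10.0.0/24
#   application ports      TCP 443 and 5061
#   OpenVPN termination    UDP 1194 on this host, tunnel interface tun0
#   tunnel address space   10.8.0.0/24
table inet ingress_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # The single internet-facing exception: the VPN termination port.
        # Source is left open on purpose, because the cloud side's IP changes.
        udp dport 1194 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Application traffic reaches the internal servers only via the tunnel,
        # so the filter is anchored to the tunnel, not to a public source IP.
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 10.10.0.0/24 tcp dport { 443, 5061 } accept
        # The earlier approach, kept commented out for contrast: pinning the
        # rule to the provider's public source address (203.0.113.10 is a
        # documentation address), which broke whenever that address moved.
        # ip saddr 203.0.113.10 ip daddr 10.10.0.0/24 tcp dport { 443, 5061 } accept
    }
}
```

Load with `nft -f` and check the counters on the forward chain: with this ruleset, any attempt to reach the application ports from the public interface is dropped, so a change in the provider's address surfaces as a tunnel reconnect rather than an outage.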

Better, find a cloud that doesn't do that shit with changing endpoints and gives you real VPNs. What sort of cloud doesn't these days?...?...

I just read an article about these people. They are even more interesting than Illumio or these other VPN solutions. The important part is that you get to stitch tunnels together on some other host, so the changing IP of endpoints is irrelevant.

According to my application guy, this is true of the Microsoft O365 hybrid solution. It requires direct inbound connections on various ports from largely undefined IP space. I imagine the private VPN limitation (i.e., not having a VPN) is on our side and MS provides something like this...

Thank you all. I have more than enough research to do now to further learn about everyone’s suggestions.