Circle CI accessing internal VPC

Hi,

We currently have end-to-end tests running from our CircleCI setup; however, we can only set it up to speak to services that are accessible from the outside world.

Is there any way to set up CircleCI to access internal web services (e.g. REST APIs) within our company's internal VPC?

As a pipeline step we need to make HTTP requests to one of our internal search APIs.

Any help would be greatly appreciated.

Thoughts that come to mind:

  • Mock the REST API in your CircleCI tests
  • Add a public proxy, with IP filtering, to your web services
  • Tunnel from your CI via a VPN to a security-isolated LAN so you can access your API

Hi,

I don't think mocking the API calls is good because it means it's not a true end-to-end test (more of an integration test in that case).

Does CircleCI have an IP range we can use so we can restrict requests that go to a public proxy server?

Also, have you got any tech details on how we can run a VPN through a CircleCI agent?

I don’t know if this is documented anywhere. I don’t think it is accessible in the container though - perhaps you could wget a dummy file on your web server to get the IP. Maybe it goes through a proxy and so always will be the same?

I’d have to research this, the same as you. Look into OpenVPN - client in CircleCI, server on the public edge of your LAN.

New idea

Could you just take a copy of your API and a snapshot of your database, and put that on a public server?

Seems there is a blog article saying a VPN isn't possible:
https://circleci.com/blog/vpns-and-why-they-don-t-work/

Could you just take a copy of your API and a snapshot of your database, and put that on a public server?

This is not as easy as it sounds when there is a bunch of different APIs, each with different backing DBs etc. - not feasible :(

It does hint at the end to say there is an alternative, which they were to cover in a future article - see if they posted the follow-up?

There’s no mention of the Machine executor either, so I wonder if the article predates CircleCI 2.0. You could switch to a Machine, which is a proper VM rather than a Docker container; there’s presently no charge for this service.

I don’t know whether a Machine can cope with a VPN, but I’d assume so - I’m guessing it’s a VMware guest or something like that.

I’m wondering, in any case, whether a proxy would be better than a VPN. The latter might be regarded as a security risk, since it would open your LAN out to a (trusted) third party, and you might want to set up an isolated LAN to mitigate that extra risk.

A proxy is just HTTP(S) and can be easily filtered.
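As an added illustration of the filtered public proxy option discussed in this thread (not code from any poster or from CircleCI), here is the allow/deny decision such a proxy could make for each request. The network range, path prefix, `X-CI-Token` header and token value are all constructed assumptions; the token is a second check for the case where the CI egress IPs are not known precisely.

```python
import hmac
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy values (assumptions, not taken from the thread).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # stand-in for CI egress IPs
ALLOWED_METHODS = {"GET", "HEAD"}        # the search API is only read from CI
ALLOWED_PREFIX = "/search/"              # the only path exposed through the proxy
CI_TOKEN = "constructed-example-token"   # hypothetical; load from a secret store


def allow_request(peer_ip, method, target, headers):
    """Return (allowed, reason) for one request arriving at the public proxy."""
    # Filter on the TCP peer address. X-Forwarded-For is client-supplied,
    # so it is deliberately never consulted.
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad peer address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source ip not allowlisted"
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    # Decode and normalise before the prefix check so that
    # /search/../admin and /search/%2e%2e/admin are both rejected.
    path = posixpath.normpath(unquote(urlsplit(target).path))
    if not (path + "/").startswith(ALLOWED_PREFIX):
        return False, "path not exposed"
    # Constant-time comparison of the shared secret sent by the CI job.
    token = headers.get("X-CI-Token", "")
    if not hmac.compare_digest(token.encode(), CI_TOKEN.encode()):
        return False, "missing or wrong token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    good = {"X-CI-Token": CI_TOKEN}
    print(allow_request("203.0.113.5", "GET", "/search/v1?q=x", good))
    print(allow_request("198.51.100.7", "GET", "/search/v1", good))
    print(allow_request("203.0.113.5", "GET", "/search/%2e%2e/admin", good))
```
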

Speaking to CircleCI support - I can use a VPN (e.g. https://wiki.ubuntu.com/VPN).
Also, to connect to a VPN I need to use a machine executor. There is no way to connect to a VPN from a Docker image due to security reasons.

Yeah true - I think the HTTP proxy is probably safer (as it's only HTTPS).

Thanks for the help!
