Channels
pacc-may-31-2023
prefect-ai
pacc-clearcover-june-12-2023
marvin-in-the-wild
data-ecosystem
geo-israel
pacc-june-14-2023
geo-japan
prefect-cloud
ppcc-may-16-2023
prefect-azure
prefect-docker
prefect-recipes
gratitude
geo-nyc
geo-bay-area
geo-boston
geo-london
geo-dc
geo-chicago
geo-berlin
geo-texas
geo-seattle
geo-colorado
prefect-community
data-tricks-and-tips
prefect-aws
prefect-gcp
introductions
find-a-prefect-job
prefect-dbt
random
events
ask-marvin
show-us-what-you-got
prefect-getting-started
prefect-integrations
prefect-contributors
best-practices-coordination-plane
announcements
prefect-server
prefect-ui
prefect-kubernetes
Title
c
Christopher Chong Tau Teng
10/27/2021, 8:27 AMHi, I am facing issue with connecting the UI to graphQL endpoint. I ran Prefect server using Docker in a GCP VM, which doesn’t have any public IP as it sits behind a bastion host. I can connect to UI via ssh tunnelling, however on UI it says
Couldn't connect to *Prefect Server* at *<http://localhost:4200/graphql>*Starting prefect_postgres_1 ... done
Starting prefect_hasura_1 ... done
Starting prefect_graphql_1 ... done
Starting prefect_towel_1 ... done
Starting prefect_apollo_1 ... done
Starting prefect_ui_1 ... done
Attaching to prefect_postgres_1, prefect_hasura_1, prefect_graphql_1, prefect_towel_1, prefect_apollo_1, prefect_ui_1
postgres_1 |
postgres_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization
postgres_1 |
postgres_1 | 2021-10-27 07:37:38.603 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
postgres_1 | 2021-10-27 07:37:38.603 UTC [1] LOG: listening on IPv6 address "::", port 5432
postgres_1 | 2021-10-27 07:37:38.608 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres_1 | 2021-10-27 07:37:38.637 UTC [26] LOG: database system was shut down at 2021-10-27 07:22:26 UTC
postgres_1 | 2021-10-27 07:37:38.646 UTC [1] LOG: database system is ready to accept connections
graphql_1 |
graphql_1 | Running Alembic migrations...
graphql_1 | INFO [alembic.runtime.migration] Context impl PostgresqlImpl.
graphql_1 | INFO [alembic.runtime.migration] Will assume transactional DDL.
apollo_1 | Checking GraphQL service at <http://graphql:4201/health> ...
apollo_1 | Checking GraphQL service at <http://graphql:4201/health> ...
graphql_1 | Applied Hasura metadata from /prefect-server/services/hasura/migrations/metadata.yaml
graphql_1 |
graphql_1 | Database upgraded!
ui_1 | :space_invader::space_invader::space_invader: UI running at localhost:8080 :space_invader::space_invader::space_invader:
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: using the "epoll" event method
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: nginx/1.20.1
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: built by gcc 8.3.0 (Debian 8.3.0-6)
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: OS: Linux 5.8.0-1038-gcp
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: getrlimit(RLIMIT_NOFILE): 1048576:1048576
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: start worker processes
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: start worker process 12
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: start worker process 13
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: start worker process 14
ui_1 | 2021/10/27 07:37:43 [notice] 11#11: start worker process 15
towel_1 | {"severity": "INFO", "name": "prefect-server.Scheduler", "message": "Scheduled 0 flow runs."}
apollo_1 | Checking GraphQL service at <http://graphql:4201/health> ...
graphql_1 | {"severity": "INFO", "name": "prefect-server.GraphQL Server", "message": "Using uvicorn log level = 'debug'"}
graphql_1 | INFO: Started server process [9]
graphql_1 | INFO: Waiting for application startup.
graphql_1 | INFO: Application startup complete.
graphql_1 | INFO: Uvicorn running on <http://0.0.0.0:4201> (Press CTRL+C to quit)
apollo_1 | Checking GraphQL service at <http://graphql:4201/health> ...
graphql_1 | INFO: 172.20.0.6:58278 - "GET /health HTTP/1.1" 200 OK
apollo_1 | {"status":"ok","version":"2021.09.02"}
apollo_1 | GraphQL service healthy!
apollo_1 |
apollo_1 | > @ serve /apollo
apollo_1 | > node dist/index.js
apollo_1 |
apollo_1 | Building schema...
graphql_1 | INFO: 172.20.0.6:58282 - "POST /graphql/ HTTP/1.1" 200 OK
apollo_1 | Building schema complete!
apollo_1 | Server ready at <http://0.0.0.0:4200> :rocket: (version: 2021.09.02)
apollo_1 | Sending telemetry to Prefect Technologies, Inc.: {"source":"prefect_server","type":"startup","payload":{"id":"f2c00771-6424-45bf-ac6b-ce0a742526d5","prefect_server_version":"2021.09.02","api_version":"0.2.0"}}
graphql_1 | INFO: 172.20.0.4:55152 - "GET /health HTTP/1.1" 200 OKdocker-compose upprefect server configcurl -X POST -H "Content-Type: application/json" -d '{"query": "{ hello }"}' <http://localhost:4200/graphql>{"data":{"hello":":wave:"}}FYI the only modification I have made to the docker-compose.yaml file is that I map UI and Postgres ports to different ports on my VM, as ports 8080 and 5432 are used by other container services.
ui:
ports:
- 8081:8080
postgres:
ports:
- 5431:5432I have tried connecting to my VM internal IP address, but it still fails to connect
a
Anna Geller
10/27/2021, 9:41 AM@Christopher Chong Tau Teng to the best of my knowledge, you need to choose between:
• either running Server on a bastian host for improved security and accept that you won’t have a UI (unless you are an absolute networking pro who can configure SSH tunnels and SOCKS proxies),
• or running server on a machine with public IP assigned and having the UI exposed to the public,
• or switch to Prefect Cloud, where you don’t need to configure any of it, and you get a secure platform with hybrid execution model out of the box.
I would highly recommend the last option. There is 10000 task runs each month completely for free, you have authentication, scale, high availability and security.
If you really need Server and want to restrict traffic to the UI exposed to the public, perhaps you can configure the networking so that this UI is only available from the company’s VPN?
Perhaps this can help as well: https://coda.io/@lauralorenz-at-prefect/devops-guide-to-a-perfect-prefect-server
c
Christopher Chong Tau Teng
10/27/2021, 10:09 AM@Anna Geller Thanks for your answer. Few questions:
1. Can you elaborate more on the SSH tunnel and Socks proxies part? Does it require me to modify the way UI is calling Apollo endpoint from the source code?
2. Correct me if I am wrong - the reason why UI can only work with machine with public IP, is because UI in client browser need to be able to access Apollo endpoint — which needs to be public?
a
Anna Geller
10/27/2021, 10:16 AMAs a user, you need to access UI from your browser from your machine. You can’t do that if the underlying webserver that powers this UI is in a bastion host, unless networking is configured. Forgive me but I’m not a DevOps person and I believe making this setup work would require some involved DevOps networking work I don’t know enough about to support you.
c
Christopher Chong Tau Teng
10/28/2021, 2:44 AM@Anna Geller thanks for your reply. My team would like to explore how to configure the networking so that UI can call the server behind a bastion host. Is there anyone from your team who’s well versed in DevOps that can give us some guidance?
@Anna Geller FYI i managed to make it work (got some help from my senior DevOps) by configuring another ssh tunnel to allow client browser to reach apollo endpoint. Thanks for your help again =D
a
Anna Geller
10/28/2021, 9:01 AMGreat to hear, @Christopher Chong Tau Teng!