is there a simple way, like a pinging some ip addr...
# ask-community
y
is there a simple way, like pinging some IP address, that can tell me if I have access from inside a production environment to the cloud service?
k
`ping api.prefect.io`
y
if it is not accessible, what needs to be enabled, opened?
w
The tool `tcptraceroute` can help you see where it is being blocked, along the way ‘out’ of your infrastructure.
The most common situation is probably being in a cloud env where you’re not connected to a NAT or internet-gateway of any kind, in which case you’ll need to enable something like that or use a proxy.
y
is there a particular port I need to ask our net-ops to open ?
w
Hmm, api.prefect.io is currently listening on a surprising number of ports
y
I do not have permissions to run `tcptraceroute`
w
port 443 is probably all you need, but to be safe it might make sense to request also ports 80 and 8080
y
I can’t even ping google… I’ll check with sec-opts
w
Unfortunately if you can’t run tcptraceroute you probably also can’t use `tcpdump` or `lsof` either, hmm.
Can you `curl www.google.com` even? Some organizations block ping requests
y
yes, was able to do the `curl`
w
Ok that’s good, that means you at least have a route to the internet. If you can connect to google but not prefect.io, it does sound like there’s a block your admins will need to remove
k
Wilson is right, you should only need port 443
y
I can also do `lsof`
OK… port 443 inbound ? outbound ?
w
`lsof -i TCP` will let you see if you’re making connections to anything other than 443, but Kevin confirms that that should be enough, so probably not worth your time
that would be outbound to port 443 from any source port
No need to allow any inbound traffic other than that related to your outbound traffic
y
`lsof -i TCP` returned nothing outbound to port 443… Got it, thanks
w
`openssl s_client -connect api.prefect.io:443 -showcerts` is one way you can test the connection once they open it up
y
thanks
this test actually does not work in a different environment, where I can do `ping api.prefect.io` and I can connect to the cloud
I get
getaddrinfo: Servname not supported for ai_socktype
connect:errno=0
w
Interesting; it works for me. I wonder if my platform is special in any way
y
our server is CentOS Linux release 7.8.2003 (Core)
works now… there is something in the characters of `-showcerts`, when I copied and pasted
But… it also works on the machine that I can’t do `ping api.prefect.io` from
k
The machine that can’t ping `api.prefect.io` and ping other sites like `google.com`?
y
no, can’t ping www.google.com either
k
Are you responsible for that VM? Or you have a DevOps team?
y
devops… I am trying to install a local python 3.9 and start an agent… (if I can do it without root)
k
I think you might need to ask them to open the port for HTTP? Prefect doesn’t support Python 3.9 officially just so you know
y
OK.. this is not urgent thanks I can connect from the main environment
well.. actually it looks like I can see an agent that I started on the machine that can’t ping. I had to create a new service account and API key. If I see the agent, does it mean I can run flows? or there still might be something that will block the flows?
k
Yes you should be able to. It may block some of the code in the flows