    YD

    1 year ago
    is there a simple way, like pinging some IP address, that can tell me if I have access from inside a production environment to the cloud service?
    Kevin Kho

    1 year ago
    ping api.prefect.io
    YD

    1 year ago
    if it is not accessible, what needs to be enabled, opened?
    Wilson Bilkovich

    1 year ago
    The tool tcptraceroute can help you see where it is being blocked, along the way ‘out’ of your infrastructure.
    The most common situation is probably being in a cloud env where you’re not connected to a NAT or internet-gateway of any kind, in which case you’ll need to enable something like that or use a proxy.
    YD

    1 year ago
    is there a particular port I need to ask our net-ops to open?
    Wilson Bilkovich

    1 year ago
    Hmm, api.prefect.io is currently listening on a surprising number of ports
    YD

    1 year ago
    I do not have permissions to run tcptraceroute
    Wilson Bilkovich

    1 year ago
    port 443 is probably all you need, but to be safe it might make sense to request also ports 80 and 8080
    YD

    1 year ago
    I can’t even ping google… I’ll check with sec-opts
    Wilson Bilkovich

    1 year ago
    Unfortunately if you can’t run tcptraceroute you probably also can’t use tcpdump or lsof either, hmm.
    Can you curl www.google.com even? Some organizations block ping requests
    YD

    1 year ago
    yes, was able to do the curl
    Wilson Bilkovich

    1 year ago
    Ok that’s good, that means you at least have a route to the internet. If you can connect to google but not prefect.io, it does sound like there’s a block your admins will need to remove
    Kevin Kho

    1 year ago
    Wilson is right, you should only need port 443
    YD

    1 year ago
    I can also do lsof
    OK… port 443 inbound? outbound?
    Wilson Bilkovich

    1 year ago
    lsof -i TCP will let you see if you’re making connections to anything other than 443, but Kevin confirms that that should be enough, so probably not worth your time
    that would be outbound to port 443 from any source port
    No need to allow any inbound traffic other than that related to your outbound traffic
    YD

    1 year ago
    lsof -i TCP returned nothing outbound to port 443… Got it, thanks
    Wilson Bilkovich

    1 year ago
    openssl s_client -connect api.prefect.io:443 -showcerts is one way you can test the connection once they open it up
    YD

    1 year ago
    thanks
    this test actually does not work in a different environment, where I can do ping api.prefect.io and I can connect to the cloud
    I get
    getaddrinfo: Servname not supported for ai_socktype
    connect:errno=0
    Wilson Bilkovich

    1 year ago
    Interesting; it works for me. I wonder if my platform is special in any way
    YD

    1 year ago
    our server is CentOS Linux release 7.8.2003 (Core)
    works now… there is something in the characters of -showcerts, when I copied and pasted
    But… it also works on the machine that I can’t do ping api.prefect.io from
    Kevin Kho

    1 year ago
    The machine that can’t ping api.prefect.io and ping other sites like google.com?
    YD

    1 year ago
    no, can’t ping www.google.com either
    Kevin Kho

    1 year ago
    Are you responsible for that VM? Or you have a DevOps team?
    YD

    1 year ago
    devops… I am trying to install a local python 3.9 and start an agent… (if I can do it without root)
    Kevin Kho

    1 year ago
    I think you might need to ask them to open the port for HTTP? Prefect doesn’t support Python 3.9 officially just so you know
    YD

    1 year ago
    OK.. this is not urgent, thanks. I can connect from the main environment
    well.. actually it looks like I can see an agent that I started on the machine that can’t ping. I had to create a new service account and API key. If I see the agent, does it mean I can run flows? or there still might be something that will block the flows?
    Kevin Kho

    1 year ago
    Yes you should be able to. It may block some of the code in the flows