Channels
announcements
ask-marvin
best-practices-coordination-plane
data-ecosystem
data-tricks-and-tips
events
find-a-prefect-job
geo-bay-area
geo-berlin
geo-boston
geo-chicago
geo-colorado
geo-dc
geo-israel
geo-japan
geo-london
geo-nyc
geo-seattle
geo-texas
gratitude
introductions
marvin-in-the-wild
pacc-clearcover-june-12-2023
pacc-may-31-2023
ppcc-may-16-2023
prefect-ai
prefect-aws
prefect-azure
prefect-cloud
prefect-community
prefect-contributors
prefect-dbt
prefect-docker
prefect-gcp
prefect-getting-started
prefect-integrations
prefect-kubernetes
prefect-recipes
prefect-server
prefect-ui
random
show-us-what-you-got
Title
b
Blake Enyart
04/25/2022, 3:40 PMPerhaps my Google search skills aren't quite up to the task, but I'm trying to find the IP range that Prefect Cloud uses to communicate with other services. Right now, we were running into difficulties using the AirbyteConnectionTask without opening our AWS Security Group up to public access for the task to work which we aren't super excited about.
I have the logs added in the thread, but in summary, it fails and shows the below stack trace when we only have port 22 open to a specific IP range and it succeeds when we open up the SG. Has anybody else run into this using the AirbyteConnectionTask?
Removed the EC2 IP for potential security impact at this time from the stack trace.
k
Kevin Mullins
04/25/2022, 3:46 PMPrefect Cloud itself wouldn’t communicate to other services. This would all occur on the Prefect Agent that picked up the flow. For instance, in my environment I use the Kubernetes agent which gets the egress IP I have configured for the cluster.
What type of agent are you using?
đź‘Ť 1
b
Blake Enyart
04/25/2022, 3:55 PMWe are using the local agent. This was my understanding of the communication mechanism in Prefect as well.
With that, what should we do? Because it does work when we open the security group and it doesn't work when we only have it open to port 22.
Is there any other information I can send over or details on this that would provide additional context?
It is specifically the health checks for Airbyte sent to the EC2 instance we have Airbyte hosted on that are failing. So when we have public communication it works fine, but when we shut it down to just port 22 it fails
k
Kevin Mullins
04/25/2022, 3:57 PMIf I am understand correctly, that local agent had to be installed somewhere (your laptop for dev, a server or vm, ec2, etc.). Where the local agent was installed would dictate the networking configuration. Do you happen to know where the local agent was installed/is running?
b
Blake Enyart
04/25/2022, 3:59 PMThe local agent is installed on the EC2 instance hosting Airbyte
k
Kevin Mullins
04/25/2022, 4:01 PMGotcha, that’s interesting, It should be using that EC2's public ip address. I haven’t worked with AWS in a minute but I think you may want to look at how that EC2 instance is configured to see if it is part of a virtual network of some sort. That virtual network should be added to networking rules to allow it access. In this case since it sounds like the same server I’m wondering if it’s bouncing out and getting a public IP address
As a test, you could find out what the public IP address is of the EC2 instance and add a rule to the security group allow it for that ip address to the necessary ports that Airbyte uses.
b
Blake Enyart
04/25/2022, 4:06 PMJust to make sure I'm understanding this, the security group attached to the EC2 instance which hosts Airbyte should have an ingress rule which allows traffic from the public IP address attached to the EC2 instance?
Is that correct?
k
Kevin Kho
04/25/2022, 4:07 PMThe discussion so far is right that the Agent machine just needs HTTP out in order to ping Prefect Cloud, and then it finds a flow to run and then execute it. So you shouldn’t need the IP ranges of Prefect Cloud in order to execute anything.
I am confused why the Airbyte task would go through the internet if they are in the same box? Wouldn’t it hit a local port on the same machine? You can do
localhostk
Kevin Mullins
04/25/2022, 4:07 PMI was gonna say my guess is because the URL is using the full public EC2 instance IP address.
:upvote: 1
Yea, you could technically use “localhost”, but seems like there may be some scalability type decisions there, can you always assume airbyte will be on the same machine as the agent, do you need multiple agents/airbyte servers, etc
Prolly should have led with that. I was thinking from the perspective of a solution that would work if it started on the same machine but moved to another or expanded in other ways, using vnet type rules would prolly be ideal between ec2 instances imho
k
Kevin Kho
04/25/2022, 4:12 PMAhhh I understand what you are saying
k
Kevin Mullins
04/25/2022, 4:13 PMBut, that was a bit presumptuous of me lol. I could see labeled agents always on the airbyte hosts where localhost would be fine. So that may be the best first step. Sorry for any confusion