Useful Tidbits (2) - Communicating with FCM Server in an Air-Gapped Network

Getting Started
The air-gapped network related post I wrote last time got more views than expected, so I prepared another one.
Today, I'm going to share the list of domains you need to allow when you have to use the Firebase Cloud Messaging API provided by Google Firebase in an air-gapped network.
Architecture
I think almost all developers will develop services with a similar configuration.
App Server (or PUSH sending server) -> Google FCM Server
Because of the firewall policy, outbound traffic from the app server to the FCM server must be explicitly opened.
Required Opening List
The outbound policies required for the service are configured as follows.
Domain Port
fcm.googleapis.com 443
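Once the policy has been applied, it helps to confirm from the app server which step of the connection actually works. The following is an added example, not code from the original post: a hypothetical helper, `check_egress`, that walks through DNS, TCP and TLS for each entry in the list above and reports the first stage that fails.

```python
import socket
import ssl

# Allowlist from the table above (domain, port).
REQUIRED = [("fcm.googleapis.com", 443)]


def check_egress(host, port, timeout=5.0):
    """Return (stage, detail): stage is 'ok' or the step that failed."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # The internal resolver cannot resolve the name.
        return ("dns", str(exc))
    # Only the first resolved address is tried.
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as exc:
        # Timeout: packets dropped silently. Refused/reset: actively rejected.
        sock.close()
        return ("tcp", f"{type(exc).__name__}: {exc}")
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        # A certificate error here often means a TLS-inspecting device
        # whose CA this host does not trust.
        sock.close()
        return ("tls", f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    for host, port in REQUIRED:
        stage, detail = check_egress(host, port)
        print(f"{host}:{port} -> {stage} ({detail})")
```

A `tcp` result points at the firewall policy itself, while a `tls` result with a working TCP connection points at equipment sitting in the path.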
An Interesting Incident

Roughly speaking, my mind went blank.
But I had a feeling that Google probably wouldn't block this level of traffic.
(Because I've seen services with much larger traffic)
So when I inquired with the internal infrastructure team, there was something funny.
"It was automatically blocked because the internal security equipment falsely detected it as a DDoS request."
It's not wrong.
We have a dedicated PUSH transmission server that, upon receiving requests from external services, queues them and sends requests at a maximum speed of over 2,000 TPS, so I thought it could be detected as an attack, but it was a funny incident.
If you're in a similar situation, be sure to check your security equipment.
Wrapping Up
I think many similar issues will occur in air-gapped networks.
From the perspective of infrastructure organizations that want to minimize security vulnerabilities, it can't be helped, but it is inconvenient.
I hope the "Useful Tidbits" category helps reduce some of your struggles.
Hang in there, developers and operators who develop and operate services in air-gapped networks across the country!