Nightscout on Google Cloud increasing outgoing traffic and costs

[gigich]

There is a discussion on facebook group about increasing network traffic outgoing from nightscout instance on Google Cloud.
At the moment there is not really clearance, if it is a billing bug from Google, or there is really unwanted traffic on the instances.

Anyway I tried to reduce the traffic by implementing more restrictive firewall-Rules, especially for outgoing.
For that, I deactivated the default rules from the documentation and set an own firewall policy with following rules:

The first rule with prio 10 I set the geolocation to my country (Switzerland), so there should be no other access from other countries.

For the Dexcom Bridge I did allow the following fqdn:
shareous1.dexcom.com
shareous2.dexcom.eu
shareous1.dexcom.eu

In the logs I saw some access from nightscout itself (status page?) to following ips:
132.226.247.73
216.239.36.174
18.245.113.41
3.162.163.117
130.211.227.168
3.162.163.95

For those it would be great to know the fqdn so I could set that rule by names as well.

Probably it needs some more rules, but I think it could help by reducing the risk of unwanted traffic.

I would be happy to get some more insides and comments on that toppic.

@Navid200
Could you help us?

Best Regards, Lukas

[Navid200]

I may need tips from you for setting up the firewall for everyone or adding it to the guide assuming the charge is for a real traffic.

Do you know if the use of firewall is free or included in the free tier program?

[gigich]

Hi
Thanks for answering that fast here.
I had a support chat with a google support engineer and he told me, firewall is free.

I can do some documentation with printscreens how to setup the firewall rules, but probably first it would be good to know all the connections needed outgoing from the nightscout server. I think especially the status-page and the setup will need some outgoing traffic for certificate and dns.
What are the urls needed for all that?

Lukas

[Navid200]

Are you saying you need the ip address of everything in order to set up the firewall?
That is not going to work. A follower's ip address could change, no?
I mean if your follower uses a browser at an internet cafe versus their smart phone, they are going to use different ip address, right?

[gigich]

I think at the moment it is more an issue on outgoing traffic. Accessing by a follower is incoming traffic.
As I wrote below, the feature of using domain names in the rulesets needs Standard Firewall Rules, which are not free, but I am still not sure about this.

[Navid200]

No, a follower is outgoing traffic. if the follower uploads treatments, yes, that would be incoming. But, a follower seeing readings, that is outgoing traffic.

The point I hope I have clarified is that the reported traffic is unreasonably high. If it is an error, even if we set up a firewall, there could still be an erroneous charge. We have to wait for feedback from Google or other people who have been charged reporting it on public forums.

[gigich]

Pricing:
https://cloud.google.com/firewall/pricing
Essiantials seems to be free, Standard generates costs.
Differences:
https://cloud.google.com/firewall/docs/about-firewalls#firewall-essentials
It seems, that using FQDN is only on Standard possible, but on creating the ruleset I can not really see any differences, So I will check if I can find out some more details.

The strange thing anyway is, that multiple users talk about increasing outgoing traffic of multiple GB since december. For me it started on 24th december, but my nightscout site on Google is just a backup. No one is accessing the site. It just graps the data from Dexcom Share servers, no other data is done.
The only issue I had is a broken dns name and an invalid certificate. But could this be the reason?

Lukas

[Navid200]

There is a spike in traffic to South America for everyone. Some may not have noticed it yet.
The traffic started on December 23 and ended on December 31.

It is not that this traffic has never exited before.
Traffic to South America existed ever since we started this project two years ago. But, it was within the limits of the free tier program.
This is the first time that the traffic has increased so much.
The traffic is about 2GB for a period of only 7-8 days.

As I have explained in the facebook groups, it is my hope that this is just a Google mistake.

I reached out to Google in a chat session. A ticket was opened by the billing department and raised to the technical level. So, I am waiting for a response now.

Considering no one has our API_SECRET, this traffic is theoretically caused by the Nightscout front page where you are askes for the API_SECRET. Downloading that page only causes kilobytes of data. For that to sum up to 2GB in only 7 days, you will need someone to continuously ping your site over and over again. Even then, I am not sure that much traffic can be caused.
That's why I think this has got to be an error. At least, I hope it is.

At this point, any work that can help us set up a firewall, is great. But, if this turns out to be an error, it may be unnecessary.