I want to know the usefulness of Azure FWs, knowing that any collaborator will have to connect to the VPN beforehand to access the cloud. Is Azure FW mandatory in this case?
If the question you are asking is "do I need to set up Azure FW in order to set up a VPN to an Azure VNET?", then the answer is no, you don't have to.
Azure FW allows you to perform both east-west and north-south traffic inspection.
"East-West" traffic refers to traffic within a data center -- i.e. server-to-server traffic. "North-South" traffic is client-to-server traffic, between the data center and the rest of the network (anything outside the data center).
You can read more about Azure FW here.
We are considering using Azure Analysis Services for the BI requirements. Currently, the databases are deployed behind a firewall in a VNET. Since AAS has neither VNET support nor a static IP address range, how do we connect to the databases behind the firewall? I have seen one solution where folks are talking about using the gateway (https://azure.microsoft.com/en-gb/blog/azure-analysis-services-integration-with-azure-virtual-networks-vnets/). But apart from using the Gateway, what other options do I have?
You need to:
- Install the On-Premises Data Gateway on a VM
- Add the VM's Virtual Network to the SQL firewall settings
- Set AAS to use the On-Premises Data Gateway
- Force all AAS traffic through the gateway. This is important.
As for other options, I don't think there are any that are good in terms of security. The AAS IP can change during restarts, so you can't do it that way, unless you write a script which changes the IP every time, but that's cumbersome.
At this time gateway is our current production solution for this scenario.
For dev/test you can always examine the connection failure error from AAS to SQL Database, extract the IP address and add a firewall exception for that IP address, or a small range containing it.
I have an IPsec connection from on-prem to Azure via VPN gateway. I want to monitor all traffic, aka src/dest, ports, and data, that ever enters or leaves that VPN gateway. How would I accomplish this under Azure?
You could check out Azure Network Watcher. It will log the flows from your networks. It won't provide exact transfer amounts of traffic, but it will show traffic distribution and patterns.
Included in the Azure Network Watcher is also packet capture and if I remember right it also will show what ports the traffic is going over as well as source and destination IPs.
There are also some easily found Power BI templates that will read the logs and let you do some interactive digging.
https://learn.microsoft.com/en-us/azure/network-watcher/
Not at the moment - your only options are:
- log traffic via NSGs for resources attached to VNETs
- deploy a 3rd party VPN gateway with associated route tables.
Logging is the biggest restraint I've run into with the native VPN GATEWAY.
Hopefully this will improve with time.
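The two answers above talk past each other slightly: the first thread defines east-west versus north-south traffic, and this one points at NSG flow logs as the only native way to see what crosses the VPN gateway. The block below is an added illustration that joins the two; it is not code from Azure, Network Watcher, or either answer's author. It takes flow tuples in the comma-separated field order that NSG flow logs use for each flow (timestamp, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D), labels each flow east-west or north-south against a list of "data center" prefixes, and summarises denied ports and talkers. The prefixes and the sample tuples are constructed for the example; a real deployment would read the tuples out of the flow log JSON in the storage account.

```python
"""Classify NSG flow-log tuples as east-west or north-south and summarise them.

Added example, not code from Azure or from the answers in this thread.
Field order follows NSG flow-log tuples; newer log versions append more
fields (flow state, byte counts), which this parser simply ignores.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the address space we treat as "the data center". Anything
# outside these ranges is "the rest of the network".
DATACENTER_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/16"),      # hub VNET (assumed)
    ipaddress.ip_network("10.1.0.0/16"),      # spoke VNET (assumed)
    ipaddress.ip_network("192.168.0.0/16"),   # on-prem range behind the S2S tunnel (assumed)
]

# Constructed sample tuples in NSG flow-log field order.
SAMPLE_TUPLES = [
    "1700000000,10.0.1.4,10.1.2.8,51234,1433,T,O,A",       # VM -> SQL in spoke VNET: east-west
    "1700000001,192.168.5.20,10.0.1.4,44000,3389,T,I,A",   # on-prem RDP into Azure VM: east-west
    "1700000002,203.0.113.7,10.0.1.4,60000,22,T,I,D",      # Internet SSH attempt, denied: north-south
    "1700000003,10.0.1.4,198.51.100.9,52000,443,T,O,A",    # VM to Internet HTTPS: north-south
    "1700000004,10.0.1.5,10.0.1.4,53111,445,T,I,A",        # SMB inside the hub subnet: east-west
]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "T" (TCP) or "U" (UDP)
    direction: str   # "I" (inbound) or "O" (outbound) relative to the NIC/subnet
    decision: str    # "A" (allowed) or "D" (denied)


def parse_tuple(raw: str) -> Flow:
    """Parse one flow tuple; only the first eight fields are used."""
    f = raw.split(",")
    if len(f) < 8:
        raise ValueError(f"malformed flow tuple: {raw!r}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7])


def in_datacenter(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)


def classify(flow: Flow) -> str:
    """East-west when both endpoints are inside the data center, else north-south."""
    if in_datacenter(flow.src) and in_datacenter(flow.dst):
        return "east-west"
    return "north-south"


def summarise(raw_tuples):
    """Return per-class counts, denied destination ports, and (src, dst, dport) talkers."""
    flows = [parse_tuple(t) for t in raw_tuples]
    by_class = Counter(classify(f) for f in flows)
    denied_ports = Counter(f.dport for f in flows if f.decision == "D")
    talkers = Counter((f.src, f.dst, f.dport) for f in flows)
    return {
        "by_class": dict(by_class),
        "denied_ports": dict(denied_ports),
        "talkers": dict(talkers),
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_TUPLES)
    print("flows by class:", summary["by_class"])      # {'east-west': 3, 'north-south': 2}
    print("denied dst ports:", summary["denied_ports"])
    for (src, dst, dport), n in summary["talkers"].items():
        print(f"{src} -> {dst}:{dport}  x{n}")
```

The split matters for the original question about whether Azure FW is needed: NSG flow logs only tell you what was allowed or denied at the NIC or subnet, so the east-west rows here are exactly the traffic that would pass uninspected unless a route table sends it through a firewall.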
We have a client who wants to connect their premises to Azure. Their main hindrance at this point is determining the best way to connect to Azure given their current connectivity configuration. They have two redundant ISP connections going to the head office for internet access. They want to be able to configure a VPN connection to Azure that would operate in a similar way, i.e. if ISP A went down it would seamlessly use ISP B and vice versa. The normal multi-site VPN configuration does not fit this since there is one local network behind them, which means the networks behind separate VPNs over each ISP would have overlapping IP address ranges, which is not supported. Is such a configuration possible? (See diagram below)
Either that or is there a way to abstract the two ISP connections onto one VPN connection to Azure.
They're currently considering using a Cisco ASA device to help with this. I'm not familiar with the features of this device so I cannot verify if it will solve their issue. I know there is also a Cisco ASAv appliance in the Azure marketplace; I don't know if that could also be a part of a possible solution if they went with such a device.
[Diagram: required VPN configuration]
The Site-to-Site VPN capability in Azure does not allow for automatic failover between ISPs.
What you could do are the following
- Have an automation task created that would re-create the local network and gateway connection upon failover. Manual, and would take some RTO to get it up and running
- Use the Cisco CSRs to create a DMVPN mesh. You should be able to achieve the configuration you want using that option. You would use UDRs in Azure to ensure proper routing
I haven't done it in Azure, but here is what you do in AWS (and I am sure there would be a parallel in Azure):
Configure a "detached VGW" (Virtual Private Gateway) in AWS. Use a DMVPN cloud to connect CSRs to multi-site on-prem.
Also, for failover between ISPs you could have a look at DNS load balancing via a parallel to AWS's Route 53 in Azure.
Reference thread:
https://serverfault.com/questions/872700/vpc-transit-difference-between-detached-vgw-and-direct-ipsec-connection-csr100
I've a single Web Role Cloud Service instance running in South East Asia, with a SQL Azure Database running in the same region. I am hitting a firewall issue and the connection is blocked unless I add the Cloud Service's public virtual IP to the SQL server firewall.
From everything I've read, if the two systems are in the same region, and 'Allowed Windows Azure Services' is enabled (which adds 0.0.0.0 to the firewall), then the two should be able to communicate internally?
I have some concerns about things being routed inappropriately (is data going outside the network / am I being charged for it), and having to reconfigure the firewall should the VIP change.
Is there some other address I am supposed to access the SQL Azure instance by (currently hitting blah.database.windows.net)?
Your understanding is correct. If I were you I would open a support ticket with Microsoft; I have heard of this issue before, although I never experienced it myself. This sounds like an issue, so report it and watch your next invoice carefully.
Firstly, Allowed Windows Azure Services will allow only Azure services to access the database.
Secondly, to be able to access the database server from any other endpoint, you need to add firewall rules to allow those specific IP ranges. If you want to connect from a machine with IP 132.99.xx.xx, you need to add a rule with start IP and end IP as 132.99.xx.xx.
Hope this helps!
My Azure web role can, using remote desktop, connect with a browser (IE) to google.com and to a DMZ server on our corporate network.
My web role cannot connect via HTTP GET (IE) to a non-DMZ box behind the firewall. My web role cannot ping this box either. My service is hosted in north/central, allegedly all published IP ranges of north/central have been granted access to the target IP by our CorpIT people. They claim they are seeing no traffic via their sniffer from my compute instance IP when I attempt to ping or HTTP GET against the target local IP.
CorpIT wants help from the Microsoft side but we have no Microsoft relationship. I'm convinced this is the outcome of months of slapdash thirdhand firewall rules applied to the target environment in question. What can I do to further elucidate this for CorpIT?
thx in advance!
You can try to run a trace route or get a network trace from the Azure instance and see what you get back from where. You could also create a support case with Microsoft:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn
I wouldn't bet on using the IP ranges to make your applications work correctly. Windows Azure already provides you with some services that allow you to solve these types of issues:
Windows Azure Connect: Allows you to create an IPSec secured connection between your servers and your hosted services. This means you won't need to add rules to the firewall for incoming traffic.
Windows Azure Service Bus Relay: Allows you to expose WCF services to the cloud without having to add rules to the firewall for incoming traffic. Choosing this option might add some extra work for you to do, you might need to create a WCF service if you don't already have one and change the code in your Web Role to connect to this WCF Service.