We develop an application that fetches data from our client's databases by means of Azure Hybrid Connection.
The problem is that when client whitelists just Azure Relay address on their firewall - connection is becoming unstable, it may work one second and fail the other one (with the following error: "The specified network name is no longer available.". When they open web ports for any addresses - everything works fine.
I suspect HCM is doing calls not only to the configured Azure Relay, but maybe to some other Microsoft addresses.
When configuring firewall rules on HCM side, what addresses (besides Azure Relay address) the client should whitelist?
Related
We have a sql server firewall setup with no IP access and "Allow Azure Services" flag also set to off.
I understand this means no azure services and no external clients will be able to access the sql server and database.
however, when i try Import Database option on sql server, with bacpac stored in azure storage, we get a strange error of an IP that needs to be given access in sql server firewall. The error reads.
Client with IP address 65.52.129.125 is not allowed to access the server.
While our azure infra is in West Europe, there is no mention of what this IP belongs to and what is the purpose of it.
The same error of course also occurs from Infra as a code approach and CI-CD Pipelines. and I think adding an IP without any information is risky.
Has anyone faced this before? or if anyone knows , what is azure database import using underneath for which this IP needs access and will it always be the same?
65.52.129.0 - 65.52.129.255 is an IP address range owned by Microsoft Corporation and located in Netherlands.
Please read the following explanation about why you should enable Azure Services access on the firewall at least while doing export/import operations. When you finish import/export operations, then disable Azure Services access.
"The IP address space used for outbound connections from the Import/Export Service infrastructure to the target logical server is not documented, and is subject to change at any time. Therefore, given that connections to the target Azure SQL Database server are gated by server firewall, the only fully reliable way to ensure that the Import/Export service will be able to connect is to enable the firewall rule that allows access from all Azure services (or, equivalently, from the 0.0.0.0 IP address). Obviously, opening the firewall to a large IP address space is a network security risk. Security conscious organizations will want to mitigate this risk by disabling this firewall rule as soon as the import operation completes successfully..."
Source is here.
I'm trying to setup a VPN connection from a VLAN in Azure to on-premise. We have two different ISP's on-premise and I want to setup Azure with a VPN connecting to both so that if the primary ISP is down Azure will try to connect using the secondary.
The problem is that I can't add two gateways to a single VLAN, and the one gateway will not let me add two VPN connection with the same IP address range. I can understand that if I wanted both to be active, but I want one to be standby and only used if the first disconnects.
Is this even possible? Any pointers would be great?
I have been looking at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#a-name--activeactiveonpremamultiple-on-premises-vpn-devices but that only covers active-active setup which is not what I want.
I want both VNET resouces and on-premise resources to reach each other via the same IP addresses no matter if it's the primary or secondary VPN that's connected.
I know that Azure has fail over on it's side via a standby gateway, but I want fail over when on-premise is down, not Azure.
Update
I know that Azure has fail over on it's side via a standby gateway,
but I want fail over when on-premise is down, not Azure.
Unfortunately, there is not an auto solution for on-premise failover, you could manually perform, which is the same as If the on-premises gateway IP change need to update the same entry. You need to update the local network gateway (Including the On-premises gateway IP and private range ) on the Azure side and the ISP settings where VPN is connected on the on-premise side. Please expect some downtime, because IPSEC session of ISAKMP, PH1 and PH2 Will again take place.
Besides, If you have more than one ISP and need a redundant connection to the Azure. Azure now supports redundant Site to Site VPNs.
Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP
You can establish multiple connections between your Azure VNet and
your on-premises VPN devices in the same location. This capability
provides multiple tunnels (paths) between the two networks in an
active-active configuration. If one of the tunnels is disconnected,
the corresponding routes will be withdrawn via BGP and the traffic
automatically shifts to the remaining tunnels.
The following diagram shows a simple example of this highly available setup:
NOTE
BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways. Basic SKU is NOT supported.
BGP is supported on Route-Based VPN gateways only.
Is it possible to change the port that the azure server uses? I currently only see the ability to add IP addresses that can be used to access the server. Or is it required that firewalls allow port 1433 outbound traffic?
Assuming you're referring to SQL Database Service and its associated firewall, no: You may only add IP addresses to the firewall, for access.
There is no ability to change the port that the service listens on. You'll need to allow for outbound traffic on port 1433, if you want to access the database remotely.
Also, just FYI - port 1433 is the standard SQL Server port.
Note: The inability to change the listening port is strictly for the SQL Database service. This restriction doesn't exist for SQL Server running in a VM, since you have total control of inbound ports and related port-mapping via network security groups.
A year+ later a lot has changed with Azure. There are a ton of offerings to help "bypass" internal firewalls for port 1433 and integrating with the services in Azure.
Azure is attempting to help developers with Synchronous Hybrid Connectivity� to on premise datasources or visa versa. My personal opinion would be for you to use On-Premises Data Gateway. Here are a few options to help with the port 1433 constants:
WCF Relay
Service Bus offered relays almost from the beginning of Azure
Built on the WCF capability. Security was originally ACS, but now SAS
can be consumed by lots of different tech, eg biztalk, soap, rest, crm online and is very reusable
Hybrid Connections
Built on Web Sockets so not confined to Windows. API accessible for other scenarios.
Azure Virtual Network
Point-to-site virtual private network (VPN):
Established between a single PC connected to your network and the VNet.
Uses the SSTP protocol to provide encrypted communication over the Internet between the PC and the VNet. The latency for a point-to-site VPN is less predictable, since the traffic traverses the Internet.
Site-to-site VPN:
Established between your VPN device and an Azure VPN Gateway.
Connection is an IPSec/IKE VPN that provides encrypted communication over the Internet between your on-premises device and the Azure VPN gateway.
The latency for a site-to-site connection is less predictable, since the traffic traverses the Internet.
Azure ExpressRoute:
Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not traverse the Internet.
On-Premises Data Gateway
Acts as a bridge between Azure PaaS and on-prem resources. Works with connectors for Logic Apps, Power Apps, Flow & Power BI:
When you connect to SQL azure database,it connects through port 1433 by default and you can't change it..
You have to enable outbound rule to allow traffic for SSMS to connect with Azure
My Azure web role can, using remote desktop, connect with a browser (IE) to google.com and to a DMZ server on our corporate network.
My web role cannot connect via HTTP GET (IE) to a non-DMZ box behind the firewall. My web role cannot ping this box either. My service is hosted in north/central, allegedly all published IP ranges of north/central have been granted access to the target IP by our CorpIT people. They claim they are seeing no traffic via their sniffer from my compute instance IP when I attempt to ping or HTTP GET against the target local IP.
CorpIT wants help from the Microsoft side but we have no Microsoft relationship. I'm convinced this is the outcome of months of slapdash thirdhand firewall rules applied to the target environment in question. What can I do to further elucidate this for CorpIT?
thx in advance!
You can try to run a trace route or get a network trace from the Azure instance and see what you get back from where. You could also create a support case with microsoft:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn
I wouldn't bet on using the IP ranges to make your applications work correctly. Windows Azure already provides you with some services that allow you to solve these types of issues:
Windows Azure Connect: Allows you to create an IPSec secured connection between your servers and your hosted services. This means you won't need to add rules to the firewall for incoming traffic.
Windows Azure Service Bus Relay: Allows you to expose WCF services to the cloud without having to add rules to the firewall for incoming traffic. Choosing this option might add some extra work for you to do, you might need to create a WCF service if you don't already have one and change the code in your Web Role to connect to this WCF Service.
We have a existing application to be migrated to the windows azure.
Currently, it will access another web services in other network, and the firewall in front of the web service, it will trust the IP of it and open the port only for that application.
Which IP should I trust after migrated to Windows Azure? or other approach suggested?
Thanks a lot.
Currently Windows Azure does not offer a fixed IP address, so any IP based filter would be subject to potential risk if the IP address should change (which it can without notice).
I would recommend you explore either leveraging the service bus to create a peer-to-peer connection between the services, or possibly Azure Connect (an ipsec based VPN style connection).