I'm trying to connect to my Mongo CosmosDB instance through Azure Bastion. Our IT department blocks all outbound traffic thats not on port 443 so in order for me to be able to access anything I have to tunnel it through port 443 first.
I have a bit of script that looks like this:
COSMOS_ID=$(az cosmosdb list --resource-group $RES_NAME | jq -r '.[] | .id')
az network bastion tunnel \
--resource-group $RES_NAME \
--name $RES_NAME \
--target-resource-id $COSMOS_ID \
--resource-port 10255 \
--port 10255 \
--debug
Which emits this output:
Opening tunnel on port: 10255
Tunnel is ready, connect on port 10255
Ctrl + C to close
I'm then using mongo compass and the connection string found in the azure portal, replacing the cosmosdb host name with localhost, immediately upon attempting to connect I see this error in the terminal, and the tunnel process exits:
Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
File "/usr/local/Cellar/python#3.10/3.10.4/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
self.run()
File "/usr/local/Cellar/python#3.10/3.10.4/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 946, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/custom.py", line 8482, in _start_tunnel
tunnel_server.start_server()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 184, in start_server
self._listen()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 117, in _listen
auth_token = self._get_auth_token()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 104, in _get_auth_token
raise exp
msrestazure.azure_exceptions.CloudError: Unexpected internal error
If I enable debug logging I get a lot of output but these are the last 3 lines before the exception:
urllib3.connectionpool: Starting new HTTPS connection (1): bst-210816cd-d967-41ee-8f90-31ee6af4574d.bastion.azure.com:443
urllib3.connectionpool: https://bst-210816cd-d967-41ee-8f90-31ee6af4574d.bastion.azure.com:443 "POST /api/tokens HTTP/1.1" 500 None
msrest.exceptions: Unexpected internal error
I have added the bastion subnet to cosmosdb's firewall and I have added the port to the NSG... I think. The problem I'm having is just not knowing if I misconfigured something or if this is just completely not supported.
Should I be able to just tunnel directly to cosmos? If not then why not, or what other solutions would be available for me to connect to cosmos tunneled through port 443?
As I found this question when searching for a solution having the same problem, and after some fiddling, The answer is, yes you can!
It took some experimenting but it works with 2 tunnels. Connect to the bastion host (which is also a VM) with enabling an ssh-tunnel to itself to connect via another more sophisticate ssh client and then use this ssh client to "lay" the tunnel to the DB:
You need ssh capability on the bastion host which you should already have if you can connect via az network bastion ssh
maybe put your pub ssh-key to ~/.ssh/authorized_keys (with the usual restricted directory and file permissions) to enable pwd less auth
login via:
az network bastion tunnel --name $the_bastion_host_name --resource-group $your_resource_group --target-resource-id /subscriptions/$your_subscription_id/resourceGroups/$the_resource_group_name/providers/Microsoft.Compute/virtualMachines/$the_jumphost_resource_name --resource-port "22" --port "2222"
replace the vars accordingly to your setup, subscription and resource names
the last command should connect to your bastion/jump host and also open a tunnel #port 2222#localhost to connect via another ssh client!
keep this running/open
have your (cosmos) db connection string ready (from azure portal)
login via standard ssh client (or adjust using putty or similar):
ssh -L 20255:$your_db_name.mongo.cosmos.azure.com:10255 -p 2222 the_bastion_host_account_name#localhost
so we connect via ssh on port 2222 at localhost (which is actually sshd at the bastion host by the command before) with our bastion host username (+credentials) and open the local port 20255 to be tunneled by bastion host's sshd to the (cosmos) db instance's Port 10255 in the remote vnet
can use other local ports by changing the 1st port after the -L but adjust the connection string in the next step
adjust according to your db-name/host and Port (which should be 10255 default)
have the db connection string handy (again)
now use your local client to connect to:
mongodb://azure_dbname:leaveTheBase64CodedCredentialsfromAzurePortalHere==#localhost:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=#db_app_name_from_azure_portal#
in nosql-booster I had to deselect replicaset and use "single server" even if "replicaSet=global" in the azure portal db connection string. But the connection initiation failed with some protocol errors when using replica-set setup
The answer is no, you can't. It only works with VMs.
The solution I came up with is to essentially create a VM, run sockd on it, use bastion to establish the port forwarding, then configure your local client to use a socks5 proxy to localhost.
Related
I created a VM in Microsoft Azure with Ubuntu 20 in which I run a Tomcat Server exposed to Port 443 and 80 (redirecting to 443), Neo4j on Port 7474, and Jenkins on Port 8081.
I can't access neither of those ports, although I set all the Inbound Port Rules like this:
When I try to reach IP:PORT, I always get this:
I am kinda new to Azure. It is possible to log in to the servier via SSH in the Terminal. Can anyone help me? How can I access my Server?
Have you tried to access to the VMs by using SSH and looking whats going on with the logs ?!
Yes, you can connect to a terminal by SSH:
ssh -i <private key path> username#ipaddress
If you don't config your SSH key, you can use create you password on the Azure portal.
In your VM, on the left, you have many options, and one name reset password.
I am trying to create a VM with the Azure CLI and ssh into it from Azure Cloud Shell. I have followed the official guide (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-cli) by running these commands:
$ az group create --name myGroupName --location westus2
$ az vm create --resource-group myGroupName --name myVmName --image UbuntuLTS --admin-username azureuser --generate-ssh-keys
However, when try to connect via ssh with the public IP address reported by the second command above, the connection times out:
$ ssh -vvv azureuser#publicIpAddress
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "publicIpAddress" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to publicIpAddress [publicIpAddress] port 22.
debug1: connect to address publicIpAddress port 22: Connection timed out
ssh: connect to host publicIpAddress port 22: Connection timed out
Any suggestions on what I am doing wrong?
In addition, I have tried running these commands in Powershell on my local machine. I have found that after I create a new resource group, and then launch a VM, I am able to ssh into the VM using Powershell. But when I disconnect from the VM and then try to ssh back into it, I am unable to re-connect since it results in the timeout error. If I try to create a new VM under the same resource group, I am unable to ssh into it at all. If instead, I create a new resource group and a new VM, I can ssh into it the first time, but not on subsequent tries.
As far as I know, you could check if there is an NSG automatically associated with your VM NIC or subnet by Azure policy or others in your current subscription after you create the Azure VM. Probably, it adds some inbound port rules in the NSG to blocking the network connection. If you want to SSH into your Azure VM. it must have a higher priority inbound rule to allow access port 22 as below. You also could add your client public IP as the source in the rule to narrow the limitation.
Try testing your connection in the azure portal
It points you to the exact inbound rules inside Networking tab which might be blocking your connections.
Realized that I had lost my connection due to a change of NIC:s in my VM, so if this is the case for you too you should take a look at that and disassociate the old public ip address (connected to your old nic) and associate it again but with the new nic. Hope this helps someone else :)
In my case, it solves the problem reset the SSH configuration in Reset password > Reset only configuration > Update button:
Apart from the above steps, You might want to start the OpenSSH SSH Server service manually from Windows Services.
Services.exe -> OpenSSH SSH Server -> Start the service and set the startup type from Manual to Automatic.
Installed ElasticSearch on a linux VM in Azure, put in on a Vnet with a public IP and a security group with ports 9200 and ssh 22 open.
I can ssh into the VM. On the VM itself, I can reach port 9200.
But on my PC, when I try to hit the {public IP}:9200, I get a 502 bad gateway? Anyone know why?
Ok, needed to set the following line in the /etc/elasticsearch/elasticsearch.yml file;
BEFORE
#
#network.host: 192.168.0.1
#
AFTER
#
network.host: [_local_, _site_]
#
I am trying to access my Linux machine from anywhere in the world. I have tried originally port forwarding and then ssh'ing in; however, I believe my school's WiFi won't allow port forwarding (every time I ran it, it would tell me connection refused). I have setup an account with ngrok and I can remotely SSH in, but now I am wondering if it is possible to RDP. I tried connecting via the Microsoft Remote Desktop app on Mac, but it instantly crashes. I have also looked at trying to connect with localhost, but it's not working. So far, I have tried (with xxxx being the port):
ssh -L xxxx:localhost:xxxx 0.tcp.ngrok.io
and
ssh -L xxxx:localhost:xxxx <user>#0.tcp.ngrok.io
but my computer won't allow it and after about 2 or 3 times, it warns me of a possible DNS Spoofing. Is there anyway that I can run a remote desktop of my linux machine that I have ssh tunneled to (from my mac) on ngrok? Thank you!
First you'll need to sign up with ngrok if you haven't already and you'll be given an authtoken. You'll need to install this by running
./ngrok authtoken <insert your token here>
This will save your token to a file located ../username/.ngrok/ngrok.yml
Then you'll need to ask ngrok to create a TCP tunnel from their servers to your local machine's Remote Desktop port which should be 3389 by default
ngrok tcp 3389
Give it 30 seconds or so then jump to http://localhost:4040/status to see what the tcp address ngrok has allocated you. It should look something like tcp://1.tcp.ngrok.io:158764
Now you should be able to remote into your machine using address 1.tcp.ngrok.io:158764
I'm trying to connect to an AWS ec2 instance but I keep being refused.
I'm using the same computer, the same wifi but suddenly when I connect to one of my ec2 instance, it fails.
when I connect, it says..
ssh -i successintoeflcom.pem ec2-user#52.68.152.179
ssh: connect to host 52.68.152.179 port 22: Connection refused
ssh -v successintoeflcom.pem ec2-user#52.68.152.179
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 26: Applying options for *
ssh: Could not resolve hostname successintoeflcom.pem: nodename nor servname provided, or not known
I looked at /etc/ssh_config line 26, and found
Host *
SendEnv LANG LC_*
something got to be wrong, but I haven't found a way to make it right.
I also tried deleting the ec2 instance and make new one with new ssh key and new EIP but it did not work.
honestly, I'm new to ssh settings. Any help would be appreciated.
PS
For some reason, I was able to connect to other ec2 instance that is on other aws account, which I use for work.
Start with checking the VPC configuration: ensure the internet gateway is associated properly with the subnet; ensure the SSH port (22) is opened in both the security group and the network ACL.
You can follow the guide and the troubleshooting described in the blog-post configure VPC and create SSH connection to a Linux-based EC2. It touches the traffic rules configuration and explains how to define the SSH keys properly.
Check the Security groups inbound settings, make sure ssh protocol
enabled with source as anywhere. Because your System IP address might
change.
Check with .pem file permission. It should be set with chmod 600.