I have a Stateless Service Fabric application that opens port 13000 for TCP connections. The project works fine locally. I have created a Managed Azure Service Fabric and published the project. I have allowed TCP connections on port 13000 in the Networking tab but, when I try to connect, I get a connection timeout. I have also created an HTTP listener on port 8001 just for testing, which I also allowed in the Networking tab, and it also gets a timeout error.
    "loadBalancingRules": [
        {
            "frontendPort": 13000,
            "backendPort": 13000,
            "protocol": "tcp",
            "probeProtocol": "tcp"
        },
        {
            "frontendPort": 8001,
            "backendPort": 8001,
            "protocol": "tcp",
            "probeProtocol": "http",
            "probeRequestPath": "\\"
        },
Should I configure anything else in order for those ports to be publicly available (e.g. Network Security Group, Load Balancer)?
• I tried to deploy a sample ‘Voting’ stateless Service Fabric application to Azure as shown below and tried to access it with the settings below configured in the load balancer and in the NSG associated with the virtual network in which the related virtual machines and cluster resources are deployed.
I configured the virtual network with the settings below, and the NSG with the following rules, to allow access to the ‘Voting’ stateless application through the configured port:
Virtual network address space: 172.16.0.0/20
Service Fabric subnet address space: 172.16.2.0/23
The following inbound traffic rules are enabled in the ‘Microsoft.Network/networkSecurityGroups’ resource:
ClientConnectionEndpoint (TCP): 19000
HttpGatewayEndpoint (HTTP/TCP): 19080
SMB: 445
Internode communication: 1025, 1026, 1027
Ephemeral port range: 49152 to 65534 (need a minimum of 256 ports).
Ports for application use: 80 and 443
Application port range: 49152 to 65534 (used for service-to-service communication. Other ports aren't opened on the load balancer).
Block all other ports
Similarly, if other application ports are needed, you'll need to adjust the ‘Microsoft.Network/loadBalancers’ resource and the ‘Microsoft.Network/networkSecurityGroups’ resource to allow the traffic in.
For more information, please refer to the link below:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-create-vnet-and-windows-cluster
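The answer's point is that a port has to be opened in both the load balancer and the NSG. The following Python checker, added here and not part of either post, cross-checks the question's loadBalancingRules against a constructed NSG inbound rule list shaped like the one in the answer, flagging ports the load balancer forwards but the NSG denies, and HTTP probes whose request path is not absolute (the question's "\\" probe path would never return healthy). NSG evaluation is modelled as "first matching rule in priority order wins" with an implicit final deny; the rule names and the dictionary layout are assumptions for the example.

```python
"""Added example (not code from the question or answer above): cross-check
load-balancer rules against NSG inbound rules. Every port the LB forwards must
be allowed by the NSG, and an HTTP probe needs an absolute request path. NSG
evaluation is modelled as first match in priority order wins, implicit deny."""

# Constructed input copied from the question's loadBalancingRules block.
LB_RULES = [
    {"frontendPort": 13000, "backendPort": 13000, "protocol": "tcp",
     "probeProtocol": "tcp"},
    {"frontendPort": 8001, "backendPort": 8001, "protocol": "tcp",
     "probeProtocol": "http", "probeRequestPath": "\\"},
]
# Constructed NSG inbound rules, sorted by priority, following the answer's
# port list; the last entry mirrors Azure's default DenyAllInBound rule.
NSG_INBOUND = [
    {"name": "ClientConnectionEndpoint", "protocol": "Tcp", "destPorts": "19000", "access": "Allow"},
    {"name": "HttpGatewayEndpoint", "protocol": "Tcp", "destPorts": "19080", "access": "Allow"},
    {"name": "ApplicationPorts", "protocol": "Tcp", "destPorts": "49152-65534", "access": "Allow"},
    {"name": "DenyAllInBound", "protocol": "*", "destPorts": "*", "access": "Deny"},
]

def port_matches(port: int, spec: str) -> bool:
    """True if port falls inside an NSG port spec: '*', '1433' or '49152-65534'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)

def nsg_allows(port: int, protocol: str, rules: list) -> bool:
    """First rule matching protocol and destination port decides; no match = deny."""
    for rule in rules:
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if port_matches(port, rule["destPorts"]):
            return rule["access"] == "Allow"
    return False

def find_problems(lb_rules: list, nsg_rules: list) -> list:
    """Findings for LB rules that the NSG or the probe configuration would break."""
    problems = []
    for rule in lb_rules:
        port, proto = rule["backendPort"], rule["protocol"]
        if not nsg_allows(port, proto, nsg_rules):
            problems.append(f"{port}/{proto}: forwarded by the load balancer but denied by the NSG")
        path = rule.get("probeRequestPath", "")
        if rule.get("probeProtocol") == "http" and not path.startswith("/"):
            problems.append(f"{port}/{proto}: HTTP probe path {path!r} is not absolute, use '/'")
    return problems
```

Run `find_problems(LB_RULES, NSG_INBOUND)` to see the three findings for the question's setup; adding an NSG allow rule for each application port and changing the probe path to "/" clears them.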
Related
How we should open port 22 on aks loopback IP.
We are trying to do telnet on loopback IP using port 22 which is working fine on any Linux VM but on AKS we are getting the error Connection closed.
• Note that AKS clusters have unrestricted outbound (egress) internet access. This level of network access allows nodes and services you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible to maintain healthy cluster maintenance tasks. The simplest solution to securing outbound addresses lies in the use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Thus, you can configure an inbound rule and an outbound rule to allow traffic on port 22, i.e. SSH, for the destination IP address 127.0.0.1 (loopback IP address). To do so, please refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic#adding-firewall-rules
According to the above link, you must deploy a firewall and create a UDR hop to Azure firewall and associate it to AKS. Thus, in this way, if you configure the Azure firewall with the AKS cluster, you will be able to control the ingress and egress port traffic.
I have an Azure Container Service (Swarm). I am running a docker-compose with multiple HTTP APIs and websites in its definition. How can I configure the swarm agent to allow inbound traffic to those APIs? (They are running on different ports.) By default I can access an API or a website on port 80 only.
By default the Load Balancer has ports 80, 8080 and 443 open. If you want to connect on another port you will need to open that port on the Azure Load Balancer for the Agent Pool.
There is a document that shows you how to open more ports for your applications in Azure Container Service.
I've changed the RDP port to 8080 in the registry on my Azure Virtual Machine (Windows Server). Now it is not accessible from outside; I can't connect to it.
Azure VM is managed by Resource Manager (not Classic VM).
UPDATE:
Turning the security rules to allow all did not help.
I've changed the RDP port to 8080 in the registry on my Azure Virtual Machine (Windows Server)
We can use the Custom Script Extension to check whether RDP is listening on port 8080.
netstat -ant | findstr "8080"
If RDP is not listening on port 8080, we may need to restart the RDP service.
If RDP is listening on port 8080, we can use the Custom Script Extension to disable the Windows firewall.
netsh advfirewall set allprofiles state off
For the extension, we create a .ps1 file with the command and upload it via the Azure portal.
Azure has to know to allow traffic through to your VM. By default, on a Windows VM, only RDP is open. But you (for some reason) changed the RDP port in Windows Server. You need to do this with the network interface as well, via the VM settings (which has nothing to do with Windows itself):
Via Settings, go to Network Interfaces
Select your network interface and go to Network Security Group
From network security group, add an inbound rule for port 8080 (or modify the existing RDP rule to be port 8080).
It used to be possible to change your RDP port in the Classic portal using endpoints, but in the RM portal you cannot change your RDP port.
If you are trying to secure your box or bypass the security firewall to connect to your box, I recommend using Azure Load Balancer NAT rules: you can create a NAT rule to translate a custom port to 3389, and then you can allow connectivity only from the LB to your VM. This is a trick I use when I want to bypass the corporate firewall, for example with port 443.
Make sure you attach the LB to your VM from the NAT rule section
To access any port from a public IP client:
Enable the port in Azure Firewall (if installed)
Enable the port in the Network Security Group (add an inbound rule), e.g. 8080 -> 8080 or 80 -> 8080
Enable the port in the Windows Firewall of the VM (on Azure) -- most important if the port is other than 80 and 443, e.g. 8080, 8090 etc.
I have a Virtual Machine created in the new Azure portal (portal.azure.com).
Now I can connect to it using Remote Desktop on port 3389 without any problems.
I am asking for a guide to set up my virtual machine so it can be remoted over port 443 as well (since the work network only allows outgoing 443).
With the classic portal, I just needed to add an "endpoint" and that worked.
However, with the new portal, in the "network security group", I tried to modify the "inbound security rules" and changed the default value 3389 to 443, but I had no luck.
Edited: captured screenshots
New VMs created as "Azure Resource Manager" (ARM) have different options and features, but they lost endpoints. Endpoints, in classic deployment, allowed you to remap internal ports to external ports, changing the value.
Now, in ARM, to have a similar behaviour, you have to use LoadBalancer. Read at the end of https://blogs.msdn.microsoft.com/mast/2016/02/04/azure-networking-public-ip-addresses-in-classic-vs-arm/ for an example to map external 50000 to internal 80.
As I understand them, Network Security Groups don't actually do any port mapping, just allow/deny access to certain ports. If you want the RDP server to still listen on 3389 and for external RDP requests to go to 443, you'll need to use Azure Load Balancer with NAT rules (https://azure.microsoft.com/en-us/documentation/articles/load-balancer-get-started-internet-arm-ps/#create-lb-rules-nat-rules-a-probe-and-a-load-balancer). Alternatively, you could configure your RDP server to listen on port 443. It's up to you which you prefer :).
Please, I am trying to do something that should be simple... but it is not working.
I have 3 VMs in the same subnet.
The subnet has a security group in which I created an HTTP/80 inbound rule, and that works.
Now, I need to open SQL to my second VM in the same subnet.
I already tried to change the security group of my VM running SQL to the same one as the IIS server.
I did my Windows firewall inbound rule too. No way.
I tried to create another rule to test whether my security group was forwarding correctly, without success.
This is my SQLIN rule:
Priority: 2100 / Source: Any / Protocol: TCP / Source port: 1433 / Target: CIDR block: x.x.x.x/32 (server VM Azure IP (internal)) / Target port: 1433 / Action: ALLOW.
I can access my SQL through my VPN, but I need to open it to the Internet.
Another test to check whether my security group is doing what I created in the rules... is... I try to open RDP through port 3390... and redirect it to 3389 (because in this security group I already have 3389 published to another server...)
The rule:
Priority: 2120 / Source: Any / Protocol: TCP / Source port: 3390 / Target: CIDR block: x.x.x.x/32 (server VM Azure IP (internal)) / Target port: 3389 / Action: ALLOW.
I did not have success with either rule.
Again: the subnet is associated with this security group, and BOTH VMs are associated with this security group.
If the 2 VMs are on the same subnet then you don't need to open up the NSG for the machines to talk to each other - you should just be able to use the windows firewall rules. Make the SQL VM private by making sure it doesn't have a public IP, or use the NSG here. I suspect the problem is with windows firewall from the IIS box or into the SQL box.