We have multiple P2S virtual network gateways confgured. The VPN uses OpenVPN and Azure AD authentication. Each gateway has its own virtual network for customer/project private resources.
We have a conditional access policy configured to give only specific users access to the Azure VPN enterprise application via an Azure AD security group. This however means that the users in the group will have access to all resources as long as they have the customer/project VPN XML file (for the Azure VPN Client).
Is there a way to have more fine-grained control over this? So for example create a security group and assign it to a specific P2S VPN?
We know this can be done with a NSG and restrict IPs but these are dynamic so we can't really use this.
Related
If I am setting up an Azure SQL Database in a vnet which Azure App Service and Azure Function will access. Is using both Subnet Delegation and Service Endpoints the right way to go? I didn't fully understand the documentation.
Regarding subnet delegation, I read this Microsoft article and this stackoverflow post, which stated:
When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner.
That sounds like a good thing but makes me wonder how it worked efficiently w/o subnet delegation.
As for Service Endpoints, I read this Microsoft article, which states:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
They both sound like they have the same benefits and I'm struggling to understand the difference. I suppose the larger question is should I enable both for the simple architecture outlined above.
In the Microsoft service endpoints documentation they also mention:
Microsoft recommends use of Azure Private Link for secure and private access to services hosted on Azure platform. For more information, see Azure Private Link.
For some reason that seems like an Azure to on-premise thing.
• You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’ since that subnet is delegated for the said service, in your case, the Azure SQL Database. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets to a common NSG. You can also define the IP Address space for the delegated subnet, the route table association with it, the custom DNS entry configuration in Azure DNS as well as define the minimum number of IP Addresses available for that delegated subnet. Similarly, with regards to service endpoint, these stated functions are not available.
• In service endpoint, you do not have control over the routing mechanism as well as the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required unlike a subnet delegation because all these things are managed by Microsoft Azure’s backbone network on your behalf.
Thus, both have their own features and specifications for enabling you to configure according to your own requirements.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
Yes, you will have to create a firewall rule to allow the access from on-premises system to Azure SQL Server/Database and configure the service endpoint accordingly to allow the VPN client IP Addresses for accessing the same over public internet.
Also, through Azure private link, you won’t be able to connect from on-premises to Azure as it uses a private IP address and a private DNS zone entry related to it to connect to Azure resources in the same virtual network.
To know more regarding the configuration of Azure service access from on-premises network, kindly refer to the below given link: -
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-service-access-from-on-premises
Also, refer to the below snapshots regarding the configuration and selection of service endpoint for a particular subnet: -
I have an Azure Storage account and need to enable the storage firewall.
I have added the outbound IP addresses of my App Service, but the firewall still prevents access. (I know that these addresses can change, but they change predictably, so I can live with that.)
Is there a solution to grant an App Service access to the Storage account other than disabling the firewall (and other than using an ASE, which isn't an option)?
So it turns out that in a new Azure Storage account with a new App Service, setting the storage firewall to the outbound IPs of the App Service does work as expected. Unless the client browser is actually doing the download, adding the client's IP is not required.
Edit
This only works reliably when the storage account is in a different data centre to the App Service. When they are both in the same data centre, an internal outbound address (e.g. 10.x.x.x) is presented from the App Service to the Storage account. Internal addresses cannot be added to the Storage firewall.
If you access your web app service from on-premises networks, you need to grant access from your on-premise networks to your storage account with a public Internet-facing IP address used by your network. You can get more details from Grant access from an internet IP range
If you have VNet Integration with your apps. You should first enable service endpoints for storage in the VNet. You can refer to Grant access from a virtual network.
I am attempting to link my Azure AD to a Network to enable Azure Directory Services. I have created a network but every time I try to enable the Azure Directory Services no networks show up under the 'CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK' dropdown menu. Does anyone know what might be causing this issue?
According to your description, I guess you create your virtual network in Azure new portal(ARM module).
For now, Azure AD Domain Services cannot be enabled in virtual networks created using Azure Resource Manager.
In your scenario, I think we should use VNet peering or site-to-site VPN to connect classic Vnet and ARM vnet. You can connect a Resource Manager-based virtual network to the Azure classic virtual network in which you have enabled Azure AD Domain Services. This connection enables you to use the managed domain with your workloads deployed in the Resource Manager-based virtual network.
More information about select a virtual network for AD DS, please refer to the link.
I have VNET with DMZ and multiple internal subnets configured. There is security requirement to block all the outbound internet connection for the internal subnets.
Now, this VM needs to access Azure blob storage which hosted in the same region.
I am wondering to access Azure Blob storage without outbound internet connection.
Pondering on questions like
1) Can I attach Azure Storage account in my azure VNET
2) Can there is existing solution, where I am access internet via JUMP-BOX network configuration, where my VM internet traffic goes via Jump box
3) Can this be achieve via Network ACLs or some better solution?
Now, this question is mix of networking and azure services, not sure of the right forum for this, server-fault or stack-overflow?
Azure Storage uses a public endpoint, as it's a multi-tenant service. You cannot add your Azure storage account to your VNet, since this is not an endpoint you control.
You'll need to access storage directly, via its <storagename>.blob.core.windows.net endpoint. How you ultimately accomplish that is up to you.
I want to be able to provision Azure VMs and attach them to on-premise AD. I have read the Azure documentation and there is a requirement for a site-to-site VPN connection.In my case, having a VPN device is not feasible. Would it be possible to do the same with a point-to-site VPN connection? I haven't seen any guidance on the Azure website regarding the same.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/
While I haven't considered using Point-to-site where my point would be my whole on-premises network, I can assure you that you do not need a special VPN device to make Site-to-Site VPN with Azure.
Check this dedicated article on how to create Azure Site-to-Site VPN with Windows Server Routing and Remote Access.