How do I create an Azure application gateway using PowerShell - Multiple BackendPool - azure

https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ssl-powershell
Hi All,
Using the above link I'm able to create an application gateway with one Backend pool, one Http setting, one listener and one rule.
But what about multiple Backend Pools, multiple Http settings, multiple listeners and multiple rules?
How do I define multiple Backend Pools, Http settings, listeners and rules while creating an Azure application gateway using PowerShell?

I have tested this in my environment.
You can define multiple Backend Pools, Http settings, listeners and rules while creating an Azure application gateway using PowerShell.
To define multiple frontend ports, use the commands below:
$frontendport1 = New-AzApplicationGatewayFrontendPort -Name FrontendPort1 -Port portnumber
$frontendport2 = New-AzApplicationGatewayFrontendPort -Name FrontendPort2 -Port portnumber
To define multiple backend pools, use the commands below:
$backendPool1 = New-AzApplicationGatewayBackendAddressPool -Name AGBackendPool1
$backendPool2 = New-AzApplicationGatewayBackendAddressPool -Name AGBackendPool2
To define multiple pool settings, use the commands below:
$poolSettings1 = New-AzApplicationGatewayBackendHttpSetting -Name myPoolSettings1 -Port portnumber -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 30
$poolSettings2 = New-AzApplicationGatewayBackendHttpSetting -Name myPoolSettings2 -Port portnumber -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 30
To define multiple listeners, use the commands below:
$defaultlistener1 = New-AzApplicationGatewayHttpListener -Name AGListener1 -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $frontendport1
$defaultlistener2 = New-AzApplicationGatewayHttpListener -Name AGListener2 -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $frontendport2
To define multiple rules, use the commands below:
$frontendRule1 = New-AzApplicationGatewayRequestRoutingRule -Name rule1 -RuleType Basic -HttpListener $defaultlistener1 -BackendAddressPool $backendPool1 -BackendHttpSettings $poolSettings1
$frontendRule2 = New-AzApplicationGatewayRequestRoutingRule -Name rule2 -RuleType Basic -HttpListener $defaultlistener2 -BackendAddressPool $backendPool2 -BackendHttpSettings $poolSettings2
Now you can pass these multiple Backend Pools, Http settings, listeners and rules while creating the Azure application gateway.
Use the command below to create the Azure Application Gateway:
New-AzApplicationGateway -Name AppGatewayName -ResourceGroupName RGName -Location westus2 -BackendAddressPools $backendPool1, $backendPool2 -BackendHttpSettingsCollection $poolSettings1, $poolSettings2 -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $frontendport1, $frontendport2 -HttpListeners $defaultlistener1, $defaultlistener2 -RequestRoutingRules $frontendRule1, $frontendRule2 -Sku $sku
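The same idea generalised to any number of sites, as an added example that is not part of the answer above: the per-site objects are built from a table and the resulting arrays are handed to New-AzApplicationGateway. It assumes $fipconfig, $gipconfig and $sku already exist (as in the answer) and that the site table, resource group and location are placeholders you replace.

```powershell
# Added example (not the answer's own code): table-driven build of pools, settings,
# ports, listeners and rules. $fipconfig, $gipconfig and $sku are assumed to exist.
$sites = @(
    @{ Name = 'app1'; FrontendPort = 8081; BackendPort = 80;   Hosts = @('10.0.1.4', '10.0.1.5') }  # constructed sample
    @{ Name = 'app2'; FrontendPort = 8082; BackendPort = 8080; Hosts = @('10.0.2.4') }              # constructed sample
)

$pools = @(); $settings = @(); $ports = @(); $listeners = @(); $rules = @()
$priority = 100   # rule priorities must be unique; required on v2 SKUs, drop -Priority for a v1 gateway

foreach ($site in $sites) {
    $n = $site.Name
    $pool = New-AzApplicationGatewayBackendAddressPool -Name "$n-pool" -BackendIPAddresses $site.Hosts
    $setting = New-AzApplicationGatewayBackendHttpSetting -Name "$n-settings" -Port $site.BackendPort `
        -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30
    # Frontend port numbers must be unique across the gateway, and a listener is keyed by
    # (frontend IP config, port): two listeners sharing a port must differ by -HostName.
    $port = New-AzApplicationGatewayFrontendPort -Name "$n-port" -Port $site.FrontendPort
    $listener = New-AzApplicationGatewayHttpListener -Name "$n-listener" -Protocol Http `
        -FrontendIPConfiguration $fipconfig -FrontendPort $port
    $rule = New-AzApplicationGatewayRequestRoutingRule -Name "$n-rule" -RuleType Basic -Priority $priority `
        -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $setting
    $priority += 10

    $pools += $pool; $settings += $setting; $ports += $port; $listeners += $listener; $rules += $rule
}

# One call creates the whole gateway; every collection parameter takes the array built above
New-AzApplicationGateway -Name AppGatewayName -ResourceGroupName RGName -Location westus2 `
    -BackendAddressPools $pools -BackendHttpSettingsCollection $settings `
    -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig `
    -FrontendPorts $ports -HttpListeners $listeners -RequestRoutingRules $rules -Sku $sku
```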

Related

Azure CLI - Set Azure Application Gateway Backend settings

I have created a PowerShell script that calls the Az module... "az network application-gateway probe create" - https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/probe?view=azure-cli-latest#az-network-application-gateway-probe-create
I have read the documentation on the above command but can't work out how to set 'backend settings' - the field marked by the black line in the screenshot below - any thoughts?
The 'Backend Settings' field is a drop-down box that does list the 'http settings' I want to set the value to - remember, I want to do this via ARM or CLI, not manually via the Azure Portal.
I tried to reproduce the same in my environment and got the results successfully as below:
To create the probe and the associated backend settings, I used the commands below while creating the probe via CLI:
$probe = New-AzApplicationGatewayProbeConfig -Name probe01 -Protocol Http -HostName 'XXX.com' -Path '/path/path.htm' -Interval 30 -Timeout 120 -UnhealthyThreshold 8
$poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name poolsetting01 -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 80
I created the application gateway with all the required parameters as below:
$appgw = New-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Location 'West US' -BackendAddressPools $pool -Probes $probe -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku
In the portal, the Application Gateway was created successfully with backend settings as below:
To add a new probe to an existing application gateway and set its backend settings, please use the commands below:
$appgw = Get-AzApplicationGateway -Name applicationgatewayname -ResourceGroupName ResourceGroupName
$appgw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $appgw -Name probetest -Protocol Http -HostName 'XXX.com' -Path '/path/custompath.htm' -Interval 30 -Timeout 120 -UnhealthyThreshold 8
# Add-AzApplicationGatewayProbeConfig returns the gateway object, not the probe, so fetch the probe before referencing it
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $appgw -Name probetest
# Assumes the gateway has a single backend HTTP setting; with several, pass the target setting's name explicitly
$appgw = Set-AzApplicationGatewayBackendHttpSettings -ApplicationGateway $appgw -Name $appgw.BackendHttpSettingsCollection.name -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 120
Set-AzApplicationGateway -ApplicationGateway $appgw

Azure - Add http listener to existing ApplicationGateway through ps command

I am trying to add a new listener to an existing Azure application gateway using a PowerShell script. Here's the command I have used.
Add-AzApplicationGatewayHttpListener -ApplicationGateway $Appgw -Name $listenerName -FrontendIPConfiguration $fipconfig -FrontendPort $port -SslCertificate $cert -HostName $hostName -Protocol "Https" -Debug
All the variables are correctly initialized. The command executes well and returns an ApplicationGateway object, which seems normal. However, the newly added listener is not visible in the Azure portal. After looking carefully at the new listener in the ApplicationGateway object (in PowerShell), it just shows the resource path below:
/subscriptions/<subscription-id>/resourceGroups/ResourceGroupNotSet/providers/Microsoft.Network/applicationGateways/ApplicationGatewayNameNotSet/httpListeners/<new-listener-name>
Two things don't seem normal here:
ResourceGroupNotSet
ApplicationGatewayNameNotSet
Can anyone please suggest what could be the reason behind this, and why the listener is not shown in the portal at all?
According to my test, if we want to add an HTTP listener to an existing Azure Application Gateway with PowerShell, we need to run the command Set-AzApplicationGateway -ApplicationGateway $appgw after running the command Add-AzApplicationGatewayHttpListener, because the command Add-AzApplicationGatewayHttpListener will just create a new HTTP listener but will not update the application gateway.
Connect-AzAccount
$AppGWname ="stantest"
$groupName="stan"
$ipName="appGwPublicFrontendIp"
$portName="port_80"
$listenerName="test1"
$appgw= Get-AzApplicationGateway -Name $AppGWname -ResourceGroupName $groupName
$FEC= Get-AzApplicationGatewayFrontendIPConfig -Name $ipName -ApplicationGateway $appgw
Add-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name $portName -Port 80
$port =Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name $portName
Add-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name $listenerName -FrontendIPConfiguration $FEC -FrontendPort $port -Protocol Http
Set-AzApplicationGateway -ApplicationGateway $appgw

Can I set target VM in azure powershell when adding inbound nat rule?

In an Azure RM load balancer I can create an FTP NAT rule using PowerShell, but I would also like to set the target virtual machine using PowerShell. The only way I know how to set the target is in the portal.
I have two VMs in the load balancer. I tried using Add-AzLoadBalancerInboundNatRuleConfig, but don't see a parameter for the target VM.
My script:
$lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $EndpointName -FrontendIPConfiguration $feip -Protocol "Tcp" -FrontendPort $i -BackendPort $i
If it's not possible to set the target in PowerShell, what alternatives are there besides the portal?
I found the answer. The key is to add the LoadBalancerInboundNatRuleId to the IP configuration.
Here's a function to get the LoadBalancerInboundNatRuleId that I created for this purpose:
Function natRuleID ($sourcePortName) {
return "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/loadBalancers/$lbName/InboundNatRules/$sourcePortName"
}
And here is my sample script that adds two load balancer NAT rules and then sets the target network interface for a virtual machine:
# Add Load Balancer Nat Rules:
$lb = Get-AzLoadBalancer -Name $lbName -ResourceGroupName $rgName
$feip = Get-AzLoadBalancerFrontendIpConfig -Name $feipName -LoadBalancer $lb
$lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $natRuleRdpName -FrontendIpConfiguration $feip -Protocol tcp -FrontendPort $rdpPortNumber -BackendPort 3389
$lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $natRuleFtpName -FrontendIPConfiguration $feip -Protocol "Tcp" -FrontendPort $ftpPublicPortForImplicit990 -BackendPort 990
$lb | Set-AzLoadBalancer #save the new LB rules
# Set nat rule targets:
Function natRuleID ($sourcePortName) {
return "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/loadBalancers/$lbName/InboundNatRules/$sourcePortName"
}
$rules = @()
$rules += natRuleID $natRuleFtpName
$rules += natRuleID $natRuleRdpName
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName
$nic | Set-AzNetworkInterfaceIpConfig -Name $ipConfigName -LoadBalancerInboundNatRuleId $rules
$nic | Set-AzNetworkInterface #save the new ipConfig rules
For the Load Balancer NAT rules, the documentation describes it like this:
Standard Load Balancer backend pools expand to any virtual machine resource in a virtual network. It can contain up to 1000 backend instances. A backend instance is an IP configuration, which is a property of a NIC resource.
So there are two steps to create this for the VM:
Create the NAT rule in the load balancer; the PowerShell command is Add-AzLoadBalancerInboundNatRuleConfig, the Azure CLI command is az network lb inbound-nat-rule create.
Associate the NAT rule to the VM NIC; the PowerShell command is Add-AzNetworkInterfaceIpConfig, the Azure CLI command is az network nic ip-config inbound-nat-rule add.
You can add the NAT rule in one step in the portal, but you need two steps through the command line. You also need to pay attention that an NSG rule is necessary to allow the traffic to the port.
Gary, I understand the issue you are facing; I am also trying to configure the Target VM and Network IP Configuration (in case the VM is associated with two NICs) through PS.
However, I am not able to do so, since the cmdlet "Add-AzLoadBalancerInboundNatRuleConfig" doesn't come with a Target VM parameter.
I was able to get the FrontendIPs and Inbound NAT Rules. However, setting the Target VM and NIC associated to those inbound NAT rules is a challenge.
"Add-AzLoadBalancerInboundNatRuleConfig" doesn't show the inbound NAT rule in the LB Settings section, though.
The script below will help you get the existing Target VM name and NIC.
$lb = Get-AzLoadBalancer -ResourceGroupName $rgname -Name $lbname
$lbinboudnatrule = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb
foreach($lbrule in $lbinboudnatrule)
{
$bip = $lbrule.BackendIPConfiguration.Id -split '/subscriptions/---------------/Microsoft.Network/networkInterfaces/'
$info = $bip -split '-----------/ipConfigurations/'
$wrapper = New-Object PSObject -Property @{ NATRuleName = $lbrule.Name; TargetVirtualMachine = $info[1]; NetworkIPConfiguration = $info[2]}
$wrapper | Export-csv -Path C:/Temp/lb.csv -Append -NoTypeInformation
}
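The two-step association from the answers above (NAT rule saved on the load balancer, then attached to the NIC IP configuration) and the read-back of rule targets, as an added example that is not part of any answer here: it takes the rule Ids from the saved load balancer instead of hand-building the string, keeps what the ipconfig already references, and parses the standard resource Id layout. Resource and rule names are assumptions.

```powershell
# Added example (not from the answers above). Names are placeholders for this example.
$rgName = 'myResourceGroup'; $lbName = 'myLoadBalancer'
$nicName = 'myVmNic';         $ipConfigName = 'ipconfig1'
$ruleNames = @('natRuleRdp', 'natRuleFtp')   # rules already added and saved with Set-AzLoadBalancer

$lb = Get-AzLoadBalancer -Name $lbName -ResourceGroupName $rgName
# Rule Ids only exist once the load balancer has been saved, so look them up rather than build them
$ruleIds = foreach ($name in $ruleNames) {
    $rule = $lb.InboundNatRules | Where-Object { $_.Name -eq $name }
    if (-not $rule) { throw "Inbound NAT rule '$name' not found on $lbName; run Set-AzLoadBalancer after adding it" }
    $rule.Id
}

$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName
$ipConfig = $nic.IpConfigurations | Where-Object { $_.Name -eq $ipConfigName }
if (-not $ipConfig) { throw "IP configuration '$ipConfigName' not found on $nicName" }

# Set-AzNetworkInterfaceIpConfig replaces what it is given, so carry the existing state over
$existingRuleIds = @($ipConfig.LoadBalancerInboundNatRules | Where-Object { $_ } | ForEach-Object { $_.Id })
$params = @{
    Name                         = $ipConfigName
    SubnetId                     = $ipConfig.Subnet.Id
    LoadBalancerInboundNatRuleId = @($existingRuleIds + $ruleIds | Select-Object -Unique)
}
$poolIds = @($ipConfig.LoadBalancerBackendAddressPools | Where-Object { $_ } | ForEach-Object { $_.Id })
if ($poolIds.Count -gt 0) { $params.LoadBalancerBackendAddressPoolId = $poolIds }
if ($ipConfig.PrivateIpAllocationMethod -eq 'Static') { $params.PrivateIpAddress = $ipConfig.PrivateIpAddress }

$nic | Set-AzNetworkInterfaceIpConfig @params | Out-Null
$nic | Set-AzNetworkInterface | Out-Null   # nothing reaches Azure until this call

# Read back which NIC/ipconfig each rule targets. Backend Ids follow the layout
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<nic>/ipConfigurations/<ipconfig>
$lb = Get-AzLoadBalancer -Name $lbName -ResourceGroupName $rgName
foreach ($rule in $lb.InboundNatRules) {
    $target = '(no target)'
    if ($rule.BackendIPConfiguration) {
        $seg = $rule.BackendIPConfiguration.Id -split '/'
        $i = [array]::IndexOf($seg, 'networkInterfaces')
        $target = '{0}/{1}' -f $seg[$i + 1], $seg[-1]
    }
    [pscustomobject]@{ NatRule = $rule.Name; FrontendPort = $rule.FrontendPort; BackendPort = $rule.BackendPort; Target = $target }
}
```

A rule whose Target shows "(no target)" has been created on the load balancer but not attached to any NIC, which is the state the question describes.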
You need to set it up on the NSG; below is a snippet sample from a script I created to do something similar for the RDP port.
Add-AzureRmNetworkSecurityRuleConfig -Name $ruleName -NetworkSecurityGroup $nsg -Access Allow -Description "Allowing RDP connection from current location" -DestinationAddressPrefix * -DestinationPortRange $port -Direction Inbound -Priority $priorityNew -Protocol * -SourceAddressPrefix $current_IP -SourcePortRange *
$hout = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

How to configure OpenPorts option for New-AzureRmVm to create VM without default network security group RDP port(3389,5985).

I'd like to create a Windows Server VM which has a source-filtered RDP port using PowerShell.
New-AzureRmVM and Add-AzureRmNetworkSecurityRuleConfig partially work for me.
New-AzureRmVM creates the VM with an NSG rule for the default RDP port which allows any source. I have to delete them after the script runs.
I tried to set the -OpenPorts option to $null or None.
Is this possible? Or is there any other method to achieve this?
Unfortunately, it seems you cannot remove the RDP NSG rule by setting -OpenPorts to $null or None when you create the VM using the PowerShell command New-AzureRmVM.
-OpenPorts
A list of ports to open on the network security group (NSG) for the created VM. The default value depends on the type of image
chosen (i.e., Windows: 3389, 5985 and Linux: 22).
When you create the Windows VM, the default port is opened according to the image type. But you can change the NSG rule to filter the traffic when you create it.
# Create an inbound network security group rule for port 3389
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
-Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 3389 -Access Allow
# Create a network security group
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
-Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
Set the -SourceAddressPrefix, -SourcePortRange, -DestinationAddressPrefix and the -Access as you want to filter the traffic. For more details, see Create a fully configured virtual machine with PowerShell.
You can change Azure VM default RDP port. For more details, please refer to the blog.
Write-host "What Port would you like to set for RDP: " -ForegroundColor Yellow -NoNewline;$RDPPort = Read-Host
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
New-NetFirewallRule -DisplayName "RDP HighPort" -Direction Inbound -LocalPort $RDPPort -Protocol TCP -Action Allow
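The source-filtering approach from the first answer above carried through to VM creation, as an added example that is not part of either answer: the NSG is built with a restricted RDP rule and attached to the NIC before the VM is created with an explicit -VM config, so the default any-source rule is never generated. It uses the current Az cmdlets (the AzureRm names differ only by prefix); resource names and the 203.0.113.0/24 admin prefix are assumptions.

```powershell
# Added example (not from the answers above), Az module. Names and prefixes are placeholders.
$rg = 'myResourceGroup'; $location = 'westus2'
$adminSource = '203.0.113.0/24'   # your admin network; '*' here would reproduce the default open rule

$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' -Protocol Tcp -Direction Inbound `
    -Priority 1000 -SourceAddressPrefix $adminSource -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
# Explicit deny below the allow: a later allow with a priority number above 1100 cannot reopen 3389
$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' -Protocol Tcp -Direction Inbound `
    -Priority 1100 -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Deny
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'myVmNsg' `
    -SecurityRules $rdpRule, $denyRdp

# Attach the NSG to the NIC; the vnet and subnet are assumed to exist already
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default'
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name 'myVmPip' -AllocationMethod Static -Sku Standard
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name 'myVmNic' `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Full VM config path: no -OpenPorts, so New-AzVM creates no NSG of its own and only the rules above apply
$cred = Get-Credential -Message 'Local administrator account for the VM'
$vm = New-AzVMConfig -VMName 'myVm' -VMSize 'Standard_B2s'
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName 'myVm' -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus '2022-datacenter' -Version latest
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Check: warn if any inbound allow rule still permits 3389 from any source
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'myVmNsg').SecurityRules |
    Where-Object { $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' -and
                   $_.SourceAddressPrefix -contains '*' -and $_.DestinationPortRange -contains '3389' } |
    ForEach-Object { Write-Warning "Open RDP rule found: $($_.Name)" }
```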

IPv6 DNS query on Azure

I need to launch an IPv6 DNS query from my Azure VM. I need to control all the parameters of this query. I can do it via network calls or via the dig command. Can I do this with Azure? Probably this: can the load balancer support an outbound IPv6 DNS query?
We needed to confirm that our DNS servers handled queries coming in over IPv6, and Azure was one of the cloud providers we could use. It wasn't easy, but I eventually got it to work.
In order to get outgoing IPv6 service from an Azure VM, the VM needs to be created in an availability set with a load balancer that has public dynamic IPv6 addresses, inbound NAT rules for both IPv4 and IPv6, and load balancing rules for the same. Existing VMs can't be reconfigured to support this. Azure seems to create some sort of tunnel between the configured load balancer and the VMs you put in the same availability set. This isn't obvious from the VM's perspective, except that you can only communicate over IPv6 with the outside Internet and not with the other VMs in your Azure subnet.
IPv6 support isn't currently possible to configure through the Azure portal. I made heavy use of the following two links to get this working:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-internet-ps
You'll need a Windows VM to run much of the above; PowerShell for Linux and AzureRM.NetCore.Preview does not have feature parity with PowerShell in Windows.
I had to hack at the above example for some time before coming up with the following ... you may need to hack it some more to work in your environment.
Note that I ran this script from within Powershell ISE so I could pre-configure the environment with $mySecureCredentials and Login-AzureRMAccount as necessary.
The script below will create a CentOS 7.3 VM that can initiate IPv6 DNS queries against the Internet. Note that you'll have to enable your IPv6 interfaces in the guest after rebooting. Unfortunately my rep is too low to post more than 2 links, so search for 'azure linux dhcp ipv6' to see how to enable DHCPv6 client configuration on your VM.
$resgroupName = 'YourResourceGroup'
$location = 'east US' # of course, select your preferred location
# you will need some secure credentials. run something like:
# $mySecureCredentials = Get-Credential -Message "Type the username and password of the local administrator account."
# you will also need to log into azure (Login-AzureRMAccount)
# IP addresses, load balancer config
$publicIPv4= New-AzureRmPublicIpAddress -name 'lb-pub-ipv4' -ResourceGroupName $resgroupName -location $location `
-Allocationmethod Static -IpAddressVersion IPv4 -domainnamelabel my-lbnrpipv4
$publicIPv6 = New-AzureRmPublicIpAddress -name 'lb-pub-ipv6' -ResourceGroupName $resgroupName -location $location `
-AllocationMethod Dynamic -IpAddressVersion IPv6 -DomainNameLabel my-lbnrpipv6
$FEIPConfigv4 = New-AzureRmLoadBalancerFrontendIpConfig -name "LB-Frontendv4" -PublicIpAddress $publicIPv4
$FEIPConfigv6 = New-AzureRmLoadBalancerFrontendIpConfig -name "LB-Frontendv6" -PublicIpAddress $publicIPv6
$backendpoolipv4 = New-AzureRmLoadBalancerBackendAddressPoolConfig -name "BackendPoolIPv4"
$backendpoolipv6 = New-AzureRmLoadBalancerBackendAddressPoolConfig -name "BackendPoolIPv6"
# This script assumes you already have a virtual network defined - replace myRG-vnet with the name of the virtual network you want to use.
$vnet = Get-AzureRmVirtualNetwork -name myRG-vnet -ResourceGroupName $resgroupName
# I assume you want to use the default subnet.
$backendSubnet = Get-AzureRmVirtualNetworkSubnetConfig -name default -virtualnetwork $vnet
# Create NAT rules for load balancer
# Even if you don't actually need any inbound rules, some rules appear to be necessary to make outbound IPv6 work.
# Inbound SSH
$inboundNATRule1v4 = New-AzureRmLoadBalancerInboundNatRuleConfig -name "NicNatRulev4" -FrontendIpConfiguration $FEIPConfigv4 -Protocol TCP -FrontendPort 22 -BackendPort 22
$inboundNATRule1v6 = New-AzureRmLoadBalancerInboundNatRuleConfig -name "NicNatRulev6" -FrontendIpConfiguration $FEIPConfigv6 -Protocol TCP -FrontendPort 22 -BackendPort 22
$lbrule1v4 = New-AzureRmLoadBalancerRuleConfig -name "HTTPv4" -FrontendIpConfiguration $FEIPConfigv4 -BackendAddressPool $backendpoolipv4 -Protocol TCP -FrontendPort 80 -BackendPort 80
$lbrule1v6 = New-AzureRmLoadBalancerRuleConfig -name "HTTPv6" -FrontendIpConfiguration $FEIPConfigv6 -BackendAddressPool $backendpoolipv6 -Protocol TCP -FrontendPort 80 -BackendPort 80
$NRPLB = New-AzureRmLoadBalancer -ResourceGroupName $resgroupName -name 'myNrpIPv6LB' -location $location `
-FrontendIpConfiguration $FEIPConfigv4,$FEIPConfigv6 -BackendAddressPool $backendpoolipv4,$backendpoolipv6 `
-LoadBalancingRule $lbrule1v4,$lbrule1v6 -inboundNatRule $inboundNATRule1v4,$inboundNATRule1v6
$nic1IPv4 = New-AzureRmNetworkInterfaceIpConfig -name "IPv4IPConfig" -PrivateIpAddressVersion "IPv4" -subnet $backendSubnet -LoadBalancerBackendAddressPool $backendpoolipv4 -LoadBalancerInboundNatRule $inboundNATRule1v4
$nic1IPv6 = New-AzureRmNetworkInterfaceIpConfig -name "IPv6IPConfig" -PrivateIpAddressVersion "IPv6" -LoadBalancerBackendAddressPool $backendpoolipv6 -LoadBalancerInboundNatRule $inboundNATRule1v6
$nic1 = New-AzureRmNetworkInterface -Name 'myNrpIPv6Nic0' -IpConfiguration $nic1IPv4,$nic1IPv6 `
-resourceGroupName $resgroupName -location $location
New-AzureRmAvailabilitySet -name "myNrpIPv6AvSet" -resourcegroupname $resgroupName -location $location
$avset1 = Get-AzureRmAvailabilitySet -resourcegroupname $resgroupName -name 'myNrpIPv6AvSet'
try {
New-AzureRmStorageAccount -ResourceGroupName $resgroupName -name 'mynrpipv6stacct' -location $location -skuname `
"Standard_LRS" -erroraction stop
} catch {
echo "new storage account failed, let's just hope it was a dup and gets found anyway"
}
# find my existing storage account
$storAcct = Get-AzureRmStorageAccount -resourcegroupname $resgroupName -name 'mynrpipv6stacct'
if ($storAcct -eq $null) {
throw "I could not find a storage account"
}
$nic1 = Get-AzureRmNetworkInterface -ResourceGroupName $resgroupName -name 'myNrpIPv6Nic0'
$vm1 = New-AzureRmVMConfig -vmName 'myNrpLinuxIPv6VM1' -vmSize 'Standard_d1' -AvailabilitySetId $avset1.Id
$vm1 = Set-AzureRmVMOperatingSystem -vm $vm1 -Linux -ComputerName 'myNrpLinuxIPv6VM1' -Credential $mySecureCredentials
$vm1 = Set-AzureRmVMSourceImage -VM $vm1 -PublisherName OpenLogic -Offer CentOS -Skus '7.3' -Version "latest"
$vm1 = Add-AzureRmVMNetworkInterface -VM $vm1 -Id $nic1.Id -Primary
$osDisk1Uri = $storAcct.PrimaryEndpoints.Blob.ToString() + "vhds/myNrpLinuxIPv6VM1osdisk.vhd"
$vm1 = Set-AzureRmVMOSDisk -VM $vm1 -Name 'myNrpLinuxIPv6VM1osdisk' -VhdUri $osDisk1Uri -CreateOption FromImage
echo "now creating..."
New-AzureRmVM -ResourceGroupName $resgroupName -location $location -VM $vm1
echo "done"
I don't understand what you mean by launching an IPv6 query. Do you mean a query for an AAAA record, or do you mean IPv6 network traffic? If you meant the query type, then tools like nslookup and dig allow you to control the query, but when looking up a hostname in things like browsers, they let the OS decide how to resolve the name; that's not Azure specific. If you're talking about IP-level traffic, the Azure DNS recursive resolvers are only contactable using IPv4 at present.