Azure Backup requires ports? - azure

I have created a DMZ subnet on Azure and have everything (inbound/outbound) locked down using NSGs. Currently I have a Linux VM running and my Azure Backup is failing for the VM. I went and added the Azure Backup service tag for both inbound and outbound rules but the backups are still failing.
Any thoughts on any specific ports or other servers I need to open up on the NSG?
I appreciate any help I can get.
Thanks everyone!

Microsoft Azure Backup makes use of port 443 (HTTPS). The Azure Backup service tag can also be used when backing up locked-down VMs using the MARS agent; however, the MARS agent can only be installed on Windows machines. So, backing up Linux Azure VMs with the MARS agent is not supported as of now.

Related

Cannot access Azure VM anymore

Following on from the latest Azure maintenance, we cannot remote desktop to one of our VMs and fix potential issue on the IIS server of this machine. Everything was working fine for over 1 year.
The Agent status is now set to "Not Ready" when looking at the properties of the VM in the Azure portal.
We obviously tried to restart the machine but no effect. We cannot redeploy the machine to another node as the VM agent seems to be down.
The outbound NSG rules do not block outbound connection to internet (so that the machine should be able to write to its azure storage).
This user seems to have a similar issue on a VM scale set: Azure VM scale sets not accessible and cannot restart
Any idea on how to resolve this issue?

Not able to add Windows Server in Azure Backup Server Protection Group

In Azure, I created 3 Windows Server VMs, i.e. one for Azure Backup Server (let's say BackupServer), one for Active Directory on a VM (let's say ADServer), and lastly SQL Server on Windows Server (let's say SQLServer). All three are on the same domain. Now, while adding SQLServer to a Protection Group in the Azure Backup Server configuration, it gives me the error shown in the attached screenshot.
Tried many links available on the internet but no luck.
Any suggestions?
But is it OK to disable firewalls, given the security concern?
You are right, disabling the firewall is just for testing; we should follow this official article to configure firewall settings for DPM.
By the way, Azure VMs have NSGs to block outside network traffic.

How to add AWS Virtual Machine to Azure Active Directory Domain?

I need to understand whether it is possible to add an AWS virtual machine to a custom domain controller in Azure.
I have created Active Directory Domain controller in one of the Virtual machine of Azure. Now I have created few virtual machines on AWS (Amazon Web Services). I want to add these machines into Azure custom Domain controller.
Is it possible and if yes, then can someone please guide me on how to do that?
I don't think it is possible with AWS now, but you could try and create a Site-to-Site VPN and test, most likely will not work, but who knows, you might try to replicate your Azure VM DNS network configuration on your AWS VM and see if it helps.
Here's the networking guide for Azure AD Services.
I have tested joining Linux VMs across a Site to Site VPN and they work OK (it was to Azure Active Directory Domain Services, machines could join and users log on).
As the above answer notes however DNS is the killer here. With the Linux boxes I was able to use local config files to save needing to replicate the DNS zone, for Windows boxes you could try hacking the hosts file with some #pre #dom entries but in reality I think you would need a zone replica in your AWS DNS servers for it to work reliably.

How to access virtual machine (Windows Server 2008) from browser?

I am trying out the Free Trial Microsoft Azure.
Basically I created a VM running Windows Server 2008 SP1.
There, I am running GeoServer, being able to access the geoserver from the local browser (eg: http://localhost:8080/geoserver/web)
Now, how do I access this from a public browser? It has a public IP, 13.93.154.109, which I can't even ping, let alone access.
What did I miss out?
Note: I tried both classic/non-classic VM, result is the same.
Also, I am aware that there is an OpenGeo Suite out there for Azure. But it costs a lot. What I am trying to do is, to share the VM with the other existing product.
Thanks in advance.
P.S: I am able to ping 13.93.154.109:3389 using PsPing instead of normal Ping.
You need to open the port 8080 to allow traffic on your VM.
Depending on how you have created the VM, it can be done in different ways:
If you have used the Classic workflow, you need to add an endpoint to your cloud service: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
If you have used the Azure Resource Manager workflow, you need to create an inbound rule in the network security group: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-nsg-arm-pportal/#create-rules-in-an-existing-nsg
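
A minimal model of how an NSG evaluates inbound rules (lowest priority number first, first match wins), added here as an illustration and not part of the original answer. The rule names, priorities and addresses are constructed, and Azure's VNet and load-balancer default rules are omitted; it shows why TCP 3389 can answer while ICMP and TCP 8080 do not, and how a source-scoped allow rule changes the outcome.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR or "*"
    dest_ports: str    # "8080", "8000-8100" or "*"
    access: str        # "Allow" or "Deny"

# Azure's built-in inbound catch-all (VNet and load-balancer defaults omitted).
DEFAULT_INBOUND = [Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny")]

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_match(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, protocol, src_ip, dest_port):
    """Return (access, rule name) of the first rule, by priority, matching the flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_match(r.source, src_ip)
                and _port_match(r.dest_ports, dest_port)):
            return r.access, r.name
    return "Deny", "no-match"

# Constructed NSG: RDP allowed, nothing else.
nsg = [Rule("Allow-RDP", 300, "Tcp", "*", "3389", "Allow")]
CLIENT = "203.0.113.10"  # documentation address (constructed)

def demo():
    before = evaluate(nsg, "Tcp", CLIENT, 8080)   # no rule for 8080 yet
    ping = evaluate(nsg, "Icmp", CLIENT, 0)       # ICMP never matches a Tcp rule
    # Allow 8080 only from a known client range rather than from "*".
    fixed = nsg + [Rule("Allow-GeoServer", 310, "Tcp", "203.0.113.0/24", "8080", "Allow")]
    after = evaluate(fixed, "Tcp", CLIENT, 8080)
    other = evaluate(fixed, "Tcp", "198.51.100.7", 8080)  # outside the allowed range
    return before, ping, after, other

if __name__ == "__main__":
    for result in demo():
        print(result)
```
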

Can't get Azure Virtual Machine to serve websites

I've just set up a windows azure VM and installed IIS on it.
When I remote desktop onto the box I can see the default IIS website fine but I can't get this to serve on the web from the IP address of the box.
I've opened up port 80 on windows firewall and also added an endpoint for port 80.
I've tried to access it with the firewall completely turned off also but to no avail...
I can't work out if there is anything else I need to do to get this working?
Add endpoints for port 80 (http) and port 443 (https) to the VM in the Azure portal (tip: this can be automated with powershell or the Azure cli).
Remote desktop to the machine. Open the Windows firewall control panel and allow traffic to port 80 (http) and port 443 (https) or just turn it off ... the firewall is ON by default (tip: can also be scripted through the VM agent / powershell).
Go to the Azure portal and find the cloudapp.net subdomain for your VM (actually the cloud service) your VM is running under. Try accessing the site with that domain. If that doesn't work, try browsing to http://localhost on the server (remote desktop) to make sure IIS works and troubleshoot from there.
Modify the DNS records of your custom domain to use a CNAME to the .cloudapp.net domain. If you need A records make sure to use the public IP of the cloud service (just ping the .cloudapp.net domain to find it or look in the Azure portal).
You might want to look into Azure Websites or Azure Cloud Services (web roles). Those are a lot easier to manage and a lot cheaper. They still offer most of the functionality.
What fixed the issue for me was to go into the Azure Portal, browse to 'Network Security Groups', select the VM and then create an inbound rule to allow traffic to port 80.
Note: Also ensure that the inbound rule to port 80 is added and enabled on the actual VM.
Well, I deleted the existing VM and Cloud service and started again - all worked fine out of the box this time.
How annoying! The only thing I did notice was that before my cloud service had the same name as my VM - this time they had different names so that might have been what was causing the issue.
Cheers
For the newer VMs and pre-configured setups (2015+), it's possible your setup is using an Azure asset called "Public IP". If so, you can set a custom DNS name label in it, inside "Configuration". Note that this name will consider any type of region used when creating the VM (e.g. my-site.brazilsouth.cloudapp.azure.com).
It's good to remember that for testing purposes, it still suffices to use the value of the public IP that is randomly designated to you.
The VMs are actually accessed via a Cloud Service (well they are for me). Azure created a Cloud Service automatically to be the scaling engine/load balancer on the front of the VM. I have to connect to the web site via that cloud service, not the VM directly.
It's possible you were using the internal IP rather than the external IP.
The sites have to use the internal IP address in the bindings section of IIS. However, in your DNS you will need to use the external IP. This is presumably since the 'internal IP' is just a virtual one that Azure uses to map traffic from the external network to the VMs inside Azure.
You should find both the internal and external IPs are visible on the VM's desktop.
Switch off TLS 1.3 in the Registry Editor.
This is what worked for me as of writing this in Mar 2021.
