I have created Azure Virtual Network with address space 10.50.50.0/23, in it, I have created 5 subnets - 10.50.50.0/26, 10.50.50.64/26, 10.50.50.128/26, 10.50.51.0/26 and 172.16.0.0/26, on top of this network I have created Virtual Network Gateway (VPN) with point to site 10.99.99.0/25, I would like to limit routing only to 2 subnets 10.50.51.0/26 and 10.50.51.64/26 - for doing that I've added --custom-routes for only those two network ... but still in my client I've saw routing to whole network range (10.50.50.0/23), same after creating new route table and creating new hop's ... any idea how to modify that ?
If you want to limit the route on the client, you should add a route on the client instead of the Azure virtual network. In fact, you can find the route of the VPN client in the file VpnSettings.xml of the folder Generic from VPN client downloaded folder.
The file VpnSettings.xml will like this:
<?xml version="1.0"?>
<VpnProfile xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<VpnServer>azuregateway-xxxxx-xxx.vpn.azure.com</VpnServer>
<VpnType>SSTP</VpnType>
<CaCert>xxxxx</CaCert>
<Routes>10.0.0.0/16</Routes>
<Auth>EAPTLS</Auth>
<VnetName>example-network</VnetName>
<VnetId>06e10077-xxxx-xxxx-84d6-5aa4db8b6752</VnetId>
<ServerCertRootCn>DigiCert Global Root CA</ServerCertRootCn>
<ServerCertIssuerCn>DigiCert Global Root CA</ServerCertIssuerCn>
<VpnClientAddressPool>192.168.100.0/24</VpnClientAddressPool>
<AadIssuer />
<AadTenant />
<AadAudience />
<CustomDnsServers />
</VpnProfile>
You could try to modify the route to <Routes>10.50.51.0/26,10.50.51.64/26</Routes> then you could reinstall the VPN client package like VpnClientSetupAmd64.exe.
In addition, you can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.
Confirmed with Microsoft, currently not supported.
Related
I have a template that sets up an Azure service fabric cluster successfully. However, in order to complete the configuration, I need to open the NSG to the internet to access download.microsoft.com:80. This is forbidden in a production environment. So far I have identified 23.40.68.76, 23.195.64.241, 23.66.100.156 as the possible IP's for download.microsoft.com.
The reason is due to ServiceFabricNodeBootstrapAgent attempting to download a Service fabric update:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="ServiceFabricNodeBootstrapAgent" />
...
- <EventData>
<Data>Downloading fabric cab from http://download.microsoft.com/download/3/1/F/31F3FEEB-F073-4E27-A98B-8E691FF74F40/ServiceFabric.6.5.676.9590.cab to C:\windows\TEMP\ServiceFabric.6.5.676.9590.cab</Data>
</EventData>
</Event>
I only have accesss to the vNet and NSG. The vNet is peered to a site network. Internet access is not allowed.
I need to be able to redirect this traffic to a impersonated site. I thought I could use the host file and redirect the traffic, but “download.microsoft.com” is a special url.
Is there a work-around strategy for this problem ?
Got answer from MS. They want me to open the firewall so the servers can download from port 80. This is a known issue. They might fix it in the future. Might not.
Consider using Azure Firewall instead of the NSG to manage traffic. It is a Layer-7 firewall, that has a feature to allow or block traffic, based on the domain name.
I have a worker role that hosts an ApiController, and it currently communicates with the public internet via http and https input endpoints I've defined in its Service Configuration file.
I would like to put this API behind an Azure APIM API, and have all traffic go through there, rather than hitting the worker role directly. I'm most of the way there, but am having trouble ensuring the worker role can't be hit directly from the public internet.
Currently:
I've created an ARM virtual network, and an Azure APIM API
I've configured our API to run on the ARM virtual network
I also created a classic virtual network and configured our worker role to deploy to it
I've defined a peering in the ARM virtual network between it and our classic virtual network
The API's Web service URL is set to the Cloud Service's Site URL value
Our worker role configuration file currently has http and https input endpoints that can be hit from the public internet
I currently have a url that maps to the Virtual IP (VIP) address of my API Management service, and can successfully make requests to my API via that url.
I believe the best way for me to prevent my worker role from being accessed directly from the public internet would be defining Access Control List rules in its configuration file that would only allow calls originating from my APIM API. It would look something like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="?" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>
I'm not sure what the correct value would be for the remoteSubnet property. I tried entering the Address space value of my ARM Virtual Network (which my APIM API resides on), but that didn't seem to work, test calls returned a 500 status.
Is this the right approach? Also, is there a way to ensure that my APIM API makes a call directly through the peered virtual networks? Right now I believe it's still going through the public internet.
I was on the right track. The only thing I needed to change was the value of remoteSubnet. Rather than the address space of the ARM virtual network, I needed to include the API Management service's VIP. The relevant section of the .cscfg file looked like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="<VIP address of APIM service>/32" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>
We are trying to add a second ExpressRoute connection to a vNet in an Azure subscription. We have already successfully completed the connection to our first ExpressRoute (we are using the Exchange Provider method) using a combination of the virtual network GUI and powershell cmdlet tools.
However... the GUI only supports adding one site-to-site VPN via ExpressRoute.
The method for adding a secondary site-to-site connection is to export the network configuration (via the Azure portal) and edit the resulting NetworkConfig.xml file - and then re-import this via the portal.
All good, in theory.
The NetworkConfig.xml file exported from the gui:
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="XXXX">
<Connection type="Dedicated" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
In conjunction with MS Support (with whom we are still engaged), we determined the following should work:
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="XXXX">
<Connection type="Dedicated" />
</LocalNetworkSiteRef>
<LocalNetworkSiteRef name="YYYY">
<Connection type="Dedicated" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
However, attempting to import this generates the following error message:
"The gateway in virtual network site XXX-XXX-XX referenced multiple local
network sites and uses a connection type different than 'IPsec' for at
least one of the connections. If a gateway references more than one local
network site, the connection type to all local network sites must be
'IPsec'. 'IPsec' is the default connection type."
This appears to suggest multiple ExpressRoute connections on a single vNet are not supported, which would be contrary to the MS FAQ here:
Can I have one virtual network connected to more than one ExpressRoute
circuit?
Yes. You can link a single virtual network with up to 4 ExpressRoute
circuits. All ExpressRoute circuits must be in the same continent. They
can be ordered through different service providers and in different
locations.
(from https://azure.microsoft.com/en-us/documentation/articles/expressroute-coexist/)
Does anyone have any idea how we should proceed?
Thanks
You can accomplish this task using APIs. You can link up to 4 ExpressRoute circuits to a virtual network. You can do this by linking the same vnet to multiple circuits. Below is a sample
new-azurededicatedcircuitlink -servicekey <skey1> -vnetname <vnet>
new-azurededicatedcircuitlink -servicekey <skey2> -vnetname <vnet>
In the above example skey 1 and skey 2 represent different circuits.
I am planning to enable Azure Cloud Service and On Premise environment connection using Site To Site Connectivity.
Here are specific details that i want to know
1. What would be required from On Premise network team in terms of
enabling the connection?
2. How do i setup and enable the connection on every deployment build that i do for my Azure cloud service?
3. What are the ways to troubleshoot if the connection is down?
Basically you'll need a Virtual Network with a VPN to your on premise. After that, you'll add your cloud service to this virtual network. You can do that editting your ServiceConfiguration (.cscfg file)
<ServiceConfiguration serviceName="<service-name>" osFamily="<osfamily-number>" osVersion="<os-version>" schemaVersion="<schema-version>">
<Role …>
…
</Role>
<NetworkConfiguration>
…
</NetworkConfiguration>
</ServiceConfiguration>
To monitor the traffic you'll just need to watch the Virtual Network dashboard. You'll see data in / out and if connection of the VPN is down.
More info in here:
http://blogs.technet.com/b/askpfeplat/archive/2014/03/03/connect-an-on-premises-network-to-azure-via-site-to-site-vpn-and-extend-your-active-directory-onto-an-iaas-vm-dc-in-azure.aspx
How would one make a TCP connection from an Azure PaaS hosted Web Sites to a Worker Role? That's deployed in one virtual network. Can this be done without opening an Input Endpoints, Internet facing port on the worker role? It looks like WebSites cannot currently be part of virtual network deployments as per Azure Virtual Network FAQ:
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
If it helps discussion, I have the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
<edit: I found a really good post regarding this matter Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint to the worker role and then restrict access to it only from the WebSites deployment. However, it looks like a lot of work to do, and hops over the networking elements like a load-balancer, and perhaps I'd need to find out the Web Sites deployment IP.
Am I off-base and there's a simple way to connect a WebSites to a Azure computer role via TCP connection?
Network configuration
<VirtualNetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
</DnsServers>
</Dns>
<VirtualNetworkSites>
<VirtualNetworkSite name="XyzVNet" Location="North Europe">
<AddressSpace>
<AddressPrefix>10.0.0.0/8</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Sub1">
<AddressPrefix>10.0.0.0/11</AddressPrefix>
</Subnet>
</Subnets>
<DnsServersRef>
<DnsServerRef name="XyzVnetDns" />
</DnsServersRef>
</VirtualNetworkSite>
</VirtualNetworkSites>
Cloud service configuration
<NetworkConfiguration>
<VirtualNetworkSite name="XyzVNet" />
<AddressAssignments>
<InstanceAddress roleName="Xyz.ComputeRole">
<Subnets>
<Subnet name="Sub1" />
</Subnets>
</InstanceAddress>
</AddressAssignments>
You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACL's) on the worker role's input endpoints.
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.
There are now two ways to connect to resources in your Azure VNET from your Azure Website. You can find details written up in several blogs.
The Hybrid Connections capability involves you downloading a relay agent that can access both Azure and your desired endpoint. This works for access to resources in your VNET or in any other network for that matter. You can install the agents on premise to enable TCP access to resources there. Each Hybrid Connection endpoint you define can only provide access to a single host:port. You can have 5 endpoints for free and if you need more you can pay to get them.
The VNET Integration capability allows you to access resource in your VNET. Under the cover it is using point to site technology to do this so your VNET needs a dynamic routing gateway and you need point to site to be enabled. If you also use site to site VPN to connect your on premise network to your VNET you can then access on premise resources.
None of these methods provide private access to your website. They only are intended to enable your website to access resource in other networks. Both features are also currently in preview and are being improved upon.
If you would like details on either there are a number of blogs and documents online. For an example you can refer to this one: using vnet or hybrid connections with Azure websites