How to use another machine within Azure P2S VPN as a gateway? - azure

I have configured Azure P2S IKEv2 VPN and downloaded the VPN client (on the machine it shows as a PPP adapter) onto 2 machines, one each in different countries. Say our IP addresses are 170.10.10.121 & 170.10.10.122. From here on we'll call the site with the .121 machine site A.
My machine (.122) would like to use (.121) as a gateway, so that I could browse the internet on my computer using site A's public IP address. Is this possible or have I got this terribly wrong?
My end goal is that we have multiple sites (B, C, D) that would like to use the internal network as well as access the public internet using site A. This site has a dynamic IP address for public internet and port forwarding is not an option as the ISP is non-cooperative.
As shown in the picture below, machines PC-B-1, PC-C-1 and PC-D-1 are trying to use PC-A-1 as a gateway to access the internet through Site A.
Thanks.

What you need to do is install the P2S client on all PCs in all sites and set up a FW/NVA in Azure and route the traffic through that one, or set up S2S from all sites to Azure and route the traffic to a FW/NVA in Azure. Basically you will need an NVA/FW in Azure to get the same IP for all computers. You can't use a P2S as a gateway.
Preferred solution is to set up S2S VPN with an NVA to get the same IP.
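An added example of the first option in the answer above (P2S on every PC, Internet egress through an NVA in Azure), written in Azure PowerShell; it is not code from the original thread. The resource group, region, VNet and gateway names and the NVA's private IP 10.0.1.4 are assumptions. The NVA itself must have IP forwarding enabled on its NIC and must SNAT outbound traffic to its public IP; that part is not shown here.

```powershell
# Added example (not from the original answer): force P2S client Internet traffic
# through an NVA/firewall in Azure so every site egresses with the NVA's public IP.
# Resource names, the region and the NVA's private IP are assumptions.
$rg       = 'rg-hub'
$location = 'westeurope'
$vnetName = 'vnet-hub'
$gwName   = 'vpngw-hub'
$nvaIp    = '10.0.1.4'    # private IP of the NVA NIC; IP forwarding must be enabled on it

# A 0.0.0.0/0 custom route cannot be advertised to P2S clients, so the default route is
# split into two halves that together cover all of IPv4. The same two prefixes are used
# in the GatewaySubnet route table so client traffic is handed to the NVA.
$halves = '0.0.0.0/1', '128.0.0.0/1'

# 1. Route table on the GatewaySubnet: traffic arriving from P2S clients goes to the NVA.
$routes = foreach ($prefix in $halves) {
    New-AzRouteConfig -Name ('to-nva-' + ($prefix -replace '[./]', '-')) `
        -AddressPrefix $prefix -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
}
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-gatewaysubnet' -Route $routes

$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
# Do NOT associate this table with the NVA's own subnet, or its egress loops back to itself.

# 2. Advertise both halves to the P2S clients so they tunnel everything instead of split-tunnelling.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $halves | Out-Null

# 3. Verify what the gateway now pushes to connecting clients.
(Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName).CustomRoutes.AddressPrefixes
```

Clients must reconnect (or re-download the VPN client package) before the new custom routes take effect on them; until then their Internet traffic still leaves through the local ISP.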

So this is the setup I am using as a work around.
Since setting up a S2S is not an option for lack of infrastructure and lack of time,
as given in the question, I installed P2S VPN agents on all the machines that are involved, from the machine whose internet we wanted to be used by others (in site A) to all the other machines (in B, C, D). Now that all the machines are in the Azure Vnet, I installed the WinGate application on the Site A machine and activated the proxy.
Then I configured the proxy on the rest of the machines in sites B, C and D to proxy through the machine in Site A using its Azure Vnet IP address.
Machines involved are all Windows 10.
This might not be the best solution, but given the extraordinary list of limitations this was definitely the quickest and easiest.
Let's see if we can get better and quicker solutions for the same :)
Meanwhile thanks for all the suggestions :)
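An added example, not the poster's own configuration, of how the proxy hop described in the workaround above can be set up and checked from PowerShell on the Windows 10 machines. It assumes WinGate listens on TCP 8080, that the Site A machine's VPN address (from the P2S pool) is 172.16.201.4, that the P2S client pool is 172.16.201.0/24 and that the Azure Vnet is 10.1.0.0/16; none of these values are in the post. The firewall rule on the Site A machine is the check a practitioner wants here: a proxy that accepts connections from any address is an open proxy, so the listener is limited to the VPN pool.

```powershell
# Added example (not the original poster's configuration). Assumed values:
#   Site A machine's P2S address 172.16.201.4, WinGate on TCP 8080,
#   P2S client pool 172.16.201.0/24, Azure Vnet 10.1.0.0/16.
$proxyHost  = '172.16.201.4'
$proxyPort  = 8080
$poolPrefix = '172.16.201.*'   # P2S client pool, wildcard form for the proxy bypass list
$vnetPrefix = '10.1.*'         # Azure Vnet: stays direct over the VPN, not via the proxy

# --- On the Site A machine (runs WinGate) ---------------------------------------
# Accept proxy connections only from VPN peers. Windows Firewall's default inbound
# action is Block, so no extra deny rule is needed (and a Block rule would win over
# this Allow anyway, so do not add one).
New-NetFirewallRule -DisplayName 'WinGate proxy from P2S pool only' -Direction Inbound `
    -Protocol TCP -LocalPort $proxyPort -RemoteAddress '172.16.201.0/24' -Action Allow | Out-Null

# --- On each machine in sites B, C and D ------------------------------------------
# 1. Confirm the P2S adapter is up and holds an address from the client pool.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -like $poolPrefix }
if (-not $vpnAddr) { throw 'P2S VPN is not connected: no address from the client pool found.' }

# 2. Confirm the proxy port answers through the tunnel before switching the proxy on.
if (-not (Test-NetConnection -ComputerName $proxyHost -Port $proxyPort -InformationLevel Quiet)) {
    throw "Cannot reach ${proxyHost}:$proxyPort over the VPN."
}

# 3. Per-user (WinINET, used by browsers) proxy with a bypass list, so Vnet and
#    VPN-pool traffic goes direct and only Internet-bound traffic uses Site A.
$bypass = "<local>;$vnetPrefix;$poolPrefix"
$inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer   -Value "${proxyHost}:$proxyPort"
Set-ItemProperty -Path $inet -Name ProxyOverride -Value $bypass

# 4. System-wide WinHTTP proxy (services, Windows Update, etc.) with the same bypass list.
netsh winhttp set proxy proxy-server="${proxyHost}:$proxyPort" bypass-list="$bypass"
netsh winhttp show proxy
```

The bypass list is what keeps the "internal network" goal working: addresses in the Vnet and the VPN pool are reached directly over the tunnel, and only the rest is sent through Site A's proxy.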

route cloud static IP to home private network

I have my own servers and have hosted a few services (game servers, web servers, ...), and used to host these on a publicly accessible dynamic IP using DuckDNS.
I have recently moved to a rural area and use a satellite service for my internet that does not support a publicly accessible IP address.
I would really like to host these things again, but the only way I can think of doing that is to have an IP somewhere in the cloud and route that back into my network. I have been messing around in Azure but I can't seem to get what I want working. I am not stuck on Azure, it just happens to be the one I am messing about with.
I have pfSense as my router, so I can set up a VPN client on that and pretty much keep that alive indefinitely, so here is what I am thinking and I hope someone can point me in the right direction, or if you like, poke holes in the idea.
I configure a VPN client on pfSense to be a WAN interface
create a VPN gateway in the cloud
connect pfSense VPN client to the VPN gateway
create a static external IP in the cloud
route traffic from the external IP through the VPN back to my pfSense server and into my internal network
once I get the traffic coming into pfSense, I can route to computers / VMs on my internal network.
This way, I do not need a publicly accessible IP from my ISP, I can connect to the Azure and use its external IP and route back through the VPN to my internal network.
If this was real hardware, I would have had this built in 30 minutes, seems this virtual world is messing me up.
Any ideas on how to configure this or maybe another solution?
I am struggling with the whole Azure setup and have watched hours of videos about each of the bits in Azure, but I am lacking some key bits of knowledge to bring this together.
If you know what you are doing with pfSense...
cloudfanatic.net
$2.99 US a month for a VPS running pfSense. They will spin up a VPS with pfSense on it at no extra charge. Open an account, send support an email.
Gives you a static permanent IP. Shared 1GB Internet link. No data limits. I see between 150 and 500Mbps. Perfectly fine for what I use it for.
Wireguard on that pfSense, people connect in, etc...
I've been using it for about 6+ months. Been very impressed.

Is it possible for a Azure Container App to access on-prem network share using a UNC path?

Hey all I've been trying to look into whether this is possible or not.
I was working with Infra-Engineering to set up a VNet with peering to the on-prem network. Everything was smooth sailing until we found out that the Azure Sandbox for Function Apps blocks the SMB ports. I saw a reply on this thread: https://learn.microsoft.com/en-us/answers/questions/290531/how-can-i-access-a-on-premise-network-file-share-d.html
that if we use a Container App that we would not have this restriction. Can anyone corroborate this? I just want to get some insight before committing to trying this out.
In short - you need a VPN/ExpressRoute connection to on-premises, the container app needs to be in a VNet peered with the VPN VNet (if separated), a DNS server able to resolve on-premises DNS records; if there are firewalls or NSGs involved you will also need access rules there, and obviously the IP address ranges need to be routed (BGP or static) and should not overlap.
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-container-apps-virtual-network-integration/ba-p/3096932
https://learn.microsoft.com/en-us/azure/architecture/hybrid/hybrid-dns-infra
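The last requirement in the answer above, non-overlapping address ranges, is the one that is cheapest to check before anything is built and most expensive to fix afterwards. The following is an added example, not code from the thread: a pure PowerShell overlap check (no Azure module needed) run over a constructed sample plan of VNets, the P2S client pool and two on-premises ranges; the ranges are made up for illustration.

```powershell
# Added example (not from the original answer): detect overlapping IPv4 address spaces
# in a hybrid plan before creating the VPN/peering. Sample ranges are constructed.

function ConvertTo-AddressNumber([string]$ip) {
    # IPv4 dotted quad -> integer; kept as [long] to avoid signed 32-bit wraparound.
    $b = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-CidrRange([string]$cidr) {
    # Returns the first and last address of the block as numbers (network address is
    # derived, so '10.1.50.7/24' is treated as 10.1.50.0/24).
    $addr, $len = $cidr.Split('/')
    $size  = [long][math]::Pow(2, 32 - [int]$len)
    $start = [long][math]::Floor((ConvertTo-AddressNumber $addr) / $size) * $size
    [pscustomobject]@{ Cidr = $cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap([string]$a, [string]$b) {
    # Two ranges overlap when each starts no later than the other ends.
    $x = Get-CidrRange $a; $y = Get-CidrRange $b
    ($x.Start -le $y.End) -and ($y.Start -le $x.End)
}

function Find-OverlappingRanges([hashtable]$spaces) {
    # $spaces maps a name to a CIDR. Emits every overlapping pair; no output means the
    # plan is routable without NAT.
    $names = @($spaces.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            if (Test-CidrOverlap $spaces[$names[$i]] $spaces[$names[$j]]) {
                [pscustomobject]@{
                    A = "$($names[$i]) $($spaces[$names[$i]])"
                    B = "$($names[$j]) $($spaces[$names[$j]])"
                }
            }
        }
    }
}

# Constructed sample plan: hub VNet, Container Apps VNet, P2S pool, two on-prem sites.
$plan = @{
    'vnet-hub'           = '10.0.0.0/16'
    'vnet-containerapps' = '10.1.0.0/16'
    'p2s-pool'           = '172.16.201.0/24'
    'onprem-site-a'      = '192.168.0.0/16'
    'onprem-site-b'      = '10.1.50.0/24'   # clashes with the Container Apps VNet
}
Find-OverlappingRanges $plan | Format-Table -AutoSize
```

With the sample plan the only pair reported is onprem-site-b against vnet-containerapps; the fix is to renumber one side, not to add a more specific route, because the on-premises hosts in 10.1.50.0/24 would otherwise be unreachable from the VNet that owns 10.1.0.0/16.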

Is it possible make requests to the server from another network

To elaborate more on the title (that I know is confusing, I would appreciate it if someone made it better):
I need to connect a PC that is outside the office to the server that is being hosted on Azure,
but only the calls being made from the office IP are trusted by the server.
I need to be able to connect to it from off the premises, on my laptop.
Is there any way to do this, with a vpn or something like that?
I think the easiest way to achieve your goal without exposing the VM to the public Internet is Point-to-site VPN:
You add and configure a VPN gateway on the Azure Virtual Network where the VM is placed
You allocate a private address space to Point-to-site connections and authorize its IP range at the VM level (Security Group, Firewall or any other method that you use to protect the traffic in Azure)
You install a VPN client on your laptop and connect to the VM with its private IP address
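The three steps in the answer above, carried out in Azure PowerShell as an added example (not code from the thread). Assumed names: resource group rg-app, VNet vnet-app with VM subnet snet-vm (10.2.1.0/24), gateway vpngw-app, P2S pool 172.16.201.0/24 and the server listening on TCP 443. The NSG is the "authorize its IP range at the VM level" step: the only allow rule is for the pool, so the laptop connects over the tunnel with a pool address while the public Internet still cannot reach the port.

```powershell
# Added example (not from the original answer). All names and ranges are assumptions.
$rg = 'rg-app'; $location = 'westeurope'
$pool = '172.16.201.0/24'        # private address space handed to P2S clients
$vmSubnet = '10.2.1.0/24'

# 1. P2S client address pool on the existing gateway (must not overlap the VNet or on-prem ranges).
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-app'
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool $pool | Out-Null

# 2. NSG: allow the server port only from the pool. Nothing allows it from Internet, so
#    the built-in DenyAllInBound rule (priority 65500) drops everything else.
$allowVpn = New-AzNetworkSecurityRuleConfig -Name 'allow-443-from-p2s' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $pool -SourcePortRange '*' `
    -DestinationAddressPrefix $vmSubnet -DestinationPortRange 443

# Explicit deny from Internet at priority 200, so a later allow-from-anywhere rule added
# at a higher number can never reopen the port: rules are evaluated lowest number first.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-443-from-internet' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix $vmSubnet -DestinationPortRange 443

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-snet-vm' `
    -SecurityRules $allowVpn, $denyInternet

# 3. Attach the NSG to the VM subnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vm' `
    -AddressPrefix $vmSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Review the rule set: only 443 from the pool is allowed, Internet is explicitly denied.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-snet-vm').SecurityRules |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

After the laptop connects with the VPN client it reaches the server on its private address; the server sees the connection coming from a 172.16.201.x address, which is what the NSG trusts.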

Best network design for company with remote offices that need to go through 1 public facing interface

I received a call from a business owner. One of his services will only license and whitelist one public IP, while he has three locations. When I got involved they were trying to spin up an OpenVPN appliance and have site-to-site VPNs to the remote locations. Well, the remote locations have Fortigate firewalls and I believe this will not work with the SSL VPN of OpenVPN.
I would like to recommend something with Azure or AWS but I am unclear on the best VPN setup with Azure. Essentially he will need all remote sites exiting to the internet through Azure.
Late last night I tried to test with an AWS VPC and a VPN back to the Fortigate. The client later expressed he would rather not use AWS.
I also recommended this https://forum.fortinet.com/m/tm.aspx?m=148626&p=
but he did not want to bottleneck one of his locations.
All sites exiting Azure out of one IP address
If you have 3 sites in Azure, you can make all 3 sites exiting Azure with one VPN gateway IP for the same destination.
You need to configure VNet-to-VNet peering and enable Gateway Transit to make it work. Can you also elaborate your ask here with a network diagram?
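The peering with gateway transit the answer refers to, as an added Azure PowerShell example (not code from the thread). It assumes a hub VNet vnet-hub that already contains the VPN gateway, two spoke VNets vnet-site-b and vnet-site-c, and resource group rg-net; all names are assumptions. The flags matter: AllowGatewayTransit on the hub side and UseRemoteGateways on the spoke side share the gateway, and AllowForwardedTraffic on both sides is what lets traffic that an NVA in the hub forwards be accepted.

```powershell
# Added example (not from the original answer): hub-and-spoke peering with gateway transit.
# vnet-hub holds the VPN gateway; the spokes reach on-premises through it. Names are assumptions.
$rg     = 'rg-net'
$hub    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spokes = 'vnet-site-b', 'vnet-site-c'

foreach ($name in $spokes) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $name

    # Hub side first: offer the gateway to this spoke and accept traffic forwarded by the hub NVA.
    Add-AzVirtualNetworkPeering -Name "hub-to-$name" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

    # Spoke side: use the hub's gateway. This fails if the hub has no gateway yet, and a
    # spoke using a remote gateway cannot have a gateway of its own.
    Add-AzVirtualNetworkPeering -Name "$name-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null
}

# Both directions must show PeeringState 'Connected'; 'Initiated' means the other side is missing.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-hub' |
    Select-Object Name, PeeringState, AllowGatewayTransit, AllowForwardedTraffic | Format-Table -AutoSize
```

Peering shares the gateway; it does not by itself give the spokes a single Internet egress IP. For the licensing requirement in the question the sites' Internet-bound traffic still has to be routed to one NAT point in the hub (a firewall/NVA or NAT gateway), which is the same "NVA in Azure" design the first thread on this page arrives at.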

Azure VMs Virtual Network inter-communication

I'm new to Azure (strike 1) and totally suck at networking (strike 2).
Nevertheless, I've got two VMs up and running in the same virtual network; one will act as a web server and the other will act as a SQL database server.
While I can see that their internal IP addresses are both in the same network I'm unable to verify that the machines can communicate with each other and am sort of confused regarding the appropriate place to address this.
Microsoft's own documentation says
All virtual machines that you create in Windows Azure can automatically communicate using a private network channel with other virtual machines in the same cloud service or virtual network. However, you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
So why can't the machines at least ping each other via internal IPs? Is it Windows Firewall getting in the way? I'm starting to wonder if I've chosen the wrong approach for a simple web server/database server setup. Please forgive my ignorance. Any help would be greatly appreciated.
If both machines are in the same Virtual Network, then just turn off Windows Firewall and they will be able to ping each other. The other way is to just allow all incoming ICMP traffic in Windows Firewall with Advanced Settings.
However, there is a trick. Both machines will see each other by IP address, but there will be no name resolution in such a Virtual Network. Meaning that you won't be able to ping by name, but only by direct IP address. So, if you want your website (on VM1) to connect to SQL Server (on VM2), you have to address it by full IP address, not machine name.
The only way to get name resolution within a Virtual Network is to use a dedicated DNS server, which you maintain and configure on-premises.
This article describes in details name resolution scenarios in Windows Azure. Your particular case is this:
Name resolution between virtual machines and role instances located in the same virtual network, but different cloud services
You could potentially achieve name resolution if you put your VMs in the same cloud service. Thus you will not even require a dedicated virtual network.
If your VMs are inside a Virtual Network in Azure, then you have to make sure of two things:
Required port is enabled.
Firewall is disabled on the server.
I was trying to connect to one VM where the SQL Server DB was installed from another VM. I had to enable port 1433 on the VM where SQL was installed. For this you need to add an MSSQL endpoint to the VM in the Azure management portal. After that I disabled Windows Firewall. Then I was able to connect to the VM from the other one.
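The "Advanced Settings" alternative the first answer mentions, as an added example (not code from either answer), scoped rather than wide open: allow ICMP echo from the Virtual Network and TCP 1433 only from the web VM's private address, leaving Windows Firewall on. It assumes the Virtual Network is 10.0.0.0/16, the web VM is 10.0.0.4 and the SQL VM is 10.0.0.5, and that the SQL VM runs Windows Server 2012 or later (the NetSecurity cmdlets are not available on 2008 R2); these values are not in the question.

```powershell
# Added example (not from the original answers): run on the SQL Server VM. Allows only what
# the two VMs need from each other instead of disabling the firewall. Addresses are assumptions.
$vnet  = '10.0.0.0/16'
$webVm = '10.0.0.4'

# ICMP echo request (type 8) from anywhere in the Virtual Network, so the ping test works.
New-NetFirewallRule -DisplayName 'ICMPv4 echo from VNet' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $vnet -Action Allow | Out-Null

# SQL Server default instance: only from the web VM's private IP, not the whole VNet
# and not the Internet.
New-NetFirewallRule -DisplayName 'SQL 1433 from web VM' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $webVm -Action Allow | Out-Null

# Show the scope each rule actually got (RemoteAddress should be the VNet / the web VM only).
Get-NetFirewallRule -DisplayName 'ICMPv4 echo from VNet', 'SQL 1433 from web VM' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = $addr.RemoteAddress }
    } | Format-Table -AutoSize

# From the web VM, verify by private IP (name resolution is not available, as the first
# answer notes):  Test-NetConnection -ComputerName 10.0.0.5 -Port 1433
```

Keeping the rules scoped to private addresses means that even if a public endpoint for 1433 exists on the VM, the host firewall still rejects connections that do not originate from the web VM.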
