The Problem
I'm trying to understand more about networking, firewalls, and IP ranges to help me solve a few real-life problems. The problem I ran into is that the SQL server I'm connecting to has a firewall which can list individual IP's or IP ranges, but my ISP changes my IP fairly frequently, which means that whitelisting my current IP is a temporary solution and I'll eventually be disconnected.
The Question
If I wanted to stabilize my IP and make it so that it comes from a predetermined range (or even a single static IP), would the best way of doing that be to make a virtual network that I can VPN into that has a specified range of IP's? Or is there any easier solution?
Details
I'm interested in the answer at a broad level, but the specific database I'm connecting to is on Azure. Hence, my thought process would be to create a Virtual Network and and a Virtual Network Gateway, which I would connect to using a standard VPN connection tool like Hamachi or Open VPN. I'm assuming then that I could open up a tool like PGAdmin and connect to the database, because the database would consider the incoming connection to be from the IP range that I've whitelisted and that the Virtual Network sits on. Is this accurate?
As you stated, if there is a public IP range from your on-premise outbound traffic, you just need to whiltelist the IP list on the firewall of Azure SQL database server. It is a simple method.
If you want to block the public endpoint from on-premises machines, you can use private endpoint for Azure SQL database. Read On-premises connectivity over private peering for more details.
With Private Link, customers can enable cross-premises access to the
private endpoint using ExpressRoute, private peering, or VPN
tunneling. Customers can then disable all access via the public
endpoint and not use the IP-based firewall to allow any IP addresses.
Related
Hope you are all safe!!!
I have a live project running on Azure Environment.
As part of data checking when i tried to access the Database using the SSMS in my machine, Everytime I need to white list my IP.
Since it is an intranet domain IP changes everyday.
Is there any solution to permanently enable my IP using mac address or something. So that i can jump over this IP Whitelisting.
IP whitelisting (as the name already suggests), does not work on MAC address basis. What you could do as an alternative is to use a Point-to-Site VPN from your machine into an VNET in Azure. Then you should be able to leverage Private Endpoints (aka Private Link) to allow connections to your database from that VNET. https://samcogan.com/service-endpoints-and-private-link-whats-the-difference/
I'm using SSMS to connect to Azure DB from my laptop. I have provided my laptop IP address in "Set server firewall". However, each time when connecting from SSMS it's considering my public IP address, instead of laptop IP.
My questions are:
why is it not considering my Laptop IP?
How safe is it to configure a public IP address in Azure's "set server firewall"? Will not it possible someone having same public IP can able to connect to Azure DB?
How the Azure DB can be configured so that it should account the request from my laptop IP only?
Azure PaaS service has a public endpoint, so it means that you cannot connect to them from your private IP, you must configure your Azure PaaS with your public IP. There is an option to make a public endpoint as a private endpoint using a private link, vpn point to site, virtual network gateway. Please, have a look at this article for more details.
You can keep security your connection from public IP using Azure PaaS firewall once your connection from your source to azure allows only you public IP, but you have to change this IP in firewall for each time your IP is renewed in case it is dynamic. For the best practice you should consider a private link or a Azure Instance Manager SQL which has more option, but it is more expensive then Azure PaaS SQL.
To help you answer these questions, we first must consider the network topology involved. Your laptop is likely connected to a wireless access point which is connected to a network switch. All traffic on the switch (or series of switches depending on the location you are at) uses a private IP addresses to communicate. These addresses cannot be routed on the public internet. In order for you to access the Azure SQL Database which sits on a different private network then your laptop, it had to travel over the public internet. This means your traffic is going through a series of routers and in order for the connection to correctly route between you and Azure, it needs your public IP address.
It is safe to a certain point. The Azure SQL Server you are connecting too uses SSL/TLS to encrypt the traffic so communication over the public web is encrypted. Your concern for essentially spoofing the public IP is valid which is why it is crucial to make sure you have selected a strong password for the SQL login. Microsoft also deploys a series of edge security services that monitors for attacks on any of their services to ensure the safety of their platform and will flat out block suspected attacks.
If you want to restrict traffic so that only your laptop can be used, now we are introducing a complex but doable architecture. You will need to setup a VNet and VPN Gateway in Azure and connect the two services. You will have to then connect the Azure SQL Database to the VNet you just setup. Once completed, you will need to access the VPN from your laptop which will grant you access to the database. The actual setup isn't trivial as there are many things to take into consideration such as cost, hardware capabilities on your side and security requirements.
At the end of the day, what should drive the "right solution" should be your security requirements. For some, running via a public IP is sufficient, for others they need to access it over a VPN.
To address your comment below, I needed more space so I'm amending the solution.
Anytime you make something publicly accessible over the internet, there is a possibility for someone else to access it. The chances are lowered the more complex you make the password to the resource. If you do not have a static IP address for your internet or someone spoofs your public IP address, there is a chance an attacker will have the ability to connect to the Azure SQL Server. This is where the password complexity comes into play. The stronger the password, the harder/longer it will take to brute force their way in.
If you have time to do the research/learning on this, I'd suggest taking a look at the online training Microsoft has for the Azure Solutions Architect certification. I think it will help you to better understand the intricacies involved with building a solution such as this.
https://learn.microsoft.com/en-us/learn/certifications/azure-solutions-architect
To elaborate more on the title, (that I know is confussing, I would appretiate if someone make it better)
I need to connect a PC that is off the office to the server that is being hosted on azure,
but only the calls being made from the office IP are trusted by the server.
I need to be able to connect to it from of the premisses, on my laptop.
Is there any way to do this, with a vpn or something like that?
I think the easies way to achieve your goal without exposing VM to public Internet is Point-to-site VPN:
You add and configure a VPN gateway on Azure Virtual Network where VM is placed
You allocate a private address space to Point-to-site connections and authorize its IP range at VM level (Security Group, Firewall or any other method that you use to protect the traffic in Azure)
You install a VPN client on your laptop and connect to VM with it's private IP address
I have a case where I want to migrate on-prem servers to Azure, but I should still have the local IPs pointing to these VMs. I mean by the local IPs the country-range of IPs since these VMs should be accessed using country IPs for regulatory reasons.
I heard that this is possible, but I have no idea what type of resources I should use to allow this, VNET, VPN, ExpressRoute ?? And how to do it as I have no experience in networking what so ever.
Regards,
NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
You can setup a site-to-site VPN between on-prem and Azure Vnet, then deploy a server on-prem run as the NAT device.
It is possible, but with some complications and constraints:
You can run these servers/VMs in Azure using their public IP addresses. You need to create the Virtual Network using these address ranges, but it is possible. The catch here is that these public IP addresses are only accessible via cross premises connectivity solutions such as Azure VPN gateway or Azure ExpressRoute. You cannon access these VMs using their "public" IP addresses directly over the Internet. For this purpose, these public IP address ranges are really treated as "private addresses".
Once you create the virtual network with the public IP addresses (as private address space) in Azure, you will also need to make sure your routing in the on premises network is configured correctly to forward the traffic to these VMs over the VPN tunnels or MPLS/WAN network if you are using ExpressRoute.
If these servers/VMs need to accept requests directly from the Internet, the traffic from the Internet will still come to your on premises network because that's where your ISPs will direct the traffic. You will need to ensure these traffic will be routed correctly over the cross premises connectivity (VPN/ExpressRoute) to Azure.
Hope this helps a bit. Please let me know if this answers your question.
Thanks,
Yushun [MSFT]
I would like to use my internal exchange servers for email notifications from an azure Web Role. The role is set up on the west us region. I need to allow this role, with multiple instances, access my corporate smtp server on port 25. IS there an appropriate range of IPs that I could open up on my corporate firewall, or is there a more secure option.
We have experience setting up networks in Azure as well as VPN gateways, I am not sure that this would be part of the solution as my understanding is not broad enough to see how I could implement something that would allow secure access to corporate networks while continuing to be publicly available.
Any help or direction would be appreciated.
Thanks
Your web role has a single (and fairly static) ip address of the load balancer, but this is of no use to you as the source ip address for outgoing data will be the ip address of the particular instance. You can get hold of this address, but not easily, and it is subject to change — every time an instance recycles, or is added, the ip address will change (although the incoming ip address, of the load balancer, remains static). So you can't provide instance public ip address ranges for the corporate firewall.
If you are familiar with VPNs and private networks on Azure, then that will be your simplest option. Your worker role ip addresses will still change, but the range is more predictable, and is defined by your subnet configuration. A worker role on a private network (VPN) will have both public and private ip addresses, so will be publicly accessible, but will send to a VPN ip address via the gateway.
Another option is to do some sort of smtp relay, either on a VM in Azure, or a managed hosting service, where the ip address is more static. This would require that a machine is setup, maintained, and running, but could probably be easily done on an extra small linux vm.
Your web roles will be part of an Azure Cloud Service. That cloud service is assigned a static public IP address by Azure. No matter how many roles you add/remove from the service the public IP will remain unchanged. You can set your SMTP server to only allow requests from that IP address.