I have a template that sets up an Azure Service Fabric cluster successfully. However, in order to complete the configuration, I need to open the NSG to the internet to access download.microsoft.com:80. This is forbidden in a production environment. So far I have identified 23.40.68.76, 23.195.64.241, 23.66.100.156 as the possible IPs for download.microsoft.com.
The reason is that ServiceFabricNodeBootstrapAgent attempts to download a Service Fabric update:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ServiceFabricNodeBootstrapAgent" />
    ...
  </System>
  <EventData>
    <Data>Downloading fabric cab from http://download.microsoft.com/download/3/1/F/31F3FEEB-F073-4E27-A98B-8E691FF74F40/ServiceFabric.6.5.676.9590.cab to C:\windows\TEMP\ServiceFabric.6.5.676.9590.cab</Data>
  </EventData>
</Event>
I only have access to the vNet and NSG. The vNet is peered to a site network. Internet access is not allowed.
I need to be able to redirect this traffic to an impersonated site. I thought I could use the hosts file and redirect the traffic, but "download.microsoft.com" is a special URL.
Is there a work-around strategy for this problem?
Got an answer from MS. They want me to open the firewall so the servers can download from port 80. This is a known issue. They might fix it in the future. Might not.
Consider using Azure Firewall instead of the NSG to manage traffic. It is a Layer-7 firewall that can allow or block traffic based on the domain name.
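As an added illustration of the difference between the two approaches (this is editor-written example code, not from the question or from Microsoft), the script below evaluates the same download against an NSG-style rule set that pins the three addresses found in the question and against an FQDN-based application rule of the kind Azure Firewall evaluates. The rule tables, the flows and the "new CDN address" 203.0.113.10 are constructed for the demo.

```python
"""Added example: IP-pinned NSG rules vs an FQDN application rule for
download.microsoft.com. Rule tables and the 203.0.113.10 address are
constructed; the three pinned IPs are the ones listed in the question."""
import ipaddress

# Layer 3/4 (NSG-style) rules can only match a destination prefix and port.
NSG_RULES = [
    {"name": "allow-sf-cab-download", "priority": 100, "access": "Allow",
     "dest_prefixes": ["23.40.68.76/32", "23.195.64.241/32", "23.66.100.156/32"],
     "dest_port": 80},
    {"name": "deny-internet-outbound", "priority": 4000, "access": "Deny",
     "dest_prefixes": ["0.0.0.0/0"], "dest_port": "*"},
]

# Layer 7 (application) rule: matches the requested host name, so it does
# not care which CDN node the name resolves to on a given day.
APP_RULES = [
    {"name": "allow-sf-cab-download", "action": "Allow",
     "target_fqdns": ["download.microsoft.com"], "protocols": {"Http": 80}},
]


def nsg_decision(rules, dest_ip, dest_port):
    """First matching rule in priority order decides (NSG semantics)."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        port_ok = rule["dest_port"] == "*" or rule["dest_port"] == dest_port
        prefix_ok = any(ip in ipaddress.ip_network(p) for p in rule["dest_prefixes"])
        if port_ok and prefix_ok:
            return rule["access"], rule["name"]
    return "Deny", "implicit-deny"  # an NSG ends with DenyAllOutbound


def app_rule_decision(rules, fqdn, protocol, port):
    """Match on the requested host name, not on the resolved address."""
    for rule in rules:
        if fqdn.lower() in rule["target_fqdns"] and rule["protocols"].get(protocol) == port:
            return rule["action"], rule["name"]
    return "Deny", "implicit-deny"


def simulate(resolved_ip):
    """Outcome of the bootstrap agent's download for one DNS resolution."""
    return {
        "nsg": nsg_decision(NSG_RULES, resolved_ip, 80),
        "app": app_rule_decision(APP_RULES, "download.microsoft.com", "Http", 80),
    }


if __name__ == "__main__":
    # Works while the CDN hands out one of the pinned addresses ...
    print(simulate("23.40.68.76"))
    # ... and silently breaks the day it hands out a different one
    # (203.0.113.10 is a constructed address from the documentation range).
    print(simulate("203.0.113.10"))
```

The pinned rule set denies the download as soon as the CDN answers with an address outside the three prefixes, while the FQDN rule keeps allowing it; with plain HTTP an FQDN rule is matched on the request's Host header (Azure Firewall uses the TLS SNI for HTTPS), which is why the Layer-7 approach survives CDN address changes that an NSG cannot follow.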
Due to a recent layoff I got bombarded to Azure admin out of the blue. I am pretty new to this and haven't yet got the chance to follow an admin course.
Facing the following issue: We host a couple of websites on an Azure Windows Server VM running IIS. These are accessible through an application gateway with a public IP. I was asked to add two new listeners for a new part of the website. I created the appropriate targeting in the backend pool, created HTTP and HTTPS settings and added the listeners and rules. However, when browsing to the site, it throws a 502 error and when I check the backend health, it gives the error below.
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port.
I opened up the appropriate inbound ports on the NSG of the AZ Web interface on the VM and also on the local firewall of the server hosting IIS. AFAIK there are no additional NSG rules on the application gateway.
What am I missing here? :s
I have extensive experience working with Application Gateways and I can tell you that a 502 Bad Gateway means something is definitely wrong at the backend or misconfigured AGW settings - that's what the error says, so nothing surprising. From my experience here are different scenarios I've faced for this error:
Backend server can't be reached due to an NSG Rule controlling access from the AGW subnet to the backend subnet.
Backend server can be reached but the port is not opened at the server's firewall.
Backend server can be reached, port is opened but application is not listening on those ports or application is not even running.
AGW listeners were misconfigured.
Here's what you can try:
First validate whether the Application and VM are fine by trying to access the application from another VM in the same subnet.
Next, try to get a VM in a different subnet and try to access the application, to mimic the AGW trying to connect to the backend. This will help you validate whether your NSGs are properly configured.
Lastly, revisit all the AGW settings and look for any misconfiguration in the listeners or other settings. (Added this based on your comments).
Taking this approach to troubleshooting will quickly help you identify which layer is causing the issue. Also, it would be a good practice to start documenting all AGW errors you get along your journey and also the remediation steps etc. This will help you tremendously in the future - this is not the last time you'll face issues with your AGW!
If you've checked your firewall issues and it's not solving the problem it could be user permissions on your VM.
I then ran the following command in PowerShell and it sorted it for me.
netsh http add urlacl url="http://*:{port}/" user="Everyone"
A good test to see if this will work is if you can access your app using Invoke-WebRequest with a localhost URI, but not with the server's NIC private IP.
You'll also need to set your host address to use the wildcard in your config file.
I've been trying to setup my Azure Network security group to accept connections to my Octopus Tentacle, but with no success.
I know the Tentacle is properly working because I can connect using localhost, all that's left is to be externally available.
Could anyone shine a light on the necessary rules at the Network security group? Find below my own rules.
Kind regards and thanks in advance!
Open Windows Firewall on your VM and add an allow rule for TCP port "10933" (10933 is the default port between the Octopus Server and the Tentacle).
If your Octopus Server and Tentacle are not on the same Azure resources and you still can't telnet to the Tentacle, you must add an "Inbound security rule" for the same TCP port 10933 to the network security group used by your VM.
Optional: You should give a static IP and domain name to your VM on Azure. Your network admin should configure IP-restricted access to it.
For testing the connectivity, you should use the "telnet client". Open cmd and run this. If there is no connection error/timeout, it's working.
telnet yourtentaclesexternalIPaddress 10933
You should add the endpoint and firewall settings on your virtual machine firewall (not the Azure you mentioned). This is the official tutorial on how to set up the Tentacle. Also take a look if your OS you want to launch Tentacle on is supported (the same link).
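The Application Gateway answers above recommend checking, layer by layer, whether the VM can be reached, whether the port is open and whether the application answers (and, for the urlacl case, whether the app answers on localhost but not on the NIC's private IP); the Tentacle answer recommends a telnet test of port 10933. The probe below is an added example by the editor, not code from any of those answers, that performs those checks from one place and names the layer that fails. The local HTTP server it starts is constructed test data; in practice you point it at the backend from the gateway's subnet and from the VM itself.

```python
"""Added example: a backend probe that tells a blocked port (NSG/UDR/firewall)
from a closed port (nothing listening) from an application error (HTTP 5xx).
The demo backend below is constructed; replace host/port with the real VM."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_backend(host, port, path="/", timeout=2.0, http_check=True):
    """Return a verdict for one host:port.

    "blocked_or_unreachable": no TCP handshake at all (NSG/UDR/firewall layer)
    "refused":   the host answered with a reset, nothing listens on that port
    "tcp_open":  port reachable, HTTP check skipped (e.g. Tentacle on 10933)
    "healthy":   HTTP 200-399 on the probe path
    "unhealthy_http_<code>": reachable, but the application returned an error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, network unreachable
        return "blocked_or_unreachable"
    if not http_check:
        return "tcp_open"
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
    except OSError:
        return "blocked_or_unreachable"
    return "healthy" if 200 <= status < 400 else f"unhealthy_http_{status}"


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed backend: '/' is fine, any other path mimics a failing app."""

    def do_GET(self):
        code = 200 if self.path == "/" else 503
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_backend():
    """Start the constructed backend on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def free_port():
    """Pick a loopback port with no listener, to show the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_demo_backend()
    port = srv.server_address[1]
    print(classify_backend("127.0.0.1", port))                    # healthy
    print(classify_backend("127.0.0.1", port, "/broken"))         # unhealthy_http_503
    print(classify_backend("127.0.0.1", free_port()))             # refused
    print(classify_backend("127.0.0.1", port, http_check=False))  # tcp_open
    srv.shutdown()
```

Running the probe from a VM in another subnet against the backend's private IP reproduces what the gateway sees; "blocked_or_unreachable" points at the NSG or the Windows firewall, "refused" at an application that is not listening on that port or address, and an "unhealthy_http_" verdict at the application itself. A backend that is "healthy" on 127.0.0.1 but "refused" on its own NIC address is the symptom the netsh urlacl answer fixes.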
I have an Azure Website with a virtual IP (IP-based SSL); however, in my cloud service I have to specify the address of my website to whitelist. Somehow I think I'm missing the obvious here, since I cannot connect to my web service when I deny all BUT my website. If I remove the Deny All rule I can connect fine.
I now have this, which won't work:
<AccessControls>
  <AccessControl name="accessRestriction">
    <Rule action="permit" description="permit-site" order="1" remoteSubnet="VIRTUALIPADDRESS/32" />
    <Rule action="deny" description="deny-public" order="2" remoteSubnet="0.0.0.0/0" />
  </AccessControl>
</AccessControls>
EDIT:
My website cannot connect to the web service. (Unable to connect to the remote server)
EDIT2:
In my intellitrace log I can see that indeed the website is trying to gain access but is blocked
'Requested registry access is not allowed.'
Side note: If I add a permit rule for my local home IP, I CAN reach the web service if I run my website locally (and connect from home).
2nd, off-topic question: In a lot of tutorials I see people using Order=100, 200 and then 300 instead of just 1, 2, 3. Why three digits? (answered)
EDIT3: both website and service are now https, still no connection possible with ACL enabled.
Thanks!
IP SSL does not guarantee the outbound IP address for outgoing connections, but it only associates the inbound IP with your site. You will need to whitelist all possible outbound IP addresses for your site according to what region your site is in.
For the list of outbound possible IP addresses you can look at https://social.msdn.microsoft.com/Forums/azure/en-US/fd53afb7-14b8-41ca-bfcb-305bdeea413e/maintenance-notice-upcoming-changes-to-increase-capacity-for-outbound-network-calls?forum=windowsazurewebsitespreview
The reason for this is that Azure Websites is a multitenant environment and the outbound IP address cannot be guaranteed at the site level.
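To make the answer's point concrete, here is an added example written by the editor (not the questioner's or the answerer's code) that parses an AccessControl like the one in the question and evaluates it first-match by order, as the platform does. The VIP 198.51.100.7, the outbound range 203.0.113.0/24 and the outbound address 203.0.113.42 are constructed stand-ins; the real outbound ranges for a region come from the MSDN post linked above.

```python
"""Added example: evaluate a cloud service <AccessControl> first-match by
'order', to show why permitting only the website's inbound VIP still
blocks the website's own outbound calls. All addresses are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# The ACL from the question, with the VIP placeholder filled by a
# constructed address from the documentation range.
ACL_XML = """
<AccessControls>
  <AccessControl name="accessRestriction">
    <Rule action="permit" description="permit-site" order="1" remoteSubnet="198.51.100.7/32" />
    <Rule action="deny" description="deny-public" order="2" remoteSubnet="0.0.0.0/0" />
  </AccessControl>
</AccessControls>
"""

WEBSITE_VIP = "198.51.100.7"                  # constructed: the inbound IP-SSL address
WEBSITE_OUTBOUND_RANGES = ["203.0.113.0/24"]  # constructed stand-in for the region's list
WEBSITE_OUTBOUND_IP = "203.0.113.42"          # constructed: an address the site egresses from


def parse_access_control(xml_text, name):
    """Return the rules of the named <AccessControl>, sorted by 'order'."""
    root = ET.fromstring(xml_text.strip())
    acl = root.find(f"./AccessControl[@name='{name}']")
    if acl is None:
        raise ValueError(f"no AccessControl named {name!r}")
    rules = [
        {"action": r.get("action"), "description": r.get("description"),
         "order": int(r.get("order")),
         "subnet": ipaddress.ip_network(r.get("remoteSubnet"))}
        for r in acl.findall("Rule")
    ]
    return sorted(rules, key=lambda r: r["order"])


def evaluate(rules, remote_ip):
    """First rule whose remoteSubnet contains the caller decides."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if ip in rule["subnet"]:
            return rule["action"], rule["description"]
    # Unreachable for an ACL that ends with a 0.0.0.0/0 rule; keep such an
    # explicit catch-all rather than relying on any platform default.
    return "deny", "no-match"


def with_outbound_permits(rules, ranges):
    """New rule list: permits for the site's outbound ranges ahead of the
    existing rules, orders spaced by 100 so later inserts need no renumbering
    (which is also why tutorials use Order=100, 200, 300)."""
    permits = [{"action": "permit", "description": f"permit-outbound-{i}",
                "subnet": ipaddress.ip_network(r)} for i, r in enumerate(ranges, 1)]
    merged = permits + [dict(r) for r in rules]
    for i, rule in enumerate(merged, 1):
        rule["order"] = i * 100
    return merged


if __name__ == "__main__":
    rules = parse_access_control(ACL_XML, "accessRestriction")
    print(evaluate(rules, WEBSITE_VIP))          # ('permit', 'permit-site')
    print(evaluate(rules, WEBSITE_OUTBOUND_IP))  # ('deny', 'deny-public'): the actual caller
    fixed = with_outbound_permits(rules, WEBSITE_OUTBOUND_RANGES)
    print(evaluate(fixed, WEBSITE_OUTBOUND_IP))  # ('permit', 'permit-outbound-1')
```

The inbound VIP never appears as a source address on the web service side, so the only rule it can ever match is the one for a browser hitting the website; the call the web service actually sees comes from one of the shared outbound addresses, which the fixed list permits while everything else still hits the catch-all deny.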
I am planning to enable an Azure Cloud Service and On-Premises environment connection using Site-to-Site connectivity.
Here are the specific details I want to know:
1. What would be required from the on-premises network team in terms of enabling the connection?
2. How do I set up and enable the connection on every deployment build that I do for my Azure cloud service?
3. What are the ways to troubleshoot if the connection is down?
Basically you'll need a Virtual Network with a VPN to your on-premises network. After that, you'll add your cloud service to this virtual network. You can do that by editing your ServiceConfiguration (.cscfg file):
<ServiceConfiguration serviceName="<service-name>" osFamily="<osfamily-number>" osVersion="<os-version>" schemaVersion="<schema-version>">
  <Role …>
    …
  </Role>
  <NetworkConfiguration>
    …
  </NetworkConfiguration>
</ServiceConfiguration>
To monitor the traffic you'll just need to watch the Virtual Network dashboard. You'll see data in/out and whether the VPN connection is down.
More info in here:
http://blogs.technet.com/b/askpfeplat/archive/2014/03/03/connect-an-on-premises-network-to-azure-via-site-to-site-vpn-and-extend-your-active-directory-onto-an-iaas-vm-dc-in-azure.aspx
How would one make a TCP connection from Azure PaaS hosted Web Sites to a Worker Role that's deployed in one virtual network? Can this be done without opening an Input Endpoint (an internet-facing port) on the worker role? It looks like Web Sites cannot currently be part of virtual network deployments, as per the Azure Virtual Network FAQ:
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
If it helps the discussion, the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
Edit: I found a really good post regarding this matter, Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint on the worker role and then restrict access to it to only the Web Sites deployment. However, it looks like a lot of work to do, and it hops over networking elements like a load balancer, and perhaps I'd need to find out the Web Sites deployment IP.
Am I off-base and there's a simple way to connect Web Sites to an Azure compute role via a TCP connection?
Network configuration
<VirtualNetworkConfiguration>
  <Dns>
    <DnsServers>
      <DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
    </DnsServers>
  </Dns>
  <VirtualNetworkSites>
    <VirtualNetworkSite name="XyzVNet" Location="North Europe">
      <AddressSpace>
        <AddressPrefix>10.0.0.0/8</AddressPrefix>
      </AddressSpace>
      <Subnets>
        <Subnet name="Sub1">
          <AddressPrefix>10.0.0.0/11</AddressPrefix>
        </Subnet>
      </Subnets>
      <DnsServersRef>
        <DnsServerRef name="XyzVnetDns" />
      </DnsServersRef>
    </VirtualNetworkSite>
  </VirtualNetworkSites>
</VirtualNetworkConfiguration>
Cloud service configuration
<NetworkConfiguration>
  <VirtualNetworkSite name="XyzVNet" />
  <AddressAssignments>
    <InstanceAddress roleName="Xyz.ComputeRole">
      <Subnets>
        <Subnet name="Sub1" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACL's) on the worker role's input endpoints.
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.
There are now two ways to connect to resources in your Azure VNET from your Azure Website. You can find details written up in several blogs.
The Hybrid Connections capability involves you downloading a relay agent that can access both Azure and your desired endpoint. This works for access to resources in your VNET or in any other network for that matter. You can install the agents on premise to enable TCP access to resources there. Each Hybrid Connection endpoint you define can only provide access to a single host:port. You can have 5 endpoints for free and if you need more you can pay to get them.
The VNET Integration capability allows you to access resources in your VNET. Under the covers it is using point-to-site technology to do this, so your VNET needs a dynamic routing gateway and you need point-to-site to be enabled. If you also use a site-to-site VPN to connect your on-premises network to your VNET, you can then access on-premises resources.
Neither of these methods provides private access to your website. They are only intended to enable your website to access resources in other networks. Both features are also currently in preview and are being improved upon.
If you would like details on either there are a number of blogs and documents online. For an example you can refer to this one: using vnet or hybrid connections with Azure websites