We are developing an app on an Azure virtual machine, and the VM has nginx installed with TLS version 1.2. The app consists of two actions which perform the Salesforce and Office365 OAuth flows. The app worked pretty fine locally and on Azure App Service too.
Problem
For some reason, we are moving the app to an Azure VM. Here is the problem: after OAuth, the flow returns a code and we need to generate the access_token using that code through an HTTPS request to the Office365 endpoint. The endpoint response is either a timeout or Error Read ECONNRESET.
Analysis
The only working URLs:
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
https://myapp.vault.azure.net/secrets/{Secret-Name}?api-version=2016-10-01
Both of the above are used to fetch the access token and Key Vault secrets. Luckily, this is working pretty fine and I am able to get all the secrets from Azure Key Vault.
But the URLs below either time out with no response or return Error: Read ECONNRESET:
https://login.microsoftonline.com/{Tenant-Id}/oauth2/v2.0/token
https://test.salesforce.com/services/oauth2/token
I've also tried other public or fake REST APIs like:
https://reqres.in/
https://jsonplaceholder.typicode.com/
None of them seem to be working. Has anyone faced this kind of issue?
Just clarifying the answer from the comments for more reference.
The Error Read ECONNRESET means the other side of the TCP conversation abruptly closed its end of the connection. This is most probably due to one or more application protocol errors. Refer to this SO for details.
Moreover, you have only working URLs from the Azure Instance Metadata Service and the Azure Key Vault service; other public or fake REST APIs are failures. So you probably face an internet connectivity issue on that VM or VNet itself. You could check if the firewall is blocking the outbound traffic to the Internet on the local VM, or the NSG rules.
In the end, some change in the firewall settings fixed this issue.
I have the frontend and backend on Cloud Run, each with its own service, but when I set "internal traffic" on the backend API, it doesn't work; it gives me a 403 from the frontend, and it is another service of the same project, and the documentation says that internal means "only for the same project", so...
Two services from the same project are not internal traffic?
I think that is because I use a custom domain and not the exact URL of the service, but I am not sure, because here it says that custom domains are allowed too.
So what do I have to do to authenticate my frontend service on Cloud Run?
I tried with JWT auth, but there is a better option, isn't there?
Cloud Run services set to internal only accept traffic coming from the VPC network. In order to connect to a Cloud Run service that's serving internal traffic, the connecting service must be attached to a VPC connector. In this case, you need to set up a Serverless VPC Access connector as mentioned in this note:
For requests from other Cloud Run services or from Cloud Functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a VPC network. Note that the IAM invoker permission is still enforced.
For authenticating service-to-service, you can simply fetch an ID token from the Compute metadata server. You can do that on any GCP compute environment (Cloud Run, App Engine, Compute Engine, etc.). You can follow the steps provided in this documentation.
Two services from the same project are not internal traffic?
Two services in the same project should be considered as internal traffic.
I believe what you need to do is follow the authentication steps with token as recommended here (service to service authentication):
https://cloud.google.com/run/docs/authenticating/service-to-service
https://cloud.google.com/run/docs/securing/service-identity#per-service-identity
Please note that even though you've set the ingress traffic to internal, the IAM role Cloud Run Invoker is still needed for the service account.
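The token flow both answers describe, written out as an added example (not code from the thread or from Google's samples): the caller asks the metadata server for an ID token whose audience is the backend's URL, checks the audience locally, and sends the token as a Bearer header. The metadata path and the Metadata-Flavor header are the documented metadata-server interface; BACKEND_URL is a placeholder, and FakeOpener and fake_id_token exist only so the flow can be exercised off-platform. IAM still has to grant the caller's service account the invoker role on the backend.

```python
"""Service-to-service call between two Cloud Run services using an ID token
from the Compute metadata server (added example, not from the original thread)."""
import base64
import json
import urllib.parse
import urllib.request

# Documented metadata-server path for an ID token for the default service account.
METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity"
# Placeholder: the URL of the backend service being called.
BACKEND_URL = "https://backend-placeholder.a.run.app"


def identity_token_request(audience: str) -> urllib.request.Request:
    """The token's `aud` claim must equal the URL of the service being called; Cloud Run
    checks it, and the caller's service account still needs the invoker role on the target."""
    query = urllib.parse.urlencode({"audience": audience})
    return urllib.request.Request(f"{METADATA_URL}?{query}", headers={"Metadata-Flavor": "Google"})


def backend_request(url: str, token: str, payload: dict) -> urllib.request.Request:
    """POST to the backend with the ID token as a Bearer credential."""
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def urlopen_text(req: urllib.request.Request, timeout: float = 5.0) -> str:
    """Default opener: perform the request and return the response body as text."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def decode_claims(token: str) -> dict:
    """Read the (unverified) payload so the caller can confirm `aud` before sending.
    Only the receiving side verifies the signature; this is a local sanity check."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def call_backend(audience: str, payload: dict, opener=urlopen_text) -> str:
    """Fetch a token for `audience`, refuse to send it if the audience is wrong, then call."""
    token = opener(identity_token_request(audience)).strip()
    claims = decode_claims(token)
    if claims.get("aud") != audience:
        raise ValueError(f"token audience {claims.get('aud')!r} does not match {audience!r}")
    return opener(backend_request(audience, token, payload))


class FakeOpener:
    """Stand-in for urlopen_text that records requests and returns canned bodies (constructed)."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.requests = []

    def __call__(self, req, timeout: float = 5.0):
        self.requests.append(req)
        return self.responses.pop(0)


def fake_id_token(audience: str) -> str:
    """Unsigned token carrying the given aud, for offline use only (constructed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'aud': audience, 'iss': 'https://accounts.google.com'})}.sig"


if __name__ == "__main__":
    # Offline run using the constructed opener; on Cloud Run, drop the opener argument.
    fake = FakeOpener([fake_id_token(BACKEND_URL) + "\n", '{"ok": true}'])
    print(call_backend(BACKEND_URL, {"hello": "backend"}, opener=fake))
```

On the real platform the default opener talks to the metadata server, so the caller never handles a service-account key; the audience check is cheap and catches the common mistake of minting a token for a custom domain while calling the run.app URL (or the reverse).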
Whenever I try to test an API (using the Test tab of the API blade) I get
Could not complete the request. Please try again later.
This has been happening on my API Management services for at least two hours.
I've created an additional API Management Service and another subscription (with its own APIM).
I'm on the Consumption tier (which has a 99.9% SLA) and the Azure Status Page is showing green across the board. My own personal dashboard (Service Health) is showing No service issues found.
This leads me to think it's something I've done.
How do I go about investigating this?
Solved. I was on a VPN which was changing the certificate.
I worked this out by going to the URL in Chrome (rather than requesting from the Azure Portal or Postman). Chrome told me that the connection was not secure which led me to realise it was the effect of the VPN.
This server could not prove that it is myapimservice.azure-api.net;
its security certificate is from *.myworkapimservice.azurewebsites.net.
This may be caused by a misconfiguration or an attacker intercepting your connection.
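The Chrome message above is the whole diagnosis: the name in the certificate did not cover the name requested. The following is an added example (not from the answer) that does the same check from a script, so it can run from a server or CI box without a browser: a verified TLS handshake that reports the subjectAltName list on success or the verifier's reason on failure, plus a hostname-matching routine exercised on the two names Chrome reported. Verification is deliberately left on; the goal is to surface the mismatch, not to bypass it.

```python
"""Check which certificate a host presents and whether its names cover the hostname
(added example, not from the original answer)."""
import socket
import ssl


def hostname_matches(hostname: str, dns_names) -> bool:
    """RFC 6125-style match: exact name, or a leading '*' that stands for exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels[0] == "*":
            # wildcard covers one label only, and never the bare base domain
            if len(labels) > 2 and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def explain_mismatch(hostname: str, dns_names) -> str:
    """Human-readable verdict in the spirit of the browser message quoted above."""
    if hostname_matches(hostname, dns_names):
        return f"certificate covers {hostname}"
    return (f"certificate is for {', '.join(dns_names)} but we asked for {hostname}: "
            "a proxy, VPN or other middlebox is answering in place of the real host")


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Verified TLS handshake. Returns the SAN list and issuer on success, or the
    verifier's failure reason (e.g. a hostname mismatch) without disabling verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return {"ok": True, "dns_names": names, "issuer": issuer}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": getattr(exc, "verify_message", None) or str(exc)}


if __name__ == "__main__":
    # The two names from the Chrome message in the answer above.
    print(explain_mismatch("myapimservice.azure-api.net", ["*.myworkapimservice.azurewebsites.net"]))
    # Live check of a placeholder host; replace with the APIM gateway hostname.
    print(probe_tls("myapimservice.azure-api.net"))
```

Running probe_tls from the same machine on and off the VPN makes the difference visible in one line each: on the VPN it returns the verifier's mismatch reason, off it the expected azure-api.net names.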
We have an Azure setup where we use Azure as our proxy for sending data to our apps via Azure Functions.
We are having issues because evidently our local development Windows environments send the calls to Azure, and we verify this by logging into our Azure portal and watching any traffic to the calls in the Azure Function console. When we run our code on our local machines, we see the traffic and the calls getting made, BUT when we try the same calls from our production server environment (hosted onsite, Windows Server 2016) to Azure, we can't see any traffic come through our Azure calls.
I am trying to chase down whether it is the Firewall on the production server machine and to see if there are any Outbound Firewall rules that need to be opened up or added to talk to Azure, but I have not seen anything by doing my Google searches that brings up local machine talking to Azure. Most of the articles that come up are about setting up a Firewall on Azure, not local firewall rules to Azure.
The application we are running is an onsite IIS hosted website with calls out to Azure.
Does anyone have any pointers on where or what I should be looking at to see if there is any communication coming from our production server to Azure? Which logs, rules, anything that could point us in a direction. I feel I have looked in most places. I have looked in IIS logs and application logs (we just send a log saying that the call was sent).
But if there is a specific firewall setting on the production server that I need to add, I don't know what that would be, and if anyone does know, it would be very helpful.
UPDATE:
We have so far found that we can hit the functions through a browser, enabling GET requests, and other functions that allow GET requests. The issue seems to be either IIS, a permission with IIS, or the application itself. We actually set the permissions on our application on our server to "Everyone" just to see what would happen, on the folder for the application, and still have not had any luck. The calls we are making are actually POSTs to the Azure Function. We don't have Postman on the machine.
Assuming you're calling out to an Azure Function which is not running on an App Service Environment, or behind API Management or similar, then the only place you can restrict access is on the networking tab of the settings of the function. If you don't have this configured then the function is not where the issue is.
If traffic outbound from your on-prem server is being blocked, then you will need to talk to your IT team to get that opened up. You don't mention how you're calling your function, but if it is an HTTP trigger, then you would need port 443 outbound open.
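Both the ECONNRESET thread at the top of the page and this answer come down to the same question: is outbound TCP to the endpoint open, and if not, at which stage does it fail? The probe below is an added example (not code from either thread) that connects to each target and classifies the result: no SYN-ACK at all (timeout, typically a dropping NSG or host firewall), RST on the SYN (refused), handshake completed but the flow torn down afterwards (what Node surfaces as read ECONNRESET, typical of an inspecting middlebox), or a clean close. The target list reuses the hostnames from the first question; the local listeners are constructed purely so the classifier can be exercised without network access.

```python
"""Outbound connectivity probe that tells apart the failure modes in the threads above
(added example, not from the original posts)."""
import errno
import socket
import struct
import threading

# Endpoints from the first question: the first two worked there, the rest did not.
TARGETS = [
    ("169.254.169.254", 80),            # Azure Instance Metadata Service (link-local, never leaves the host)
    ("myapp.vault.azure.net", 443),
    ("login.microsoftonline.com", 443),
    ("test.salesforce.com", 443),
]

HINTS = {
    "open":        "TCP handshake completed; the path is open on this port.",
    "timeout":     "No SYN-ACK at all: check NSG or host-firewall outbound rules and routing.",
    "refused":     "RST in reply to the SYN: nothing listening, or a firewall that rejects rather than drops.",
    "reset":       "Handshake completed but the peer or a middlebox tore the flow down afterwards; Node reports this as 'read ECONNRESET'.",
    "closed":      "Peer accepted and closed cleanly (FIN) without sending data.",
    "unreachable": "No route, or ICMP unreachable received.",
    "dns":         "Name resolution failed before any packet was sent.",
}


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, then wait briefly for the peer's first bytes, and classify what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(1)
            except ConnectionResetError:
                return "reset"
            except socket.timeout:
                return "open"      # handshake done; a TLS server simply waits for our ClientHello
            return "closed" if data == b"" else "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise


def probe_all(targets=TARGETS, timeout: float = 5.0) -> dict:
    """Probe every (host, port) pair and return {"host:port": classification}."""
    return {f"{host}:{port}": probe(host, port, timeout) for host, port in targets}


def local_listener(mode: str) -> int:
    """Constructed stand-in for a peer: 'reset' accepts and aborts with RST (SO_LINGER 0),
    'close' accepts and closes cleanly with FIN. Returns the port to probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if mode == "reset":
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """A loopback port with no listener, so connecting to it is refused (constructed for the demo)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    for mode in ("reset", "close"):
        print(f"local {mode:6} -> {probe('127.0.0.1', local_listener(mode))}")
    print(f"local refuse -> {probe('127.0.0.1', unused_port())}")
    for target, result in probe_all().items():
        print(f"{target:40} {result:12} {HINTS[result]}")
```

Run it from the affected box (the Azure VM in the first thread, the on-prem IIS host here): a "timeout" on login.microsoftonline.com:443 while 169.254.169.254 is "open" points at outbound filtering rather than the application, and a "reset" points at something in the path that accepts the handshake and then inspects or drops the flow, which is where the firewall change in the first thread's resolution fits.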
I'm taking my first foray into Azure Service Fabric using a cluster hosted in Azure. I've successfully deployed my cluster via ARM template, which includes the cluster manager resource, VMs for hosting Service Fabric, a Load Balancer, an IP Address and several storage accounts. I've successfully configured the certificate for the management interface and I've successfully written and deployed an application to my cluster. However, when I try to connect to my API via Postman (or even via browser, e.g. Chrome) the connection invariably times out and does not get a response. I've double checked all of my settings for the Load Balancer and traffic should be getting through, since I've configured my load balancing rules using the same port for the front and back ends to use the same port for my API in Service Fabric. Can anyone provide me with some tips for how to troubleshoot this situation and find out where exactly the connection problem lies?
To clarify, I've examined the documentation here, here and here
Have you tried logging in to one of your service fabric nodes via remote desktop and calling your API directly from the VM? I have found that if I can confirm it's working directly on a node, the issue likely lies within the LB or potentially an NSG.
I'm trying to access a third party service from Azure App Services (ideally Functions, but a Web App would do). However this service is hosted on a non-standard port, e.g. https://myservice.com:445
I'm using the System.Net.Http.HttpClient to make a POST request, but consistently get a SocketException:
An error occurred while sending the request. Unable to connect to the remote server An attempt was made to access a socket in a way forbidden by its access permissions 1.2.3.4:445
The code works on my local environment (Functions emulator or Kestrel), but fails on Azure. I tried using a service hosted on a regular https endpoint, e.g. https://myotherservice.com, and the call goes through normally.
I'm assuming there is some sort of outbound firewall rule that's preventing the first call, but I haven't found any configuration option to disable this. Is it possible? I unfortunately cannot change the endpoint of the service I need to call.
After checking your application, I did indeed find that those outgoing requests were being blocked by the infrastructure.
I was also able to find public documentation covering those ports here:
https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox#restricted-outgoing-ports