Azure: Add existing Virtual Machines to new Application Gateway in same region - azure

We already have created two virtual machines in the North Europe region.
Now, I want to add these two machines in Application Gateway, but as per Azure documents while creating an Application gateway one cannot use a virtual network with existing VMs in it.
Is there a workaround to create an Application Gateway in the same network as the VMs?

You can create Application Gateway and the VM in the same VNET.
VNET can have multiple subnets. When you deploy Application Gateway, you need to specify a Subnet and you are not supposed to deploy VMs in the same subnet where Application Gateway resides.
So create a new subnet and place your VM there, or if the VMs already exist, create a new subnet for your Application Gateway.

Related

Configure and verify Vnet in Azure

I have created a Virtual Network next to its subnet and integrated it into three service applications and created the rule on the firewall of my SQL Azure server.
Everything is in the same Azure subscription and region
I need to know if it is enough to direct all the traffic between these instances through the virtual network or do I need to configure some other aspect.
And how can I query the data traffic to verify that the virtual network is being used?
Azure Virtual Network (VNet) allows you to place Azure resources in a non-internet-routable network.
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app#architecture
Using Azure App Service regional VNet Integration, the web app connects to Azure through an AppSvcSubnet delegated subnet in an Azure Virtual Network.
Virtual Network only routes traffic and is otherwise empty, but other subnets and workloads could also run in the Virtual Network.
The App Service and Private Link subnets could be in separate peered Virtual Networks, for example as part of a hub-and-spoke network configuration. For regional VNet Integration, the peered Virtual Networks must be located in the same Azure region.
Azure Private Link sets up a private endpoint for the Azure SQL database in the PrivateLinkSubnet of the Virtual Network.
The web app connects to the SQL Database private endpoint through the PrivateLinkSubnet of the Virtual Network.
The database firewall allows only traffic coming from the PrivateLinkSubnet to connect, making the database inaccessible from the public internet.

Create external network between Azure API Manager and a virtual machine

I have created an API Manager Service (AMS) in Azure with its subnet.
I have created a Virtual Machine with Ubuntu that exposes some APIs on port 8000. It has a public IP and an internal IP (10.0.1.5). This is the network configuration.
I don't want a public IP on this machine. What I want is that only the AMS speaks with the Virtual Machine to expose the API.
I can't find a way to create a private network (or external network in the AMS point of view) between the AMS and the virtual machine. In the network configuration of the virtual machine, the AMS subnet is not available.
In a normal network I would create a NAT between the 2 subnets but in Azure I don't know how to do it.
Do you have any advice?
Create a Virtual network first in some region. Then, while creating the APIM service, go to the Virtual network tab, select type as external instead of none, and select the same Virtual network that you created earlier.
Once the APIM service is deployed, create a VM and while creating the VM go to the networking tab and select the same virtual network that you used in APIM but a different subnet for the VM (as APIM and VM cannot use the same subnet; it is not supported in Azure). You can add a new subnet in the same VNet for use by the VM by going to the VNet resource you created and clicking on add subnet in the Subnets page.
(Note: All the resources must be in the same region)
After this configuration is done, the resources inside the VNet can communicate even if they are in different subnets, as by default resources in the same VNet can communicate in Azure.
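The Application Gateway answer above and this APIM answer come down to the same rule: the gateway goes in the same VNet as the VMs but in its own subnet. As an added example that is not from any of the posters, a small Python helper that picks a free block for that dedicated subnet and flags a layout where the gateway would share or overlap a VM subnet; the 10.0.0.0/16 VNet and the 10.0.1.0/24 VM subnet are constructed sample values.

```python
import ipaddress

# Azure reserves the first four and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5


def check_layout(vnet_cidr, subnets):
    """Return a list of problems with a proposed subnet layout.

    subnets: {name: cidr}. Problems found: a subnet outside the VNet
    address space, and any two subnets that overlap (for example the
    gateway placed in the subnet that already holds the VMs).
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside VNet {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def plan_dedicated_subnet(vnet_cidr, existing_subnets, prefix_len=24):
    """Pick the first free /prefix_len block in the VNet for the new
    gateway (or APIM / App Service integration) subnet; None if the VNet is full.
    The /24 default is an assumption, not an Azure requirement."""
    vnet = ipaddress.ip_network(vnet_cidr)
    if check_layout(vnet_cidr, existing_subnets):
        raise ValueError("existing layout is invalid")
    used = [ipaddress.ip_network(c) for c in existing_subnets.values()]
    for candidate in vnet.subnets(new_prefix=prefix_len):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def usable_addresses(cidr):
    """Addresses left for resources after Azure's per-subnet reservations."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


if __name__ == "__main__":
    existing = {"vm-subnet": "10.0.1.0/24"}  # constructed sample layout
    new = plan_dedicated_subnet("10.0.0.0/16", existing)
    print("gateway subnet:", new, "usable addresses:", usable_addresses(new))
    print(check_layout("10.0.0.0/16", {**existing, "appgw-subnet": "10.0.1.0/24"}))
```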

How to add user route to Azure App Services

I have an Azure VM with a custom VPN inside it that provides a route to 172.254.254.0/24.
I am able to reach that VM from another Azure VM by adding a "user route" to a "route table" on that VM. It works perfectly.
Now I have an Azure App Services web application.
I need to add the route above too.
But I am stuck; I am not able to do it.
Integrate your app with an Azure Virtual Network
The VNet Integration feature has two variations.
Regional VNet Integration - When connecting to Resource Manager VNets in the same region, you must have a dedicated subnet in the VNet you are integrating with.
Gateway required VNet Integration - When connecting to VNets in other regions or to a Classic VNet in the same region you need a Virtual Network gateway provisioned in the target VNet.
Gateway required VNet Integration only provides access to resources in the target VNet or in networks connected to the target VNet with peering or VPNs. Gateway required VNet Integration doesn't enable access to resources available across ExpressRoute connections or work with service endpoints.
Refer: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration

Connecting App Service to Load Balanced cluster in different Resource Groups

I have 2 separate resource groups in Azure:
1. Contains some Services including a Linux App Service hosting Python Django
2. Contains an ElasticSearch cluster which I created using the ARM template from here
I want to connect from the App service in (1) to the ElasticSearch service load balancer in (2).
I tried to create a virtual network peering using
az network vnet peering create -g $webResourceGroup -n web2es --vnet-name vnet --remote-vnet $remote_vnet --allow-vnet-access
where $webResourceGroup => (1) and $remote_vnet => (2)
However, when I try to do an HTTP request to the ElasticSearch Service, it just does not work.
How do I fix or troubleshoot this?
There are some requirements and constraints for virtual network peering.
Resources in one virtual network cannot communicate with the front-end IP address of a Basic internal load balancer in a globally peered virtual network. Support for Basic Load Balancer only exists within the same region. Support for Standard Load Balancer exists for both, VNet Peering and Global VNet Peering. Services that use a Basic load balancer which will not work over Global VNet Peering are documented here.
So, if the peered VNets are in different regions, you cannot connect to resources that are behind a Basic Load Balancer through the Front End IP of the Load Balancer. This restriction does not exist for a Standard Load Balancer. From the parameters, you will see that loadBalancerInternalSku or loadBalancerExternalSku is basic by default; you should use a standard load balancer.
Also, you should have integrated your app with an Azure Virtual Network. Please note that you cannot reach resources across global peering connections (VNets located in different regions) when you are using Regional VNet Integration, which requires that the app and the VNet be in the same region. If so, you need to use Gateway required VNet Integration and VNet peering with gateway transit.
If possible, you could create all resources like VNet, app service, and cluster in the same region. Then you do not need a VPN gateway for your VNet Integration. This may have fewer limitations and be easier to deploy in your scenario.
Hope this could help you.

Azure Service Fabric Cluster connection with on premise network (Private data center)

Can you please describe the process on how services inside Service Fabric Cluster could communicate with the database servers present in our private datacenter?
Right now, for some of the custom VMs on Azure, we attach network interfaces (NICs) to the VMs, and the NICs are connected to the subnet which provides us cross-premises connectivity.
Is there any way we could specify this when provisioning the Service Fabric Cluster?
Thanks!
What you describe is the preferred way - Have a VNET that is connected to your datacenter (either with S2S VPN or Express Route), and then you are free to access on-prem resources from your code as if you were operating inside the local network. You don't have to add NICs to your SF VMs, you can just modify the ARM template to provision all resources inside the designated VNET.
If you take a look at the sample template for SF, you can see the subnet0Ref variable which is being used to set the network profile of the NICs that are part of the newly created scale set.
You can modify the template to look up your pre-existing subnet using the resourceId template expression function (documentation). Then you can drop from the template all the other resources that you don't need created, like the VNET itself.