Azure hybrid connections "No such host is known" - azure

I have a simple Asp.Net Core Azure Web App that needs to make a http get request to an on-premise Rest service. This Rest service is hosted on IIS with bindings set only for port 443. I've setup a new Hybrid Connection in Azure and added it to the Web App. At the on-prem side, I've installed Hybrid Connection Manager and entered the connection string for the Hybrid Connection - this now shows as "Connected".
Problem is, when executing the line of code that makes the get request, the following error is thrown:
System.AggregateException: One or more errors occurred. (No such host is known) ---> System.Net.Http.HttpRequestException: No such host is known ---> System.Net.
There's an interesting blog post here: Microsoft Blog which states that the connections should be setup without using the fully qualified domain name (FQDN) - server name suffixed with organisation.co.uk. However, as far as I can tell, the SSL certificate for the Rest service requires the FQDN - otherwise it presents the error
There is a problem with this website’s security certificate
Does anyone know how to troubleshoot and work around this problem?

The first error is probably a DNS issue. As that blog mentioned
If you are using a fully-qualified domain name, you need to ensure
that it’s a name that can be resolved within your local network. (In
some cases, customers are running DNS in the local network, and it’s
that local DNS service that resolves the name.)
So, If you have to use FQDN in the connection string for the Hybrid Connection. You could use an FQDN which only could be resolved by local DNS service.
Alternatively, you could try to edit the hosts file to make DNS lookup preferably inside the on-premise network. Add a line in Rest service server hosts file (located in %WINDIR%\system32\drivers\etc) mapping the IIS server's IP to a name.
For example:
192.168.0.50 serverFQDN
More details, Refer to this.

Related

Can't connect to FTP or SSH URLs in my Azure app service API

I have verified that FTP is turned on. I get this error when trying to connect in FileZilla:
Connection attempt failed with "EAI_NONAME - Neither nodename nor
servname provided, or not known".
My FTP URL looks like this:
ftp://dev-api.ase-name-dev.appserviceenvironment.net
Hmmm… can't reach this pageCheck if there is a typo in
dev-api.scm.ase-name-dev.appserviceenvironment.net.
DNS_PROBE_FINISHED_NXDOMAIN
This is what that URL looks like:
https://dev-api.scm.ase-name-dev.appserviceenvironment.net/webssh/host
I have two domains for this API. The default one and a new custom one. I looked in the domain settings and it all looks fine.
Any ideas on what's going on here?
Based on the above information shared, we understood that you are using app service environment.
If your app service environment is created with ILB then you need to use internal load balancer IP to do FTP adding to that you need to have any of these ports opened 21, 990, 10001-10020 as mentioned in this Documentation.
If your ASE is created with external Load balancer then you need to use the public IP address of the ASE to perform SSH or FTP.

Azure Application Gateway: Cannot connect to backend server in

Due to a recent layoff I got bombarded to azure admin out of the blue. I am pretty new to this and haven't yet got the chance to follow an admin course.
Facing the following issue: We host a couple of websites on an Azure Windows Server VM running IIS. These are accessible through an application gateway with a public IP. I was asked to add two new listeners for a new part of the website. I created the appropriate targeting in the backend pool, created http and https settings and added the listeners and Rules. However, when browsing to the site, it throws a 502 error and when i check the backend health, it gives below error.
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port.
I opened up the appropriate inbound ports on the NSG of the AZ Web interface on the VM and also on the local firewall of the server hosting IIS. AFAIK there are no additional NSG rules on the application gateway.
What am i missing here? :s
I have extensive experience working with Application Gateways and I can tell you that a 502 Bad Gateway means something is definitely wrong at the backend or misconfigured AGW settings - that's what the error says, so nothing surprising. From my experience here are different scenarios I've faced for this error:
Backend server can't be reached due to an NSG Rule controlling access from the AGW subnet to the backend subnet.
Backend server can be reached but the port is not opened at the server's firewall.
Backend server can be reached, port is opened but application is not listening on those ports or application is not even running.
AGW listeners were misconfigured.
Here's what you can try:
First validate whether the Application and VM are fine by trying to access the application from another VM in the same subnet.
Next, try to get a VM in a different subnet and try to access the application, to mimic the AGW trying to connect to the backend. This will help you validate whether your NSGs are properly configured.
Lastly, revisit all the AGW settings and look for any misconfiguration in the listeners or other settings. (Added this based on your comments).
Taking this approach to troubleshooting will quickly help you identify which layer is causing the issue. Also, it would be a good practice to start documenting all AGW errors you get along your journey and also the remediation steps etc. This will help you tremendously in the future - this is not the last time you'll face issues with your AGW!
If you've checked your firewall issues and it's not solving the problem it could be user permissions on your VM.
I then ran the following command in ps and it sorted it for me.
** netsh http add urlacl url="http://*:{port}/" user="Everyone" **
A good test to see if this will work is if you can access your app using invoke-webrequest and using a localhost URI, but not using the server's NIC Private IP.
You'll also need to set your host address to use the wildcard in your config file.

WebApp private endpoint azure vpn

I Have implemented a azure vpn infra in azure, using azure vpn client.
The configuration and connection work just fine.
To test this, I create a private resource (azure virtual machine) allocated it inside azure vpn subnet, and tried to connect using the private ip of the vm while connected to the vpn client, and it did work just fine.
Now I wanted to do the same experiment using azure web app private endpoint following this guide:
https://www.varonis.com/blog/securing-access-azure-webapps/#webapp
I have a point to site connection not a site to site.
I did created the web app and placed it inside the vpn subnet. But the problem is, even if I am connected to the vpn client, I get the error 403 forbidden no matter if I am connected to the vpn or not.
Did this error occurred to somebody who can kindly help me to understand the nature of this issue and how to overcome it?
Thank you very much for your help
Nayden Van This might be occurring for a number of reasons such as forgetting to include the A record for the privatelink URL in the custom DNS server or there might be an internal proxy blocking *.azurewebsites.net.
The most common issue is DNS. Please review the DNS integration content found here to ensure you have correctly configured your DNS for use with privatelink.

URL rewrite configuration on Azure

I have WAF, Application Gateway and a VM in place in Azure cloud. I have deployed an application in VM, which is running on tomcate and on port 8280.
I have domain name www.abc.com. In DNS entry, www.abc.com is pointing to my Azure App Gateway on port 80.
I am able to access the my application using IP and port. for example:-
http://X.X.X.X:8280/MyApps/page1 and http://X.X.X.X:8280/MyApps/page2.
I am trying to configure App Gateway, so that when I try to open using domain name. My requirement is when I hit www.abc.com, it should redirect to URL www.abc.com/page1. I tried to setup the listener with basic type and also path based. But no success. When I try to hit www.abc.com, it throws error:
502 - Web server received an invalid response while acting as a gateway or proxy server.
The 502 error always shows that there is a firewall restiction from your application gateway instance to your backend VM. You can verify if there are blocking the traffics in the NSG associated with your application gateway subnet or VM subnet. Also, this might be caused by inproperly configuring the custom health probe. You also can get more reasons from this doc.
Moreover, you can confirm you have set the url-based path correctly. Pay attention to the path and port.

How do I connect to an AD domain controller in Azure?

I'm working through an Azure tutorial on MSDN as suggested by #BrentDaCodeMonkey. Basically, I'm trying to learn how to set up a Windows domain, so I can use it for a some other SQL Server tutorials. See my previous question here.
I'm running into a problem where I cannot connect my servers to my Active Directory Name Controller. When I try to add my domain name to the server in System Properties, I get an error message instead of the Windows Security popup dialog.
An Active Directory Name Controller (AD DC) for the domain "corp.ejm.com" could not be contacted. Ensure that the domain name is typed correctly. [...] The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Name Controller (AD NC) for domain "corp.ejm.com"; The error was: "This operation returned because the timeout period expired."
Note that I am able to verify the DC's IP address, with nslookup in the command prompt.
Complicating this issue is that the tutorial instructions don't exactly match what I'm seeing in Azure. For example, I'm not allowed to use Windows Server 2008 R2 SP1 when setting up SQL Server virtual machines. I had to use Windows Server 2012 for those, but still used 2008 for the DC. I thought that the problem might be a conflicting operating systems, so I tried running the tutorial again using Windows Server 2012 for everything. Same error message.
Also note: the tutorial says that I should use the example domain, corp.contoso.com. I used my own example domain instead, corp.ejm.com. I'm wondering if this has something to do with it. My example domain is not registered on the Internet.
Connect to the DC VM and find out its IPAddress (10.*).
Go to the virtual network configuration and set the DNS server IP Address to that.
Also make sure you use this IP Address during step #8 in install SQL VMs section.
Now try joining the SQL VMs to the domain.
Hope this helps.

Resources