I would like to add security (e.g. a login with a password) for the public IP of my Azure VM. Otherwise everybody could, e.g., deploy smart contracts via the Cakeshop links or turn the Ethereum nodes off and on.
Does anybody know how to do it?
It seems that you cannot set a password for the public IP, but you can set the password for the VM. For the security of the VM, you can use an Azure Network Security Group to filter the traffic. For more details, see Filter network traffic with a network security group.
For more security for the VM, you can try Azure AD identities. Take a look at Configure managed identities for Azure resources on a VM. Hope this will help you.
There is no such thing as a password for a public IP; a public IP is just a resource assigning IPs to a network interface, nothing more.
If you are hosting an application in Azure it is up to you to make sure this is secure. Ideally, this would be done through authentication at the application layer, to prevent users from being able to do anything in the application without authenticating. If your application does not provide this then you may want to take a closer look at your application and whether it is fit for purpose.
If application-level authentication is not possible, then you could look at adding authentication at the application server level, be that Apache, IIS, Tomcat, etc. You would need to look at the appropriate documentation for your application server.
I need to configure Azure SQL Database firewall settings so that it can only be accessed by my Azure Function app. The problem is I'm running the app in a consumption plan, and as far as I know, the outbound IP address(es) can change even when I don't take any actions.
Is there a way to whitelist the app so that I protect the database from unwanted connections?
I thought of whitelisting by Azure region since everything is hosted in the same region, but then how do I guard against other apps in the same region? That's why I'm thinking of using specific IP addresses. My only concern with this approach is, I don't know if other function apps can share the same outbound IP addresses as my own.
P.S. Currently, my firewall settings deny public network access and allow Azure services to connect only.
There are several ways to achieve this.
You may want to integrate a VNet or get static IP addresses for your Azure Functions.
Image from: https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
However, from what I've seen in your comments, you don't want to go with the premium plan.
The last thing I can suggest is that you implement Managed Service Identity.
The idea behind this is that instead of connecting to the database with a connection string, you connect to the database with the access token that you were granted. You can't get the access token if you are not in the same identity.
This tutorial explains the general idea with App Service:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
and this tutorial pretty much covers what you really want to achieve:
https://www.azurecorner.com/using-managed-service-identity-in-azure-functions-to-access-azure-sql-database/
Good luck!
I had the same issue but managed identity didn't make much difference.
In the firewall settings for the SQL server there is an option to allow Azure resources to access the server. For me this was set to no, but it needed to be set to yes.
One thing you can do is assign a managed identity to your function. It will retrieve a token from Azure AD, and it will be used to connect to Azure SQL:
using System.Data.SqlClient;

// accessToken holds the token the function's managed identity obtained from Azure AD
// for the resource https://database.windows.net/ (see the linked tutorial).
if (accessToken != null) {
    string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>;";
    // Token authentication: no user name or password appears in the connection string.
    using (SqlConnection conn = new SqlConnection(connectionString)) {
        conn.AccessToken = accessToken;
        conn.Open();
    }
}
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
You can do this by assigning a static IP to the function app, whitelisting it on the SQL Server inbound networking side and denying all other requests. However, you have to change the consumption plan to App Service to assign a static IP.
https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses#dedicated-ip-addresses
Also, you can try creating a VNet peering for those services and block other requests.
I can't find where I got the answer (so not my answer, but sharing it here): your Azure Functions have a list of outboundIpAddresses and possibleOutboundIpAddresses that you can add to your Azure SQL firewall rules (mine had about 10).
You can find them by...
Go to https://resources.azure.com
Expand Subscriptions -> [Expand your Subscription] -> Providers -> Microsoft.Web -> Sites
Find your Azure Function site in the JSON and locate the outboundIpAddresses and possibleOutboundIpAddresses; these will contain a list of IP addresses.
Add all of them to your SQL server's firewall.
While I'm not positive if these will ever change, so far they haven't for me and the person who originally posted this solution also noted that they haven't run into issues with this.
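The steps above, scripted with the Azure CLI, as an added example that is not part of the original answer: it reads the same possibleOutboundIpAddresses list the JSON exposes, drops anything that is not a valid IPv4 address, and prints one server-level firewall rule per address for review before anything is applied. The az CLI being installed and logged in, the resource names, and SAMPLE_LIST are assumptions; SAMPLE_LIST is a constructed list using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original answers): build Azure SQL server-level
# firewall rules from a Function App's possibleOutboundIpAddresses. The az calls
# are printed for review rather than run; resource names are placeholders and
# SAMPLE_LIST is a constructed list (documentation address ranges).
set -eu

SAMPLE_LIST='203.0.113.10,203.0.113.11, 198.51.100.7,203.0.113.10,not-an-ip,256.1.1.1'

# True when $1 is a dotted-quad IPv4 address (the Azure list contains no CIDRs).
is_ipv4() {
  case $1 in *[!0-9.]*|'') return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
}

# Split the comma-separated list, drop blanks, duplicates and non-addresses,
# and print one address per line in the original order.
parse_ip_list() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | awk '!seen[$0]++' |
  while IFS= read -r ip; do
    if [ -n "$ip" ] && is_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
  done
}

# One single-address rule per IP (start = end), named after the address, so the
# server admits only the function's possible egress addresses.
rules_for() {
  rg=$1; server=$2
  parse_ip_list "$3" | while IFS= read -r ip; do
    printf 'az sql server firewall-rule create -g %s -s %s -n func-%s --start-ip-address %s --end-ip-address %s\n' \
      "$rg" "$server" "$(printf '%s' "$ip" | tr '.' '-')" "$ip" "$ip"
  done
}

# Usage: sh this.sh <resource-group> <function-app> <sql-server> | sh
# (review the printed commands before piping them into sh).
if [ $# -eq 3 ]; then
  raw=$(az functionapp show -g "$1" -n "$2" --query possibleOutboundIpAddresses -o tsv)
  rules_for "$1" "$3" "$raw"
fi
```

Re-run it whenever the app's outbound list changes; rules it emits for addresses that are already present will fail harmlessly on the duplicate name, so compare the output with the current rules first.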
Virtual networks do not work on Azure the same way as they work on premises.
If you create a VNet, add your Azure Function to a subnet and allow this subnet in SQL Server, it will unfortunately not work.
If it is ok for you to allow "public access" and/or "Azure resources access" then things are simple. You log in with SQL credentials and you have access.
If you block public access I am not sure that your resources would be able to access your database, because all your connections go to SQL Server from the internet, not from your internal network.
The solution that worked for me is:
Create a vnet
Create a private endpoint for SQL Server in this VNet (custom DNS records were created by the IT-OPS people).
The Azure Function uses a subnet of this VNet.
Now, you can close public and azure resources access in your database.
All your calls will go through your virtual network (not through the internet anymore) and only applications that use a subnet of this vnet would be able to connect to the database.
I am currently trying to use Azure Pipelines to build a Docker image and push it to the Azure Container Registry. I have a Service Connection set up, but the build is failing with "denied." I suspect the reason for this is that my Container Registry is set up to only allow access from "selected networks" and is restricted to a few IPs. I validated this by temporarily allowing all networks, and then the build/push succeeded.
Is there any way to get Azure Pipelines to successfully push a Docker image to the Container Registry that is only allowing selected networks? I thought that was what the Service Connection was for?
I'm afraid you're right. The possible reason is that you set it to selected networks and did not add the IP address of DevOps to allow the traffic. As far as I know, the IP address of DevOps will change over time; here is the description:
In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time.
So you need to allow an IP range, not a single IP address, and it's not a secure way. Well, the most secure way from my experience is to control the access permissions for all the people, not the networks. You can create multiple service principals and grant them different roles to control the permissions. For example, use the role AcrPull; it only has permission to pull the images. More details about the roles here. You can even control the permissions on the repositories; here is more information about it.
By the way, I think the firewall to select the networks is more suitable for resources inside Azure; for this, you can use the endpoint to achieve it.
Please make sure that your service connection has AcrPush permission.
You can check it or add if needed here:
(You will find your connection under the name 'your-organization-your-project'.)
I have created a Windows 2016 Datacenter VM on the Microsoft Azure cloud. I also downloaded its RDP file. However, when I am trying to access it from my organization I get the error below (of course, the organization uses a proxy/firewall). When I access it from my home internet, I can access the VM successfully.
Currently the networking of the VM has the setting below:
Please help me access the Azure VM via the proxy.
Edit:
I got a few great answers. However, being a trainer, I need to keep creating and deleting VMs on a day-to-day basis, hence requesting that the network admin add a particular VM IP to the exception list won't help. Is there any other way possible?
Go with Jason's suggestion. Your network admin needs to configure the corresponding rules for the firewall or proxy. What you need to tell the network admin depends on your setup:
If you are dealing with one VM only, then you could either configure the public IP that is assigned to the VM as static and ask the network admin to allow RDP to that IP address, or, alternatively,
if you would like to save costs for the public IP and your organisation's proxy/firewall is capable of working with DNS names, then you could assign a DNS name to the public IP and let the network admin know the DNS name. The DNS name would be something similar to this: myazurevmname.azurelocation.cloudapp.azure.com
If you are planning to access several VMs in Azure, you can either repeat the above steps for each of the VMs; however, you may want to think about establishing a point-to-site VPN from your local computer, which would remove the need for assigning public IP addresses to each of the VMs. The network setup in Azure will be more complex upfront, but it may be worth the effort. However, this will be a separate discussion.
You could set up TeamViewer as a service(!) on your VM and then connect to it with TeamViewer from your company PC. It'll be a bit laggy, but you'll get used to it.
Use this tutorial to set up TeamViewer.
It seems your organization's network blocks it; you should contact your network admin to add it to the firewall/proxy.
On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM and my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same LAN, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with each other via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess I'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the virtual network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
So we are starting to move to the cloud and our biggest concern is security, as it should be. The thing that I am not sure about is how to secure the endpoints from public (internet) access. Is this even possible, or is there something else we can do to keep the environments in Azure out of the public eye?
This question is likely better suited to Server Fault. But until then...
In Azure IaaS V1, you can specify IP based ACLs (access control lists) to restrict inbound traffic.
In IaaS v2, you can leverage NSGs (network security groups) to help restrict traffic into and out of specific VMs or virtual network subnets.
If you are using Azure ExpressRoute (a leased line into an Azure facility), the VMs can be addressed directly from within the virtual network connection and don't need to have a publicly exposed endpoint.
Then there's also all the usual options such as securing the connections on the VMs themselves. :)
If you are using Azure Resource Groups along with your VMs (which is available in the new portal), you cannot use endpoints because they are not available there, so you should do the following to open up the HTTP port or ANY other port:
(Sign in to your account on the new portal)
1- Select the VM that you want to manage ports on.
2- In settings, click on Network Interfaces and select your network.
3- Go to Network Security Group and select your group.
4- Add Inbound or Outbound security rules depending on what you need.
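The same NSG setup done with the Azure CLI instead of the portal, as an added example that is not part of either answer on this page (it applies equally to the VM in the first question): each management port is opened only to a named source range, and any rule that would expose a port to the whole internet is refused before a command is printed. The az CLI, the resource names, the ports and the admin range are assumptions; the commands are printed for review, not executed.

```shell
#!/bin/sh
# Added example (not from the original answer): print the Azure CLI calls that put
# a Network Security Group on a VM's NIC and open each management port only to a
# named source range. Commands are printed, not run, so they can be reviewed;
# resource names are placeholders.
set -eu

# Sources that would open the port to the whole internet are refused.
is_restrictive_source() {
  case $1 in
    ''|'*'|Internet|0.0.0.0/0) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit one Allow rule per PORT:SOURCE spec, e.g. "3389:203.0.113.0/24".
# Priorities start at 100 and step by 10; the built-in DenyAllInBound rule
# (priority 65500) then drops whatever no explicit Allow rule matched.
nsg_allow_rules() {
  rg=$1; nsg=$2; shift 2
  prio=100
  for spec in "$@"; do
    case $spec in *:*) ;; *) printf 'bad spec %s, want PORT:SOURCE\n' "$spec" >&2; return 1 ;; esac
    port=${spec%%:*}; src=${spec#*:}
    if ! is_restrictive_source "$src"; then
      printf 'refusing port %s: source %s is not restricted\n' "$port" "$src" >&2
      return 1
    fi
    printf 'az network nsg rule create -g %s --nsg-name %s -n allow-%s --priority %d --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --destination-port-ranges %s\n' \
      "$rg" "$nsg" "$port" "$prio" "$src" "$port"
    prio=$((prio + 10))
  done
}

# Whole plan: create the NSG, add the rules, attach the NSG to the VM's NIC.
nsg_plan() {
  rg=$1; nsg=$2; nic=$3; shift 3
  printf 'az network nsg create -g %s -n %s\n' "$rg" "$nsg"
  nsg_allow_rules "$rg" "$nsg" "$@"
  printf 'az network nic update -g %s -n %s --network-security-group %s\n' "$rg" "$nic" "$nsg"
}

# Usage: sh this.sh <resource-group> <nsg-name> <nic-name> 3389:<admin-cidr> 22:<admin-cidr> | sh
if [ $# -ge 3 ]; then nsg_plan "$@"; fi
```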