Does anyone know why, on rebooting a web/worker instance from the Azure portal, the firewall rules set in that machine instance get removed?
I know that the best practice is to use VNET and NSG, and there is no logic in adding the rules to one instance while these rules are not being applied to the other instances, but it would be nice to know what is happening on rebooting an instance (not the service) from the portal.
I have 2 VM instances under 2 separate projects. When I go into the firewall page, all rules are tied to the first instance. Is there a way to specify which instance the rule applies to? Another issue may be that one was built on us-central and the other on us-east1.
I'm trying to get the company to use Azure Firewall as we start to move production workloads to Azure; however, the network team have stated there are limitations when using Azure Firewall. For example, they have said the firewall reboots or drops all connections when you update a rule on it?
Is this true? Would anyone know of any limitations of using Azure Firewall? The network team prefer to use Checkpoint firewalls in Azure, which are fine, but I would rather use Azure Firewall if it's not going to fall down every time we do an update to the rules.
That just doesn't sound like it's right, as Azure Firewall is a production-ready resource.
Please find the link below for the detailed documented known limitations of Azure Firewall:
https://learn.microsoft.com/en-us/azure/firewall/overview#known-issues
It clearly states all the issues regarding configuration of rules, NAT of UDR and other features of Azure that are used in integration with it. There, it clearly states that configuration updates to the Azure Firewall take three (3) to five (5) minutes on average to take effect independently, i.e., if multiple configuration updates are made to the Azure Firewall, each configuration update takes its own time to take effect and be reflected in its functioning. Thus, please check this, and as far as the updating of rules is concerned, I don't think the existing rules defined on Azure Firewall become dysfunctional, or that the Azure Firewall as an appliance goes down for a period of time, while the rules are being updated.
I've got an Azure SFTP container instance properly set up finally, but I ran into a wall while configuring security for it (much like the person here).
My basic flow is this:
PIP on Azure ->
-> Load balancer using PIP to be reached by the wider web ->
-> Load balancing rule to backend subnet ->
-> SFTP container group living on that subnet ->
-> SFTP container in that group
Nothing special, and I verified before associating the NSG that the network is operating as intended. Connection to the SFTP server is functioning properly. The problem is, after associating the NSG with the container group's subnet, I was still able to connect to it without any configured rules. Even after applying a rule with priority 100 to deny all traffic, to rule out something I may have missed from the default rules, I can still get in.
After reading that NSG flow logs don't include container instances, I'm torn between believing users have NSGs working with container groups but are missing logs, and the possibility that NSGs don't work with container groups at all. If anyone has any guidance on properly using NSGs here, please let me know. Otherwise, if there's another tool I should be using, please recommend it (Azure Firewall is included in the container group tutorial, but I believe it is completely overkill for what I need and also prohibitively expensive).
EDIT: Adding picture of NSG rules -
After my validation, currently the NSG associated with the ACI subnet does not work in this scenario for the SFTP container service behind an Azure load balancer. The NSG rule does not block the client's public IP address, and it works as if the NSG were not there.
As a workaround, you could restrict the SFTP access with an NGINX reverse proxy as in this blog, or add a service like Azure Application Gateway as a reverse proxy to direct your public-facing traffic to your backend instance.
How can we change the IP Restriction Rules while the Cloud Service is running? (A reboot is acceptable.)
For example, add / remove an IPAddress.
We don't really want to redeploy and we definitely don't want to repackage.
https://learn.microsoft.com/en-us/azure/cloud-services/schema-cscfg-networkconfiguration
Using Network Security Groups. This can be done at any time.
https://learn.microsoft.com/en-us/azure/virtual-network/security-overview
In the NSG overview, add either the service tag or the IP range and the desired restriction (deny) or allow.
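The answer above (add a tag or IP range to the NSG at any time, no redeploy) and the earlier container-group thread (a deny-all rule at priority 100 behind a load balancer) both come down to managing NSG rules in place. The script below is an added example written for this page, not code from any poster; it uses the Az PowerShell module (Az.Network cmdlets) and assumes a resource group named rg-cloudsvc, an existing NSG named nsg-cloudsvc-frontend, and the documentation range 203.0.113.0/24 as the client range. It adds or removes an allow rule for one client range, picks a free priority so repeated runs do not collide, keeps the Azure Load Balancer health probes allowed by service tag, and ends with an explicit deny-all, then pushes the whole rule set with Set-AzNetworkSecurityGroup.

```powershell
# Added example (not from any post on this page): change NSG IP restriction
# rules in place with Az PowerShell, so a client range can be allowed or
# removed without repackaging or redeploying the service behind the NSG.
# Assumed names: resource group rg-cloudsvc, NSG nsg-cloudsvc-frontend,
# client range 203.0.113.0/24 (documentation range, constructed for this example).
# Prerequisites: Install-Module Az.Network; Connect-AzAccount.
param(
    [string]$ResourceGroup = 'rg-cloudsvc',
    [string]$NsgName       = 'nsg-cloudsvc-frontend',
    [string]$ClientRange   = '203.0.113.0/24',
    [int]$ServicePort      = 22,
    [ValidateSet('Add', 'Remove')]
    [string]$Action        = 'Add'
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# One rule per client range; the rule name encodes the range so Remove can find it.
$ruleName = 'Allow-Client-' + ($ClientRange -replace '[./]', '-')

# Lowest unused priority in the 100-999 band: NSG rejects duplicate priorities,
# and a lower number wins, so client allows always sit above the deny-all.
function Get-FreePriority([object[]]$Rules, [int]$From = 100, [int]$To = 999) {
    $used = @($Rules | ForEach-Object { $_.Priority })
    for ($p = $From; $p -le $To; $p++) { if ($used -notcontains $p) { return $p } }
    throw "No free NSG priority between $From and $To"
}

switch ($Action) {
    'Add' {
        if ($nsg.SecurityRules | Where-Object Name -eq $ruleName) {
            Write-Host "Rule $ruleName already present; nothing to add."
        } else {
            $nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName `
                -Description "Allow $ClientRange to tcp/$ServicePort" `
                -Access Allow -Protocol Tcp -Direction Inbound `
                -Priority (Get-FreePriority $nsg.SecurityRules) `
                -SourceAddressPrefix $ClientRange -SourcePortRange '*' `
                -DestinationAddressPrefix 'VirtualNetwork' `
                -DestinationPortRange $ServicePort | Out-Null
        }
    }
    'Remove' {
        $nsg | Remove-AzNetworkSecurityRuleConfig -Name $ruleName | Out-Null
    }
}

# An explicit deny-all at priority 4000 overrides the default
# AllowAzureLoadBalancerInBound rule (65001), which would break load balancer
# health probes. Allow the AzureLoadBalancer service tag ahead of the deny.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Allow-LB-Probes')) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-LB-Probes' `
        -Access Allow -Protocol '*' -Direction Inbound -Priority 3900 `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
}
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Deny-All-Inbound')) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' `
        -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
}

# Set-AzNetworkSecurityGroup writes the whole rule set back; it takes effect on
# every subnet and NIC the NSG is associated with, with no redeploy of the service.
$nsg | Set-AzNetworkSecurityGroup |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Run it as `.\Update-NsgClientRange.ps1 -ClientRange 203.0.113.0/24 -Action Add` (or `-Action Remove`); the hypothetical file name is only a suggestion. If the NSG is not yet attached to the subnet, associate it once with Set-AzVirtualNetworkSubnetConfig -NetworkSecurityGroup followed by Set-AzVirtualNetwork. Note the caveat from the container-group thread above: for an ACI container group reached through an Azure load balancer the poster found the subnet NSG was not enforced at all, so in that scenario this script changes the rules but does not change what reaches the container.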
What is the AWS security groups equivalent in Azure?
If there is any in Azure, is this only for the PaaS services or also for IaaS?
According to Amazon EC2 Documentation, a security group is just a single point for firewall settings applied to a given instance:
"A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance."
In Windows Azure you have to set these rules on a per-instance or per-service basis; there is no way to define some rules and apply them automatically to all instances.
But you can use PowerShell cmdlets for automating this task for your services.
Firewall rules apply mostly to PaaS: to your web/worker role services and to SQL Azure. In the case of IaaS there are two sides: your VM with a custom software firewall (depending on your OS etc.) and the endpoints you create and manage in the Azure Portal that relay inbound and outbound traffic to your VM.
Azure Network security groups and other related improvements were announced today:
http://weblogs.asp.net/scottgu/azure-new-marketplace-network-improvements-new-batch-service-automation-service-more
Network Security Group in Azure is the option you are looking for. There is no option to create it directly, but it can be created while creating Virtual Machines and can be associated with multiple Virtual Machines. For more detail:
http://tehcbase.com/aws-security-group-equivalent-in-microsoft-azure/