Public LB configuration for NTP service in azure - azure

I am trying to get the NTP daemon working on my virtual machines in Azure, which are behind a public load balancer for outbound access to the internet.
The NTP service is configured in client mode (the default) and I have allowed outbound UDP 123 access in the security group.
Now, the ntp service is not working unless I configure an incoming UDP 123 rule in my external load balancer to the VMs.
Running ntpdate -dq 0.centos.pool.ntp.org shows that packets are being transmitted, but none are received if there is no LB incoming rule.
Adding the rule fixes the problem, but my concern is that it shouldn't be required at all, since in client mode the ntp service doesn't require inbound connections. Why is the service not working without this rule?

I guess you are using Standard SKU LB.
Standard SKU SNAT programming is per IP transport protocol and derived from the load balancing rule. If only a TCP load balancing rule exists, SNAT is only available for TCP. If you have only a TCP load balancing rule and need outbound SNAT for UDP, create a UDP load balancing rule from the same frontend to the same backend pool. This will trigger SNAT programming for UDP.
From my understanding, any UDP port load balancing rule should work.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#preallocatedports
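The answer above comes down to a configuration audit: for each backend pool, which transport protocols appear in at least one load-balancing rule, and does that set cover every outbound protocol the VMs need? The script below is an added example, not code from the post or from Microsoft. Its rule records are constructed test data whose field names loosely follow `az network lb rule list` output (an assumption, not a guaranteed schema), and the `az network lb rule create` flag names in the suggested fix are believed correct but should be confirmed against `--help` for your CLI version.

```python
"""Audit outbound SNAT coverage of a Standard SKU Azure Load Balancer.

A Standard LB only programs SNAT for the transport protocols that appear in
its load-balancing rules for a backend pool, so a pool with TCP-only rules
gets no UDP SNAT and a client-mode NTP query (UDP/123) leaves the VM but the
reply never comes back. This is an added example; the rule records are
constructed and their layout is an assumption modelled loosely on the
`az network lb rule list` JSON, not a guaranteed schema.
"""

# Shortened placeholder resource ids, not real Azure ids.
POOL_ID = "/subscriptions/<sub>/.../backendAddressPools/vm-pool"
FRONTEND_ID = "/subscriptions/<sub>/.../frontendIPConfigurations/fe-public"

SAMPLE_RULES = [  # constructed: only web traffic was ever load balanced
    {"name": "web-80", "protocol": "Tcp", "frontendPort": 80, "backendPort": 80,
     "frontendIPConfiguration": {"id": FRONTEND_ID},
     "backendAddressPool": {"id": POOL_ID}},
    {"name": "web-443", "protocol": "Tcp", "frontendPort": 443, "backendPort": 443,
     "frontendIPConfiguration": {"id": FRONTEND_ID},
     "backendAddressPool": {"id": POOL_ID}},
]

# Outbound flows the VMs in that pool need, as (protocol, port, purpose).
NEEDED_OUTBOUND = [("Udp", 123, "ntp"), ("Tcp", 443, "https")]


def snat_protocols(rules, pool_id):
    """Transport protocols (upper-case) with SNAT programmed for pool_id,
    i.e. those named by at least one load-balancing rule on that pool.
    A protocol of "All" (HA ports) covers both TCP and UDP."""
    found = set()
    for rule in rules:
        if (rule.get("backendAddressPool") or {}).get("id") != pool_id:
            continue
        proto = rule.get("protocol", "").upper()
        found.update({"TCP", "UDP"} if proto == "ALL" else {proto})
    return found


def missing_snat(rules, pool_id, needed):
    """Outbound flows from `needed` whose protocol has no SNAT for pool_id."""
    have = snat_protocols(rules, pool_id)
    return [flow for flow in needed if flow[0].upper() not in have]


def suggested_rule(flow, rg, lb_name, frontend_name, pool_name):
    """Build the az CLI command that adds a same-frontend, same-pool rule for
    the missing protocol, which is what triggers SNAT programming for it.
    Flag names are an assumption: confirm with `az network lb rule create --help`."""
    proto, port, purpose = flow
    name = f"snat-{proto.lower()}-{purpose}"
    return (
        f"az network lb rule create --resource-group {rg} --lb-name {lb_name} "
        f"--name {name} --protocol {proto.capitalize()} "
        f"--frontend-port {port} --backend-port {port} "
        f"--frontend-ip-name {frontend_name} --backend-pool-name {pool_name}"
    )


if __name__ == "__main__":
    for flow in missing_snat(SAMPLE_RULES, POOL_ID, NEEDED_OUTBOUND):
        print(f"no {flow[0].upper()} SNAT for pool vm-pool: {flow[2]} will fail")
        print("  " + suggested_rule(flow, "rg-ntp", "lb-public", "fe-public", "vm-pool"))
```

Two points worth keeping in mind when applying the fix: the added UDP rule is also an inbound path, but whether anything from the internet actually reaches the VMs on UDP/123 is still decided by the NSG, whose default rules deny inbound traffic from non-VNet sources; and on a Standard LB an explicit outbound rule is the other supported way to get SNAT for a protocol without creating an inbound load-balancing rule for it.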

Related

TCP vs UDP in load balancing rule with Azure Load Balancer

What is the difference between TCP vs UDP in the load balancing rule?
What if UDP in the red box below is selected?
The image above is from https://learn.microsoft.com/en-us/azure/load-balancer/manage-rules-how-to
This can be used either for port swapping or if you need to use port forwarding to keep consistency on your incoming sessions, and so on...
Please take a look at the following URL:
Load-balancing rules are used to specify a pool of backend resources to route traffic to, balancing the load across each instance. For example, a load balancer rule can route TCP packets on port 80 of the load balancer across a pool of web servers.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs

Azure load balancing rule based on source network

Is it possible with the Azure load balancer to create a load balancing rule based on source network? For example:
Connections from 10.1.0.0/16 to port 9000 go to backend port 9100
Connections from 10.2.0.0/16 to port 9000 go to backend port 9200
No, it's not possible because the frontend IP configuration only includes the IP address, protocol, and port. Refer here. Also, if you intend to configure an internal LB, then frontends and backends should be inside a virtual network.
A Load Balancer rule is used to define how traffic is distributed to the VMs. You define the frontend IP configuration for the incoming traffic and the backend IP pool to receive the traffic, along with the required source and destination port.
and
The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load balancing rule.
For more information, you could read multiple frontends for Azure Load Balancer.

Azure outbound traffic is being blocked

I have set up a few VMs and a load balancer so that we can have one outgoing IP. Right now I am having issues connecting to the internet from inside my VM. If I open Internet Explorer and try to access a website, it shows "waiting for reply" and then "This page can't be displayed".
Each VM is connected to the same subnet.
The subnet has an NSG attached to it and each VM is part of the subnet.
There is then a load balancer to allow incoming RDP, but with different ports to the different VMs.
I think I am missing the SNAT but I have no idea where to configure that. From what I have read, I am using level 2, "Public Load Balancer associated with a VM (no Instance Level Public IP address on the instance)": multiple VMs on a subnet and one load balancer to share one IP address.
Where do I actually go to set up the SNAT? Or is there another issue I am missing here?
Probably you could add load balancing rules for TCP port 80 or 443 instead of inbound NAT rules. NAT rules are always used for port forwarding. Moreover, you do not need to add NAT rules for DNS. This works on my side.
A load balancer rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports.

Create UDP listening service on Azure Service Fabric

I have created a simple service for receiving UDP packets and am trying to deploy in Service Fabric.
When running locally, I am able to spam packets to the service (running in a local SF cluster), but when deployed to Azure the service, and even the VM, does not receive the UDP packets.
I even RDPed into the VM and installed Wireshark; my packets weren't present.
I did the same with a standard Windows DC VM, and was able to see the packets arrive.
Clearly there is an issue with the firewall which is configured upon creation of an SF cluster.
PS: I have followed the steps here https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-and-communicate-with-services to ensure that the LB rule is set to UDP (as it is not an option upon creation).
EDIT - Note I also followed the advice on this question: Service Fabric Stateless Server Custom UDP Listener
So it turns out that modifying an existing Load Balancer rule does not change the protocol on the firewall (speculation).
I created a NEW Load Balancer rule with the appropriate protocol/port and traffic was flowing.
Modifying an existing Load Balancer rule to change it to the appropriate protocol does not work, and traffic ends at the firewall.

Azure Scale Set: NAT rule not working

I have created a VMSS with a load balancer (LB).
Now there is only one VM with a Node.js application running in it and listening on port 80.
I have allowed port access on the VM firewall (inbound + outbound).
I have added an inbound LB NAT rule on port 80 through the portal. However, after saving, it does not show up.
Now I cannot access my application with the public IP or DNS name.
What is wrong with my approach?
How can I do this with the portal or PowerShell?
I would not like to recreate the scale set.
Finally I made it work through the portal. In fact the scale set has an inbound NAT rule and load balancing rules. Allowing firewall port access and NAT rules are OK for this scenario but not enough: a load balancing rule on port 80 needs to be added. Before the load balancing rule is added, a probe should be added first.
In short, here are the steps:
Firewall access on port 80
Inbound NAT rule (under load balancer) access on port 80
Probe access on port 80
Load balancing rule on port 80 (needs a probe)
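The four steps above are easy to check mechanically before touching the portal again. The script below is an added example, not code from the post; its two configuration dicts are constructed (the "before" state the question describes and the state after the answer's steps were applied), and their layout is an assumption rather than the portal's or the az CLI's output format.

```python
"""Check the answer's four steps for reaching a scale-set instance through
its Azure Load Balancer on a given port. Added example, not from the post;
the config dicts are constructed and their shape is an assumption."""

# Constructed: the state in the question, before the fix.
BEFORE = {
    "guestFirewall": [("Tcp", 80), ("Tcp", 3389)],  # ports opened in the VM's OS firewall
    "inboundNatRules": [
        {"name": "rdp-0", "protocol": "Tcp", "frontendPort": 50001, "backendPort": 3389},
    ],
    "probes": [],
    "loadBalancingRules": [],
}

# Constructed: after the answer's steps were applied in order.
AFTER = {
    "guestFirewall": [("Tcp", 80), ("Tcp", 3389)],
    "inboundNatRules": [
        {"name": "rdp-0", "protocol": "Tcp", "frontendPort": 50001, "backendPort": 3389},
        {"name": "web-0", "protocol": "Tcp", "frontendPort": 80, "backendPort": 80},
    ],
    "probes": [{"name": "probe-80", "protocol": "Tcp", "port": 80}],
    "loadBalancingRules": [
        {"name": "web", "protocol": "Tcp", "frontendPort": 80, "backendPort": 80,
         "probe": "probe-80"},
    ],
}


def inbound_gaps(cfg, port, protocol="Tcp"):
    """Return the answer's steps that are still missing for protocol/port,
    in the order the answer lists them; an empty list means all four hold."""
    proto = protocol.upper()
    gaps = []
    # 1. guest OS firewall must allow the port
    if not any(p.upper() == proto and pt == port for p, pt in cfg["guestFirewall"]):
        gaps.append(f"guest firewall does not allow {proto}/{port}")
    # 2. inbound NAT rule to that backend port (listed by the answer)
    if not any(r["protocol"].upper() == proto and r["backendPort"] == port
               for r in cfg["inboundNatRules"]):
        gaps.append(f"no inbound NAT rule to backend {proto}/{port}")
    # 3. a health probe on the port, created before the rule that needs it
    probe_names = {p["name"] for p in cfg["probes"] if p["port"] == port}
    if not probe_names:
        gaps.append(f"no health probe on port {port}")
    # 4. a load-balancing rule for the port that references such a probe
    rules = [r for r in cfg["loadBalancingRules"]
             if r["protocol"].upper() == proto and r["backendPort"] == port]
    if not rules:
        gaps.append(f"no load-balancing rule for {proto}/{port}")
    elif not any(r.get("probe") in probe_names for r in rules):
        gaps.append(f"load-balancing rule for {proto}/{port} does not reference "
                    f"a probe on port {port}")
    return gaps


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, inbound_gaps(cfg, 80) or "all four steps present")
```

The NAT-rule check is included because the answer lists it as a step; it is the probe-backed load-balancing rule in step 4 that makes the public IP answer on port 80, which is why a rule whose probe field is empty is reported as a gap rather than accepted.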