I am trying to diagnose a possible TLS 1.2 vs 1.0 issue. We have an Azure subscription with the following Network Security Group, Application Gateway, and Application Services. We have white listed IPs in the NSG and require TLS 1.2 in the AG. We have an issue from one partner that is hitting our API. Transactions from one of their data centers work and transactions from another are not making it to the API.
We have white-listed both data centers. We have enabled a Network Watcher in Azure with flow logging and can confirm that we are receiving the requests from both datacenters. Logging shows all traffic is to port 443. We suspect that one datacenter is using TLS 1.2 and the other is not.
Is there any way to log which version of TLS is used by a request?
Related
I’m playing with Microsoft Azure Service Fabric, but I'm having some problems reaching the services from internet.
My situation:
I Created the Service Fabric cluster:
Windows Server 2016 Datacenter.
Node type count: 1.
Custom Endpoint: empty.
“Enable reverse proxy” flagged.
All my services are developed base on .NET Core 2.1, REST API.
Using a web browser, all the services work fine locally (with Service Fabric Local Cluster and Azure Storage Emulator or Azure Storage). Then I published the application to the Azure cluster but I can not reach any of the service from internet.
Question
How can I setup the environment so to reach the services from internet?
I read some docs:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-and-communicate-with-services
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reverseproxy
One of the service in the ServiceMnifest.xml file has the following configuration:
<Endpoint Protocol="http" Name="ServiceEndpoint" Type="Input" Port="8939" />
So, I added the following configurations in the load balancer:
Health probes: added a configuration for the 8939 port.
Load balancing rules: added a configuration for an 8939 => 8939 TCP passthrough using the previous health probes configuration.
But when I try to reach it from browser I get a timeout.
Any suggestion is appreciated.
Regards,
Attilio
So if you have the reverse proxy enabled, and want to use that the endpoint on port 8939 is not interesting as you should access the reverse proxy using the proxy url
As pointed out in the comments the format is http://[FQDN]:[ReversPoxyPort]/[ApplicationName]/[ServiceName]/[Controller] and typically the port is 19081 so the url becomes something like myawesomeservicefabric.westeurope.cloudapp.azure.com:19081/FabricApp1/Service1/Values
As with all other things the port should be configured in the load balancer with a probe and a rule.
I am not sure what the portal does with clusters now a days, but at some point it configured a network security group which might also be the cause of your issues.
RDP into the machine and test the endpoint on localhost. If it doesn't work, it's likely an application error.
Verify the firewall settings, for a rule for incoming traffic on port 8939.
Enable logging on the Azure Load Balancer to see if the health probe detects the endpoint.
I'm taking my first foray into Azure Service Fabric using a cluster hosted in Azure. I've successfully deployed my cluster via ARM template, which includes the cluster manager resource, VMs for hosting Service Fabric, a Load Balancer, an IP Address and several storage accounts. I've successfully configured the certificate for the management interface and I've successfully written and deployed an application to my cluster. However, when I try to connect to my API via Postman (or even via browser, e.g. Chrome) the connection invariably times out and does not get a response. I've double checked all of my settings for the Load Balancer and traffic should be getting through since I've configured my load balancing rules using the same port for the front and back ends to use the same port for my API in Service Fabric. Can anyone provide me with some tips for how to troubleshoot this situation and find out where exactly the connection problem lies ?
To clarify, I've examined the documentation here, here and here
Have you tried logging in to one of your service fabric nodes via remote desktop and calling your API directly from the VM? I have found that if I can confirm it's working directly on a node, the issue likely lies within the LB or potentially an NSG.
I'm settings up a Service Fabric cluster in Azure and want to run a web API (using .NET Core) over https. I want to use my CA-signed wildcard (*.mydomain.com) certificate to access this API. But I'm a bit confused as to where I use it when I create the cluster, is it the cluster or client certificate? I'm thinking the client certificate, but the documentation states that this is for admin tools (i.e. the Explorer), so I'm unsure on how to proceed.
And yes I've read a ton of posts and resources, but I still find this confusing.
There are three certificate types. Here is a summary overview of them.
The Cluster certificate is used for the Explorer endpoint and is deployed to the primary nodes. So if you add your *.mydomain.com wildcard cert there, and CNAME something (e.g. manage.mydomain.com) to [yourcluster].[region].cloudapp.azure.com, then when you hit your management endpoint that cert will be what will be presented to the web browser.
The Reverse Proxy SSL certificate is deployed to each of the nodes and is used when using the built-in reverse proxy feature of Service Fabric. In this case this is what is being used when you hit https://api.mydomain.com/YourAppName/YourService/Resource (where api.mydomain.com is another CNAME to yourcluster.region.cloudapp.azure.com). This is used as an alternative to running your own reverse proxy or other offloading layer (Application Gateway, IIS, nginx, API Management, etc).
The Client certificates are used in place of Azure Active Directory authentication to the management endpoint. So instead of managing users in AAD (with the _Cluster AAD application and the Admin / Read-Only roles), you manage access by handing out management certificates (Admin or Read-Only) to your trusted users.
You can also have secondaries these certificates to use in certificate rollover situations.
The way we are using it is to have Application gateway configured in front of service fabric cluster, and web certificate is uploaded to Application Gateway (and dns is pointing to application gateway) In that scenario SSL is terminated at application gateway.
Another possibility is to terminate SSL at each node in service fabric cluster, in this scenario you would need to ensure that certificate gets deployed to each of the nodes.
As for cluster vs client certificate dilemma, I am also confused, but I think the answer is neither. Client certificate is not for sure since this certificate is used to identify you as admin when running service fabric admin ps scripts.
I do not think it is cluster certificate either, here is what MS docs say what it is used for:
Cluster and server certificate is required to secure a cluster and prevent unauthorized access to it. It provides cluster security in two ways:
Cluster authentication: Authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster.
Server authentication: Authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster. This certificate also provides an SSL for the HTTPS management API and for Service Fabric Explorer over HTTPS.
as far as I am reading into it, this certificate is used for internal cluster authentication, and it is also used so your management tools can be asured that they are working with right cluster.
I have two VMs with IIS that host my application with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application - on NetScaler (or some other load balancer) I'd simply put serialized client certificate into HTTP Header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment thats not possible, but is in the pipeline of product development of the azure product team.
We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that look like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months.