Azure Application gateway : HostName Mystery - azure

Suppose I have a VM with following property
FQDN :trialinstance.westus.cloudapp.azure.com
Public IP : XXX.XXX.XXX.XXX
Private IP : YYY.YYY.YYY.YYY
as it is an linux VM, output of 'hostname -f' command is
trialinstance.somerandomguid.dx.internal.cloudapp.net
now I need some help in understanding these :
what will be the value for Target field in BackendPool ?
What will be the hostname ?
How setting 127.0.0.1 works as hostname ??
Azure documentation and explanation is very very inadequate :(

what will be the value for Target field in BackendPool ?
If your Linux VM and application gateway are in a same Vnet, you could use your VM's private IP.
If your VM and application gateway are not in a VNet, you should use VM's public IP or FQDN trialinstance.westus.cloudapp.azure.com.
More information about this please refer to this link.
What will be the hostname ?
You should know how heath probe works, custom probe is indeed not used for any DNS name resolution or for any network routing. Instead, the probe "knows" which backend server pool to hit through the custom probe’s association with specific Backend HTTP Settings, which are in turn associated with one or many Backend Pools through one or many Routing Rules.
If multi-site is not configure, you could set it 127.0.0.1. See this link.

Related

Azure Virtual Machine cannot resolve DNS entry of Application Gateway

I have the following situation:
If I deploy an application (Deployment, Service and Ingress) in my kubernetes cluster, my ingress deployment is being automatically added to my application gateway (I am using the Azure Application Gateway Ingress Controller; https://azure.github.io/application-gateway-kubernetes-ingress/annotations/ ). So far so good.
That means that my application can be reached via my application gateway via https://my-app-gateway-public-ip/myAppPath/. Also, I have an additional private DNS zone which makes my app accessible via https://dns-name/myAppPath.
Additionally, we have an AADDS in combination with a Bastion Service. Deployed some virtual machines and the virtual machines use the DNS resolver of the AADDS (for authentication against the AAD).
The problem is: If I am outside of the cloud, I can nslookup the dns or can access the site via the ip, but I cannot do that with my virtual machines. My DNS server (within the AADDS) is unable to resolve the dns or accessing the ip. I am wondering what the issue is.
The bastion and AADDS are in different subscriptions and therefore different virtual networks. I established already a peering between those virtual networks (or the authentication between the AADDS and the VMs wouldn't work).
The kubernetes cluster and the application gateway are also in a different subscription, but no peering has been done so far.
Are there any hints what I could be missing?
Kind regards
• Since, you are using a Bastion gateway server to connect to the VMs hosted in your subscription, the Bastion gateway server must be having a public IP address through which then the registered underlying VMs can be connected to via private links created in the private DNS zones associated with a particular virtual network in a subnet and an assigned private IP address and a FQDN accordingly. Thus, if you want to access the application website hosted behind the application gateway, then you will have to create a conditional forwarder in the DNS zone in AADDS to redirect the internal requests from the VMs hosted within a virtual network to the public IP address of the website hosted behind the application gateway
• Thus, a conditional forwarder forwards the DNS resolution requests for a particular resource hosted on the public internet for which the DNS host resolution is not found or done in that DNS zone which usually serves or fulfils the requests related to internal environment. As a result, when a VM configured with a private IP is registered as a host in the internal DNS zone queries the public IP or FQDN associated with the application’s website, the DNS requests are forwarded to the public internet through the conditional forwarder and then the results are displayed in the VM’s browser for the application’s webpage. Thus, the VMs don’t need to have internet access but the DNS server should have or should forward the requests through the Internet proxy server accordingly to reach the internet.
For more information on creating conditional forwarder in AADDS, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders

Azure URL app service not working in vnet with private endpoint

Hi currently I have setup a VNET.
Inside this vnet I made a VM and I added an App-Service in the subnet with an private-endpoint.
The private-endpoint of the App-Service is also automatically added to a privatelink DNS zone. (Azure created this automatically for me) It also points correctly to the right internal ip address.
Now from within my VM I try to access my AppService using curl and using the created .privatelink.azurewebsites.net link to the AppService. But it keeps returning 404.
How is this possible. My knowledge of DNS is limited.
If I do a NSLOOKUP inside the VM, it nicely resolves the privatelink DNS Name and finds the private-endpoint ip address
What am I missing?
Update
When I keep using the original azurewebsites.net xxxxxxx.azurewebsites.net (not the privatelink) URL I can access the appservice from within the VNET.
If I am on the VM, and I do a lookup of the original URL I get this.
Non-authoritative answer:
xxxxxxxxx.azurewebsites.net canonical name = xxxxxxxxx.privatelink.azurewebsites.net.
Name: xxxxxxxx.privatelink.azurewebsites.net
Address: 10.1.1.4
So there is some magic behind the scenes?
When you create a public Azure App Service "xxxxxxxxx", beside provisioning the app service environment also a DNS entry for this new service will be created in one of Microsoft's authoritative DNS servers (they are usually named like ns1-xxx.azure-dns.com) ultimately pointing to the public IP address of the server where your your app service is hosted.
If you add a private endpoint for your app service, the DNS entry in these servers won't be removed. Instead what's happening is that internet access to your web app is cut off using firewall rules.
This means if you type in "xxxxxxxxxx.azurewebsites.net" in your browser outside the VNet, a DNS query is sent and the public IP address of the server is returned. Your browser sends a HTTP query to that IP address but will get a HTTP status code 403 indicating that public traffic is blocked.
Inside your VNet the situation is different. As you described you got a private DNS zone "privatelink.azurewebsites.net" which is linked to the VNet (you can see that in the "Virtual network links" section)
If you now type "xxxxxxxxxx.azurewebsites.net" in a browser in your VM which is placed in the same VNet as xxxxxxxxxx.azurewebsites.net, the DNS server associated with the network adapters (by default accessible in your VM through 168.63.129.16) will use the entries placed in the private DNS zones. If a zone named "privatelink.azurewebsites.net" exists, all queries for the domain "azurewebsites.net" will be resolved using this private DNS zone. For example, if there is an A record entry for "xxxxxxxxxx" for 172.16.0.5...
...this is exactly the IP you'll get when you resolve xxxxxxxxxx.azurewebsites.net in your Azure VM:
C:\Users\vm>nslookup xxxxxxxxxx.azurewebsites.net
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: xxxxxxxxxx.privatelink.azurewebsites.net
Address: 172.16.0.5
Aliases: xxxxxxxxxx.azurewebsites.net
If you delete your private DNS zone, the DNS server will resolve back to ns1-xxx.azure-dns.com which in turn will give you the public IP of the service:
C:\Users\vm>nslookup xxxxxxxxxx.azurewebsites.net
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: waws-prod-am2-459-d21a.westeurope.cloudapp.azure.com
Address: 20.50.2.66
But since the app service still has firewall rules applied that block all traffic coming from outside the VNet, you will get a HTTP status code of 403 if you try to access the service over a browser.
See also: https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint#conceptual-overview

Azure Private Endpoint - Listening restrictions

I'm experiencing some deeply frustrating issues when trying to connect to a SQL server Private Endpoint. Setting aside for a moment a complete specification of the problem, I'd like answers to the following questions
Is it the case that a SQL Server Private Endpoint will only listen to connections from an Azure Virtual Machine? I have seen it suggested by 3rd parties that this is the case but cannot find this explicitly documented by MS. (To clarify, if only VMs can connect, then this would mean, for example, that an Azure Load Balancer could not use Private Endpoint as a backend resource; and, for example, that an on-premise VM could not connect to a Private Endpoint through a VPN - is that correct?)
Presuming the answer to the above question is Yes, then does the restriction apply such as to prevent Private Endpoint from listening to connections forwarded from an Azure VM interface?
(For example, say a firewall in a VM in Azure. Inside the firewall VM, the IP 192.168.0.10 is configured. In Azure, the VM interface is associated with only a single IP address which is IP 192.168.0.6. In this scenario, the firewall VM will respond to ARP requests with ARP responses saying "I have 192.168.0.10", but 192.168.0.10 is not associated by Azure configuration with any Azure virtual network interface. In said case, will a connection to the Private Endpoint using source address 192.168.0.10 work? Or is it the case that the PE will listen for connections only with a source address 192.168.0.6?)
To answer your questions:
It's possible that use a private endpoint as backends in the Azure Load balancer because Azure LB supports NIC or IP address as the backend target. Also, the on-premise VM surely can connect to a private endpoint through VPN tunneling, read this document for more details.
A VM by default sends all outbound traffic to the IP address that's assigned to the primary IP configuration of the primary network interface. So it will use source address 192.168.0.6 when connecting to the private endpoint. Read the network interface constraints.

Azure Container Instance not using public IP

Tldr:
The issue is that the IP address the agent uses doesn't match the public IP address attached to the container Instance. It's like it is using some hidden internal IP address that isn't visible to an end user.
Background:
I setup a self-hosted DevOps agent in an Azure Container Instance. I added a public IP so I could whitelist it in my subscription, and the DevOps agent would have access to alter resource per Terraform templates.
Problem:
The agent is unable to alter resources that have firewall rules, despite adding the container Instance IP to the whitelist. The error message states failure due to network access from an unapproved IP address. The issue is that the IP address the agent uses doesn't match the public IP address attached to the container Instance. It's like it is using some hidden internal IP address that isn't visible to an end user.
Anyone encountered this before? The whole reason I decided on a self-hosted agent was to avoid the IP hopping problem caused by using DevOps hosted agents.
I just tried with a simple curl container, outgoing IP is different with the IP the container is exposed on. This is something I'd expect to see as well (I believe it would be using Kubernetes underneath). Nothing you can do about that.
You can create a container in the VNet, hence you won't need to whitelist random IP addresses. or you can just create a VM assign a Public IP to it and whitelist that IP (that will always work).

Azure DNS zone record not resolving to specified IP from App service to Virtual Machine

I followed the documentation guide here to configure an Azure DNS zone for a virtual network.
I then created a virtual machine on that virtual network and provisioned a virtual network gateway to allow my Azure web apps to communicate with the virtual machine using VNet integration. My web apps are then able to resolve against the virtual machines private IP as expected.
I then created an 'A' type record set within the DNS zone resolving a service name against the private IP of the virtual machine just like here.
However, when I then attempt to access the DNS configured service name that should resolve against the private IP address of the virtual machine, I get the following error:
curl: (6) Could not resolve host: xxxx.local
Am I missing something obvious here?
I can not reproduce this error following your steps:
Create an Azure VNet with a DNS private zone like private.test.com.
Create a VM and a VPN gateway on that VNet.
Enable VNet integration with my Azure web app service.
My web apps are able to resolve against the virtual machines private IP as expected. This could verify the Azure private DNS zone should work. Then I also create an A record for a custom name against the VM private IP address. Both scenarios work.
You could check if an A record is something like below picture in the private DNS zone.
Then you could verify if curl with http:// or without that, or without the specific port 9200, the error is still the same.
I suggest using SET WEBSITE_DNS_ command. This command will output the current DNS server that is being used by the web app. If the error Environment variable WEBSITE_DNS_ not defined is received, no custom DNS servers are configured for the web app. See more details about networking Related Commands for Azure App Services.

Resources