Accessing Azure Virtual machine behind proxy / firewall - azure

I have created a Windows 2016 data center on Microsoft Azure cloud. I also downloaded its RDP file. However, when I try to access it from my organization I get the error below (of course, the organization uses a proxy/firewall). When I access it from my home internet, I can access the VM successfully.
Currently the networking of the VM has below setting:
Please help to access the azure VM via proxy.
Edit:
Got a few great answers. However, being a trainer, I need to keep creating and deleting the VMs on a day-to-day basis, hence requesting the network admin to add a particular VM IP to the exception list won't help. Is there any other way possible?

Go with Jason's suggestion. Your network admin needs to configure the corresponding rules for the firewall or proxy. What you need to tell the network admin depends on your setup:
If you are dealing with one VM only, then you could either configure the public IP that is assigned to the VM as static and ask the network admin to allow RDP to that IP address, or, alternatively,
if you would like to save costs for the public IP and your organisation's proxy/firewall is capable of working with DNS names, then you could assign a DNS name to the public IP and let the network admin know the DNS name. The DNS name would be something similar to this: myazurevmname.azurelocation.cloudapp.azure.com
If you are planning to access several VMs in Azure, you can either repeat the above steps for each of the VMs or you may want to think about establishing a point-to-site VPN from your local computer, which would remove the need for assigning public IP addresses to each of the VMs. The network setup in Azure will be more complex upfront, but it may be worth the effort. However, this will be a separate discussion.
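The first two options, sketched with the Az PowerShell module as an added example (not part of the answer above). It assumes a Resource Manager VM with an existing NIC; every name, the region and the 203.0.113.10 address are constructed placeholders. The NSG rule that limits RDP to the organisation's egress address is an addition, so that the static address is not reachable on 3389 from the whole internet.

```powershell
# Added example; all names and addresses below are hypothetical placeholders.
$rg        = 'training-rg'
$location  = 'westeurope'
$label     = 'myazurevmname'      # yields myazurevmname.westeurope.cloudapp.azure.com
$orgEgress = '203.0.113.10/32'    # constructed: the organisation's outbound NAT address

# Static public IP with a DNS label, so the admin can allow either the IP or the name.
$pip = New-AzPublicIpAddress -Name 'training-vm-pip' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -DomainNameLabel $label

# Allow inbound RDP only from the organisation's egress address.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Org' `
    -Description 'RDP from corporate egress only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $orgEgress -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name 'training-vm-nsg' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rdpRule

# Attach the public IP and the NSG to the VM's existing NIC.
$nic = Get-AzNetworkInterface -Name 'training-vm-nic' -ResourceGroupName $rg
$nic.IpConfigurations[0].PublicIpAddress = $pip
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Values to hand to the network admin for the proxy/firewall exception.
[pscustomobject]@{
    Fqdn = $pip.DnsSettings.Fqdn
    Ip   = $pip.IpAddress
    Port = 3389
}
```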

You could set up TeamViewer as a service(!) on your VM and then connect to it with TeamViewer from your company PC. It'll be a bit laggy but you'll get used to it.
Use this tutorial to set up teamviewer

It seems your organization's network blocks it; you should contact your network admin to add it to the firewall/proxy.

Related

Best network design for company with remote offices that need to go through 1 public facing interface

I received a call from a business owner. One of his services will only license and whitelist one public IP; well, he has three locations. When I got involved they were trying to spin up an OpenVPN appliance and have site-to-site VPNs to the remote locations. Well, the remote locations have FortiGate firewalls and this will not work, I believe, with the SSL VPN of OpenVPN.
I would like to recommend something with Azure or AWS but I am unclear on the best VPN setup with Azure. Essentially he will need all remote sites exiting to the internet through Azure.
Late last night tried to test with AWS VPC and a VPN back to the fortigate. Client later expressed he would rather not use AWS.
Also recommended this https://forum.fortinet.com/m/tm.aspx?m=148626&p=
but he did not want to bottleneck one of his locations
All sites exiting Azure out of one IP address
If you have 3 sites in Azure, you can make all 3 sites exit Azure with one VPN gateway IP for the same destination.
You need to configure VNET-to-VNET peering and enable Gateway Transit to make it work. Can you also elaborate your ask here with a network diagram?

Can't access my website in Network from VM

I deployed a testing website on my host and want to access it from a VM.
I set up a network connection and both are connected to a home group.
I can share files from one to another using a shared folder.
I assigned an IP to my website so that I may be able to access it using its IP.
When I browse locally using the IP, it runs perfectly.
But when I browse from the VM, it gives me the error "This site can't be reached".
In your VM environment, you need to check networking configurations and permissions.
Could be a lot of things; if you could add a picture it would be easier to tell you. If you can't, see if your connection is bridged or not.
Also, a good thing to check is that your router has an open port for your VM and allows another connection inside your subnet.
The problem is solved. I dug around and took 3 steps, and my issue is solved.
I turned off my Windows firewall on the host.
Authentication:
i) In IIS I clicked on Authentication.
ii) Anonymous Authentication enabled.
IP Address and Domain Restrictions:
In IIS, click on IP Address and Domain Restrictions and add the IP address of the VM or any PC from where I want to access.
And now it worked.

Point Azure VM to Local DNS

I feel like I may be trying to sprint before I can even walk here, but I'm getting there! I've got a VM on Azure that I want to be able to access a local fileserver from. We have the following setup:
$COMPANY.net is the local domain, $COMPANY.com is the Azure domain. They are connected using Azure AD Connect, and the VM on Azure is using AADDS; we have a site-to-site VPN set up between Azure and our local network. I can put in the IP address of the local fileserver and reach it from the Azure VM, but I can't resolve the name if I try that. I believe it is a DNS problem; I need the Azure VM to use my local DNS server to resolve the host name rather than the AADDS addresses. Do I need to set up a DNS server on Azure that will point the requests to my local DNS, or is there another way?
Thank you!
You can specify a DNS server for your Azure VM to use. The doc is quite large: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md
Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure provides the ability for you to use your own DNS servers.

Adding existing Azure VMs (classic) to a virtual network

On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM, my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same LAN, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with each other via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess I'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the Virtual Network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/

Statically configured NICs lose all settings when I turn Azure machines back on

I configured two AD controllers and a WINS server in Azure, each with static IPs, and then turned them off for the weekend. Now that I turn the machines back on, all of the NICs are set up to obtain an IP automatically.
When I go back into the NIC and reconfigure it for a static IP, I get an error message that the IP address I entered for the network adapter is already assigned to another adapter which is no longer present in the computer. Then it asks me if I want to remove the static IP configuration for the absent adapter.
What is happening here? Is there something I am configuring incorrectly that forces my configured static NICs to change? Do I want to answer yes and reconfigure the card yet again, or is there a better way to go about this?
Thanks.
I'm going to answer my own question just in case someone is doing a network search looking for an answer and winds up here.
The issue centers on, for me at least, the differences between what is required for setting up bare metal AD environments as opposed to AD environments in Azure. In bare metal we are used to configuring inside of the NIC. In Azure, you work in two places. You create your ADs with DNS and then you use the Azure PowerShell to configure the AD controller's static IP and then you go back to your virtual network and register the DNS servers that were created.
There are some things happening behind the scenes in Azure that make this work. So, just create your ADs with DNS. Get the IP that was assigned by DHCP and register it with the Azure PowerShell and then list the name of the AD and its IP in the virtual network and you are done.
Hope this helps.
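An added example (not from either poster) of the flow described in this answer, which also covers the "use your own DNS servers" setting from the Point Azure VM to Local DNS answer further up: pin the DHCP-assigned address on the Azure side, then register the addresses as the virtual network's DNS servers. It assumes a Resource Manager deployment and the Az PowerShell module, whereas the original setup may have been classic; the resource group, NIC and VNet names are hypothetical.

```powershell
# Added example; resource names are hypothetical placeholders.
$rg       = 'ad-rg'
$nicNames = 'dc01-nic', 'dc02-nic'   # NICs of the two AD/DNS controllers
$vnetName = 'ad-vnet'

# Step 1: leave the guest NIC on "obtain automatically" and make the address
# Azure already handed out permanent on the Azure NIC object.
$dnsServers = foreach ($name in $nicNames) {
    $nic = Get-AzNetworkInterface -Name $name -ResourceGroupName $rg
    $cfg = $nic.IpConfigurations[0]
    if ($cfg.PrivateIpAllocationMethod -ne 'Static') {
        $cfg.PrivateIpAllocationMethod = 'Static'   # keeps the current PrivateIpAddress
        $nic | Set-AzNetworkInterface | Out-Null
    }
    $cfg.PrivateIpAddress                           # collected for step 2
}

# Step 2: register those addresses as the VNet's DNS servers, so every VM in
# the VNet receives them through Azure's DHCP instead of a hand-edited NIC.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if ($null -eq $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($dnsServers)
$vnet | Set-AzVirtualNetwork | Out-Null

# Show what the VNet will now hand out.
(Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg).DhcpOptions.DnsServers
```

Running VMs pick up the new DNS server list only after a restart or a DHCP lease renewal.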
