Create HTTPS endpoint for Azure Virtual Machine - azure

I have created a virtual machine in Azure and enabled the IIS role.
I have created the appropriate firewall rules to allow me to browse to a website that I have set up in IIS over HTTP.
However, despite having created the bindings and firewall rules to enable HTTPS, I am unable to browse to the same website over HTTP.
I have been reading that I need to create an HTTPS endpoint for Azure to route any requests on port 443 to my site.
Does anyone know how to do this in the new portal?
Thanks,
Sean

By default, when you create a VM, only port 3389 (RDP) is opened. You will need to add any additional ports that you need to the Network Security Group.
Here is an example of how to add an NSG inbound rule to allow traffic on port 80 (HTTP), but you can use the same steps to allow traffic on port 443 (HTTPS):
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal

Ok, so I have got this working, so I will document the steps that I went through in order to get this to work:
1. Create a public IP address in the Azure portal.
2. Assign a ‘cloudapp.azure.com’ DNS name to the IP address.
3. Associate the IP address with an Azure network interface (this network interface may be attached to a VM or an App Service – in our case, it’s a VM).
4. Create an HTTP endpoint in IIS and set the host name in your bindings to the ‘cloudapp.azure.com’ DNS name and the IP address to the IP address created in step 1.
5. Create an HTTPS endpoint and select your wildcard server certificate as the SSL certificate.
6. Create a ‘CNAME Record’ entry in your DNS configuration where the host is your custom DNS name and the target is the Azure DNS name.
7. Open a web browser and browse to your custom DNS name via HTTPS and ensure that the website displays the server certificate.
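The same steps scripted with Azure PowerShell (Az module) and the IIS WebAdministration module, as an added example that is not part of the original answer. The resource names (rg-web, web-nic, web-nsg, web-pip), the DNS label mysite-demo and the wildcard certificate subject *.example.com are assumptions; the Azure part runs from a workstation, the IIS and firewall part runs inside the VM. Because Azure translates the public IP to the NIC's private address, the IIS bindings deliberately use "All Unassigned" rather than the public IP.

```powershell
# --- Azure side (workstation with the Az module, already logged in) ---
$rg = 'rg-web'; $loc = 'westeurope'      # assumed resource group and region
$label = 'mysite-demo'                   # assumed DNS label -> mysite-demo.westeurope.cloudapp.azure.com

# Steps 1-2: public IP with a cloudapp.azure.com DNS name
$pip = New-AzPublicIpAddress -Name 'web-pip' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard -DomainNameLabel $label
$pip.DnsSettings.Fqdn                    # the name to put in the CNAME target (step 6)

# Step 3: attach the public IP to the VM's network interface
$nic = Get-AzNetworkInterface -Name 'web-nic' -ResourceGroupName $rg
$nic.IpConfigurations[0].PublicIpAddress = $pip
$nic | Set-AzNetworkInterface | Out-Null

# NSG: allow only TCP/443 from the Internet; RDP keeps its own, separate rule
$nsg = Get-AzNetworkSecurityGroup -Name 'web-nsg' -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-In' -Priority 310 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 |
    Set-AzNetworkSecurityGroup | Out-Null

# --- Inside the VM (RDP in, elevated PowerShell) ---
Import-Module WebAdministration
$site = 'Default Web Site'
$fqdn = 'mysite-demo.westeurope.cloudapp.azure.com'   # the DNS name created above

# Step 4: HTTP binding on the host name; no -IPAddress, so it binds to "All Unassigned"
New-WebBinding -Name $site -Protocol http -Port 80 -HostHeader $fqdn

# Step 5: HTTPS binding; SslFlags 1 enables SNI so the host name selects the certificate
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.example.com*' } |   # assumed wildcard certificate
    Sort-Object NotAfter -Descending | Select-Object -First 1
$binding = Get-WebBinding -Name $site -Protocol https -HostHeader $fqdn
$binding.AddSslCertificate($cert.GetCertHashString(), 'My')

# The Windows Firewall must allow 443 as well as the NSG
New-NetFirewallRule -DisplayName 'Allow HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Step 7 check, run from outside the VM: does TCP/443 answer on the public name?
Test-NetConnection -ComputerName $fqdn -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

After the CNAME at your DNS provider resolves, repeat the check with your custom name and confirm in the browser that the wildcard certificate, not a default IIS certificate, is presented.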

Related

Azure: Application gateway listeners based routing. A communication error occurred: "Operation timed out"

We have configured listeners, added the rules and uploaded the SSL certificate in the Azure portal,
but the server is not hitting the URL. Please suggest if there are any settings I missed configuring to enable the listener-based routing.
When you access a host name via the App Gateway, DNS resolves that host name to the public IP address of the App Gateway (which should be configured as a CNAME in your DNS or local hosts file), and then the App Gateway uses that host header to find the associated listener. Once it finds the correct listener, it checks the associated rule and uses the configured HTTP settings to direct the traffic to the configured backend service.
Without the CNAME mapping in your DNS, the application gateway will not be aware of the host name/domain name that you are using to access the site.
If you have not created a CNAME mapping to your Application gateway's IP in your DNS, you can also make use of host files in your local machine for the name resolution as part of testing.
Reference : https://learn.microsoft.com/en-us/azure/application-gateway/create-multiple-sites-portal#edit-your-hosts-file-for-name-resolution

Access IIS https website from outside network

Currently I have an https website set up locally on the Azure VM with a custom hostname, <websitename>.<domainname>.com, bound to the localhost address 127.0.0.2 in the hosts file on port 443.
Consider the example hostname web.microsoft.com.
Website bindings in IIS are:
type: https
hostname: web.microsoft.com
port: 443
IP Address: 127.0.0.2
Hosts file:
127.0.0.2 web.microsoft.com
In order to access it locally on the VM itself https://web.microsoft.com/admin/login.aspx works fine.
Port 443 is open on the Azure VM and an inbound firewall rule is set in Windows to allow connections on 443.
If I try to access it from outside the network using the public IP address, this doesn't work,
e.g. https://45.60.200.110/admin/login.aspx.
I have other non-https websites which work fine and can be accessed through the public IP; the only difference is that they do not have a hostname in the IIS website bindings.
Am I missing something or do I need to make some additional config?
That's the problem.
The customized hostname cannot be accessed through the external network, because the public network does not know this hostname, nor does it bind the hostname to your IP.
For example, you can enter any other custom host name at will in the browser, and you will find the same error displayed.
The solution is that you need to purchase an available public domain name from a domain name provider and bind it to the IP address.
If you insist on using a custom domain name, it can only be used on the internal network. In addition to the configuration made on the server side, it is also necessary to add the host name and IP address to the hosts file of the client machine:
45.60.200.110 web.microsoft.com

How to add a subdomain in cloudflare for my azure container which requires a port number to access it

I have a Metabase docker image running on my Azure container. It can be accessed through Azure's fqdn:port_number (the port is 3000) or ip:port_number. I want to give this application a nice domain name through Cloudflare. How can I do this?
Thanks in advance!
PS: There were some topics on this in the Cloudflare community but I couldn't find any answer relevant for me.
You could add a CNAME record to point subdomain such as www.example.com to the FQDN value of your Azure container like containerdns.westus.azurecontainer.io.
Example of a CNAME record:
name: www
record type: CNAME
value: FQDN value of your Azure container
TTL: 32600
ref: https://www.cloudflare.com/learning/dns/dns-records/dns-cname-record/
https://support.cloudflare.com/hc/en-us/articles/360019093151-
Update
From your comment, you want to access myapp.com which actually points to fqdn:port. In this case, you could create and configure an application gateway to host web sites with custom ports using the Azure portal. If you have multiple sites, you could follow this tutorial.
You could follow the steps below:
1. Create a public-facing application gateway with a public IP address in the same region as your container instance.
2. Create a backend pool with the target hostname of your container FQDN, like containerdns.westus.azurecontainer.io.
3. Create a basic listener and provide a name, frontend port 80 and protocol HTTP.
4. Create a health probe, provide protocol HTTP, check the box Pick host name from backend http settings and leave the remaining settings at the default.
5. Add HTTP settings with custom port 3000 as desired, check the box Pick host name from backend address and Use custom probe, and select the custom probe.
6. Create a basic rule with the backend pool and HTTP setting.
In the end, you could create a CNAME record mapping the subdomain www.myapp.com to the FQDN of your application gateway.
I validated this on my website on an Azure VM; hope this could help you.
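The gateway configuration from the steps above expressed with Azure PowerShell (Az.Network), as an added example that is not from the original answer. It assumes a resource group rg-gw, a VNet vnet-gw with a dedicated subnet appgw-subnet and an existing Standard-SKU static public IP pip-gw; the backend FQDN is the one the answer uses as an example.

```powershell
$rg = 'rg-gw'; $loc = 'westus'                          # assumed resource group and region
$backendFqdn = 'containerdns.westus.azurecontainer.io'  # container FQDN from the answer

$vnet   = Get-AzVirtualNetwork -Name 'vnet-gw' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'appgw-subnet' -VirtualNetwork $vnet
$pip    = Get-AzPublicIpAddress -Name 'pip-gw' -ResourceGroupName $rg   # Standard SKU, static

$gwIp   = New-AzApplicationGatewayIPConfiguration -Name 'gw-ipcfg' -Subnet $subnet
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-ip' -PublicIPAddress $pip
$fePort = New-AzApplicationGatewayFrontendPort -Name 'fe-port-80' -Port 80     # step 3: listener port

# Step 2: the backend pool targets the container by FQDN, not by IP
$pool = New-AzApplicationGatewayBackendAddressPool -Name 'metabase-pool' -BackendFqdns $backendFqdn

# Step 4: the probe takes its Host header from the HTTP settings
$probe = New-AzApplicationGatewayProbeConfig -Name 'metabase-probe' -Protocol Http -Path '/' `
    -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings

# Step 5: HTTP settings on custom port 3000, Host header taken from the backend address
$http = New-AzApplicationGatewayBackendHttpSetting -Name 'metabase-http' -Port 3000 -Protocol Http `
    -CookieBasedAffinity Disabled -RequestTimeout 30 -PickHostNameFromBackendAddress -Probe $probe

# Step 3: basic HTTP listener on the public frontend
$listener = New-AzApplicationGatewayHttpListener -Name 'listener-80' -Protocol Http `
    -FrontendIPConfiguration $feIp -FrontendPort $fePort

# Step 6: basic rule tying listener, pool and HTTP settings together (v2 SKUs need a priority)
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-metabase' -RuleType Basic -Priority 100 `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $http

$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2

# Step 1: create the gateway itself
New-AzApplicationGateway -Name 'appgw-metabase' -ResourceGroupName $rg -Location $loc -Sku $sku `
    -GatewayIpConfigurations $gwIp -FrontendIpConfigurations $feIp -FrontendPorts $fePort `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $http -Probes $probe `
    -HttpListeners $listener -RequestRoutingRules $rule | Out-Null

# Confirm the probe sees the backend as healthy before pointing DNS at the gateway
Get-AzApplicationGatewayBackendHealth -Name 'appgw-metabase' -ResourceGroupName $rg |
    Select-Object -ExpandProperty BackendAddressPools

# Value for the CNAME target at Cloudflare (www.myapp.com -> this name)
$pip.DnsSettings.Fqdn
```

The listener here is plain HTTP on port 80, matching the answer; if Cloudflare terminates TLS for www.myapp.com, the Cloudflare-to-gateway hop stays unencrypted until an HTTPS listener with a certificate is added to the gateway.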

Can't access Azure VM HTTP Web Site from Outside of Azure

I've set up a VM and installed IIS. I checked that the firewall rules were enabled for HTTP and HTTPS. Furthermore, in the Azure portal, I've enabled the two predefined inbound network security group rules for HTTP and HTTPS.
When in the VM, I can go to localhost and see the default Web page of IIS Default Web Site.
(Screenshot: inbound security rule in Network Security Group)
Anybody know how to go about figuring out how to make this work?
Thx
You should add port 443 and port 80 to the Azure VM's Windows Firewall inbound rules.
Are the Source port ranges on your inbound rules set to 80/443 or * (i.e. all source ports)?
Try changing them to * with only the destination ports set to 80 or 443 respectively.
Refer to How to open ports to a virtual machine with the Azure portal for more details.
There are two ways to make your site accessible from the Internet:
1. Use the public IP address which is associated with the virtual machine's NIC.
2. Configure DNS for your VM (e.g. web.southeastasia.cloudapp.azure.com). This DNS name is bound to the associated public IP address.
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/portal-create-fqdn
In your IIS, just configure the binding to make sure the incoming request from the Internet is recognized by IIS.
You also need to make sure you have no rule in the Network Security Group (NSG) blocking port 80. Or, if there is an NSG, you need to create an inbound rule to allow port 80.
On an Azure Windows VM, apart from configuring the NSG rule, we should also create a Windows Firewall rule to allow inbound TCP connections on the required port. Just RDP into your Windows VM, open Windows Defender Firewall and add the rule.

Access azure app service with ip address not the hostname

I've got an app plan (BASIC SMALL) with a private (hopefully) IP address that can be found under Settings > Custom Domains.
When I try to access the content of the app using just the IP, it doesn't work. The site says "Error 404 - Web app not found." The hostname works just fine. When I ping the hostname it gives me the same IP address. What do I have to do in order to be able to access it using just the IP?
That's not how Web Apps work, since you don't get a unique IP address assigned. You'll need to access it via yourname.azurewebsites.net or yourcustomdomainname.com - and then your requests are routed appropriately based on the name you provide.
If you absolutely needed a dedicated IP address, you'd need to deploy to a virtual machine.
When you host your website on an Azure web app, it is bound to a virtual IP address that is shared with other websites in the same App Service plan. If you want a dedicated IP for your website, please try an Azure virtual machine with a reserved IP. You could also choose an App Service Environment.
If you buy your custom domain, you can freely set DNS A records for that IP (it remains static). This sets up the binding of your domain to your web app. You can't access it directly by IP, because on a given IP address and the standard HTTP port 80, only one website can be running.
Imagine your web app could be opened by entering that IP. You would "block" port 80 for zillions of other things running there.
If you check the Properties blade there you will see a number of outbound IP addresses. If you make requests from a web app / job / ... and have an IP restriction set on the other side, you need to allow all these IPs.
As David suggested, if you really need a static IP, you need to run a VM and set the IP address as static, or set up a VNet for the web app.
