I've set up a VPS using the Google Compute Engine platform. In the instance, I've established a MongoDB database that's being locally hosted at the default port 21017. I've also set up a REST API based NodeJS server with express listening in on connections at port 8080.
Right now, I can only access the NodeJS site internally. How do I expose the VPS port 8080 to the external ip address so that I can access the API anywhere?
I tried following along an answer to this post: Enable Access Google Compute Engine Instance Via HTTP Port.
But that did not solve my issue
Default Firewall rules
Google Compute Engine firewall by default blocks all ingress traffic (i.e. incoming network traffic) to your Virtual Machines. If your VM is created on the default network, few ports like 22 (ssh), 3389 (RDP) are allowed.
The default firewall rules are documented here.
Opening ports for ingress
The ingress firewall rules are described here.
The recommended approach is to create a firewall rule which allows port 8080 to VMs containing a specific tag you choose. Then associate this tag on the VMs you would like to allow ingress 8080.
If you use gcloud, you can do that using the following steps:
# Create a new firewall rule that allows INGRESS tcp:8080 with VMs containing tag 'allow-tcp-8080'
gcloud compute firewall-rules create rule-allow-tcp-8080 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-8080 --allow tcp:8080
# Add the 'allow-tcp-8080' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-8080
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Here is another stack overflow answer which walks you through how to allow ingress traffic on specific ports to your VM using Cloud Console Web UI (in addition to gcloud).
Static IP addresses
The answer you linked only describes how to allocate a Static IP address and assign it to your VM. This step is independent of the firewall rules and hence can be used in combination if you would like to use static IP addresses.
Related
How we should open port 22 on aks loopback IP.
We are trying to do telnet on loopback IP using port 22 which is working fine on any Linux VM but on AKS we are getting the error Connection closed.
• Note that AKS clusters have unrestricted outbound (egress) internet access. This level of network access allows nodes and services you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible to maintain healthy cluster maintenance tasks. The simplest solution to securing outbound addresses lies in the use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Thus, you can configure an inbound rule and an outbound rule to allow traffic on port 22, i.e., SSH for destination IP address as 127.0.0.1 (Loopback IP address). To do so, kindly refer to the documentation link below: -
https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic#adding-firewall-rules
According to the above link, you must deploy a firewall and create a UDR hop to Azure firewall and associate it to AKS. Thus, in this way, if you configure the Azure firewall with the AKS cluster, you will be able to control the ingress and egress port traffic.
What can I do to fix this Advisory message?
The VM this relates to is a webserver, which sits behind an Azure LoadBalancer. The NSG rule that is causing this (only 1 'not default rule' ) is:
Type: Allow
Source: Service Tag - Internet, source port range = *
Destination: ASG for this VM, destination port 80,443, protocol tcp
If I remove this rule, the message disappears (after some hours) but than the internet web traffic can not reach the VM anymore.
Should I ignore the Azure Advisory message? Or am I overlooking something? I was looking forward to getting this nice and tidy, AND have a 'satisfied' advisory state.
You can run your webserver on the VMs on different ports than 80 and 443. The load balancer can translate between port 80/443 on your public IP and whatever port you choose inside the VMs. Since Load Balancers are a fairly simple service, this is probably your only option.
As an alternative, you could try Application Gateway instead of your load balancer. It should act as the reverse proxy you need. Be aware that it is a bit more costly than the load balancer, but it also has a lot more features.
I see that your VM is behind an Azure LoadBalancer. So, the network flow might be similar to :
Then, your web server should not be public to the internet. It should only be accessible from the loadbalancer. You can set the source service tag to AzureLoadBalancer. For more information about service tags, you may check the official documentation: Service tags
Update:
By further researching, the AzureLoadBalancer service tag in NSG rule is used to allow Azure health probes. Actually, there is a default rule for allowing load balancer to probe to endpoints.
So, the suggestions are:
You should not assign public IPs to each instances. In this way, your backends can only be accessed by private IPs. In other words, clients can only access your web via load banlacer.
Add NSG inbound rules with 80 and 443 ports for web service. And 22 or 3389 port for remote management.
In this case, your servers should be secure now. If there are still any warnings, I think you may ignore them. The Azure system may just see that you opened 80 and 443 ports to public. However, your instances do not have public IP.
Hope the above would be helpful to you.
We are using Kubernetes with Azure as cloud provider. The relevant setup to my question is that we have one loadbalancer and one network security group which is attached to all worker VMs. So basically every time I create a service, it creates a record in LoadBalaner frontend IP configuration, and adds a rule in network security group with specified destination port and Source IP addresses (which restricts from which source IP it can access the VM in which port.)
The problem with this set up is that, if I have a service that uses port 5000 which is open to public IP, and another service that also uses port 5000 but is open to only specific IP, both services are effectively open to public IP, because NSG rules are additive. Note that 5000 port number here does not represent the actual VM node port (although that's what Azure thinks) because it's taken care by kube-proxy in each machine and it will send the traffic to correct VM with corresponding node port. And this is why it makes sense to have two services using same port with different ingress rule set up.
Is there any way I can mitigate this problem? I can't think of any architecture setup I can deal with having different ingress rule for multiple services with same destination port.
Thank you
My internet provider doesn't offer static IP, so I have to connect to my AWS instances with a dynamic IP. That means that my VPC security group in AWS has a ssh port that can be accessed from every IP (source: 0.0.0.0/0), obviously if you have the key.
I would want to restrict this rule, and I was thinking of writing a CLI script that revokes this 0.0.0.0 rule and creates a new inbound rule with my (dynamic) IP.
Is it possible? Is it a good idea?
You could connect through a VPN. Then SSH from inside the VPN.
setup a software VPN (OpenVPN, OpenSwan) on an existing instance and open just that port to the outside world. Once setup it would essentially be free if you are running it on an instance that you would normally run. This will have a little more setup involved but it's not too hard.
Previously I suggested the Amazon VPC VPN. But that requires a static IP so that will not work
Can anyone confirm if Azure VM allows more than one Public IP? We want to host multiple website on single VM and hence want to have different IP for each website. I know we can host more VM, but that will greatly increase our expense too. So, I just want more than 1 Public IP on VM.
You can add multiple IP addresses for a cloud service. Since the VM's are "inside" the cloud service, this gives you in a way multiple public IP addresses for a virtual machine. The procedure is documented at [1]. Additional addresses currently cost about $3/month.
Here's the steps to add a new reserved IP address to a cloud service.
First create a new reserved IP address:
New-AzureReservedIP –ReservedIPName "MyIPAddress" –Location "West Europe"
Associate the IP address with cloud service:
Add-AzureVirtualIP -VirtualIPName MyIPAddress -ServiceName MyCloudService
Create endpoint that maps the IP address to a virtual machines. If you have multiple vm's and want load balancer, repeat this for each vm. In order to run multiple web sites, you would put each website to different port (the localport). The endpoint listens for connections on the public port and forwards them to the virtual machine's localport.
Get-AzureVM -ServiceName MyCloudService -Name myserver `
| Add-AzureEndpoint -Name QuvastoMail -Protocol tcp `
-LocalPort 8002 -PublicPort 80 -VirtualIPName MyIPAddress `
| Update-AzureVM
[1] http://azure.microsoft.com/en-us/documentation/articles/load-balancer-multivip/
It appears you can now have multiple public IPs for a load balanced cloud service:
http://azure.microsoft.com/en-gb/updates/multiple-vips-per-cloud-service/
Now you can assign more than one load-balanced public IP address to a
set of virtual machines, enabling high-availability and high-scale
scenarios. You can host multiple secure websites in a cloud service or
allow multiple SQL Server AlwaysOn Availability Group listeners to
access the same set of virtual machines.
For more information, please vistit the Load Balancer page. There is
no additional charge for this feature.
You would need a different Cloud Service (either Web Role or Virtual Machine) to have different IP addresses. Yes, this will increase overall cost.
The VIP (public IP) for Windows Azure Web Roles and VMs is assigned at the Cloud Service level. Think of a Cloud Service as a logical container - it can contain web/worker roles or VMs (not both currently).
Very possible, very easy actually.
Have your apps listening at your Azure Resource Managed VM, let's say ports 3001, 3002, 3003..
Then create an Load Balancer (just search it).
Create a Public IP Address.
Add it at your Load Balancer's Front-end Pool
Add your VM to your Load Balancer's Back-end Pool
at Inbound NAT rules of your Load Balancer, click "Add"
Select your frontend IP, your VM's network IP configuration, protocol, port and mapped port (click "Custom") to set a custom port.
Sample:
- You want your newly created public ip "52.165.147.25" to route to your vm's port 3001.
- On config that will be port 80 tcp, then port 3001 on mapped port.
- No need to enable "Floating IP (direct server return)" in case you see it.
PS:
On linux VM's you might have to "Optimize Your Network Kernel Parameters"..
Check here (scroll at bottom): http://docs.fluentd.org/v0.12/articles/before-install
sudo nano /etc/sysctl.conf
Add these entries:
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10240 65535
Note the spaces, crucial.
Save it.
sudo sysctl -p
Done.
EDIT:
On the above steps you might have to also take care of CORS (Just google it)
Also, Another alternative I forgot to mention is to add NIC's / Network Interfaces to ya VM's. That won't be a viable option though because of azure max-nic-per-vm limits.
In addition to the earlier answer about Cloud Services, it is now possible to have multiple IP addresses on an Azure VM. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal
You can only have one public IP address per deployment. So if you had 3 VMs in a single deployment, they'd share IP address. You can then choose to load-balance traffic across the instances or direct traffic to a particular VM (or role in cloud services) for a specific port number.
You can use host headers and support multiple websites in a single VM.
We are also having similar problems. We wanted to have multiple SSL certificates applied to multiple sites hosted withing Virtual Machine.
but it seems its not possible at all. Waiting for MS to release this feature.
Comparatively Godaddy and other hosting providers give free 2-3 IP addressed as well if you need more you can request additional Ip Address easily.
as well to get hold of support is too much difficult.
MZ azure really sucks. :(