SignalR server application on the Azure virtually - azure

I try to run a self-hosted SignalR server application, the server on the Azure virtually
const string ServerURI = "http://<myip>:8080";
SignalR = WebApp.Start(ServerURI);
The server is not created.
If you create a local server then all is well
const string ServerURI = "http://localhost:8080";
An inbound port rule is created.
On a separate VPS everything works fine, but on Azure it does not...

When you provision a new VM, Azure adds a default Network Security Group (think of it as a firewall) that allows RDP traffic (TCP port 3389) from any connection and denies all traffic going to your VM on any other port.
Since you want port 8080 to be accessible from the outside, you will need to add an NSG rule that explicitly allows port 8080 in.
Documentation on how to add an NSG rule on an existing NSG:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-pportal#create-rules-in-an-existing-nsg

Related

Azure VM Port forwarding to localhost port

I have an Azure VM, and a web application listening internally on port 32001. The VM is publicly accessible on a static IP address. I'm trying to route all traffic the VM receives on port 443 to its localhost port 32001. I am trying to set it up in this screen, and my first idea was to edit the HTTPS rule. But no matter what I try, I can't seem to get a connection to my webapp. What am I supposed to do?
You can't do this using just VM. What you actually need is a Load Balancer in front of your Azure VM which takes care of port forwarding. An example you can find here and here. But in short, what you need to do is:
expose 32001 on your VM
create Load Balancer
add VM to backend pool in Load Balancer
configure port forwarding on this balancer
In inbound and outbound rules you can configure what traffic is allowed, but you can't configure port forwarding there.
You can also check this topic

Enabling port for tcp in Azure VM

I have created a Windows WCF Service and I want to host it inside Azure VM.
The service is locally running fine inside the VM, but when attempting to access the service outside of the VM, I cannot connect to the service at the specified port.
While requesting the service, I'm getting the following error:
SocketException (0x274d): No connection could be made because the target machine actively refused it...
Also, while pinging the VM through the command prompt with public ip, I'm getting Request timed out.
I have enabled the port for TCP in Azure inbound rules as well as in VM firewall inbound rules. The VM is Windows Server.
How can I access the service running in the VM from another system?
Any help is appreciated.
check application is running on the port you exposed
check windows level firewall allows traffic on that port from your destination
check NIC level NSG allows traffic on that port from your destination
check subnet level NSG allows traffic on that port from your destination
you might also have Azure Firewall\UDR\NVA in the networking setup, check those as well (this is highly unlikely if you are not running an enterprise grade setup).

open port on azure while logged onto azure vm

I want to open a port on Azure. I am logged onto Azure VM. After that, how do I open the port?
I tried opening the firewall port but that did not help. I also tried to do it thru azure-cli but it needs web login.
Can I not open a port while logged in onto that Azure VM?
For VMs in azure service management mode:
To open a particular port, say 8080 in your VM, you have to add an endpoint in azure portal, powershell or using xplat-cli. Once this is done, you have created a connectivity between external loadbalancer (I mean VIP of the VM) to the actual VM (with Internal IP address). If the VM is Linux, by default you can start using the endpoint (VIP and port) unless you restrict ports specifically.
For Windows VM, for non-standard ports, you have to add Windows firewall inbound allow rules (say for 8080) inside your VM so that it can accept traffic forwarded from VIP.
For VMs in azure resource management:
You have to first create a loadbalancer with VIP, then add NAT rules to forward traffic from VIP to VM. (use load balancing rules if same VIP port forwards traffic to multiple backend VMs)
For Windows VM, again Windows firewall inbound rules need to be added
Securing ports:
The above scenario will work by default, but if you want to secure your ports, you have to follow either one of the below, not both.
Use Access Control List (ACL): This works at VIP endpoint level. If we want to restrict VIP port 8080 to only a few IPs and deny other IPs, we can use ACL to add those IPs. This can be done in portal endpoint section/powershell/Xplat-cli
Use Network Security Group (NSG): This works at periphery of VM level. We have greater control here to restrict multiple VM ports, port range, etc., but we have to manage those rules. The port that needs to be secured in NSG is the VM internal port whereas in ACL it is the VIP port.
Hope this clarifies
You also need to open the port in the Endpoint settings within the Azure Portal.
Go to Azure Portal -> Your VM -> Settings -> Endpoints and add your Port.
To open a port, you have to do it from the Azure portal and not in the VM. You can use the NSG (Network Security Group) attached to the VM and add a rule in the "Inbound security rules"

Connection timeout port 80 on new Azure VM with NSG rules configured

I just created a new Ubuntu 14.04 virtual machine in Microsoft Azure using the (recommended) resource manager deployment model. The following screenshots show the deployment configuration and the resulting resources:
Once it was deployed, I accessed the VM using SSH through the public IP, logged in and installed nginx. I left it with the default configuration and did a 'curl localhost' to ensure the webserver was running.
Then I went to the Network Security Group resource and added an Allow rule for port 80 to the Inbound rules:
I then opened a browser and tried to request the public IP associated with the NIC and got a connection timeout.
Edit: I can get access by disassociating the NSG from the NIC, but if I re-associate it, I will get blocked again within a few minutes.
I have tried using the same process to set up a Windows Server VM, with IIS, but I'm getting the same result.
What am I missing here?
I get no errors when doing the same setup using the classic deployment model, this only occurs when trying the recommended resource manager model.
For the ones that still struggle with the inbound rules on the new Portal Azure, you need to set up the Network Security Group (NSG) to:
allow connections from (source):
any sources
and
* - for the source port range (extremely important as it may seem normal to set 80 or 443 - which is not correct)
destination:
any
and
80 - as the destination port range (or the port that your webserver is listening to - it could be also 8080 or other)
The same goes for other ports like the 443 for the https connections.
What is your source port on your NSG? Did you leave it Any/*? If not you are limiting yourself to traffic coming only from that one port.
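
How NSG rule matching produces the behaviour in the first thread (port 8080 unreachable until a rule is added) and in this one (an allow rule with source port 80 never matches a browser's connection), as an added example that is not part of the original posts. It is a simplified model: address prefixes are ignored, only the DenyAllInBound default rule is modelled, all rule values are constructed, and the field names follow the rule objects printed by `az network nsg rule list`.

```python
# Simplified model of Azure NSG inbound rule evaluation (added example).
# Assumptions: address prefixes are ignored and only the DenyAllInBound
# default rule is modelled. All rule values are constructed sample data.

def rule(name, priority, access, src_ports, dst_ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourcePortRange": src_ports, "destinationPortRange": dst_ports}

DEFAULT_DENY = rule("DenyAllInBound", 65500, "Deny", "*", "*", protocol="*")
RDP = rule("default-allow-rdp", 1000, "Allow", "*", "3389")
HTTP_WRONG = rule("allow-http", 1010, "Allow", "80", "80")  # source port pinned
HTTP_RIGHT = rule("allow-http", 1010, "Allow", "*", "80")

def port_matches(port_range, port):
    """Match a port against '*', a single port ('80') or a range ('8000-8100')."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate_inbound(rules, protocol, src_port, dst_port):
    """Return (access, rule name) for the first match, lowest priority number first."""
    inbound = [r for r in rules if r["direction"] == "Inbound"] + [DEFAULT_DENY]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if (r["protocol"].lower() in ("*", protocol.lower())
                and port_matches(r["sourcePortRange"], src_port)
                and port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]

def pinned_source_ports(rules):
    """Names of inbound Allow rules whose source port range is not '*'."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourcePortRange"] != "*"]

if __name__ == "__main__":
    client_port = 51514  # clients connect from an ephemeral source port
    for label, rules, dst in [("no rule for 8080", [RDP], 8080),
                              ("source port 80", [RDP, HTTP_WRONG], 80),
                              ("source port *", [RDP, HTTP_RIGHT], 80)]:
        print(label, "->", evaluate_inbound(rules, "Tcp", client_port, dst))
    print("review:", pinned_source_ports([RDP, HTTP_WRONG]))
```
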

Azure two VM's in cloud service, can not RDP to one

I am new to Azure and trying to set up our company's testing environment in Azure.
As I understand it for two machines to talk to each other in Azure they need to be in the same cloud service, i.e. our web server and DB server.
So I have created a service, then created each of the VM's in that service. They are both running. In the endpoints I can see:
web server:
NAME            PROTOCOL  PUBLIC PORT  PRIVATE PORT  LOAD-BALANCED SET NAME
HTTP            TCP       80           80            -
HTTPS           TCP       443          443           -
PowerShell      TCP       5986         5986          -
Remote Desktop  TCP       50232        3389          -
db server:
NAME            PROTOCOL  PUBLIC PORT  PRIVATE PORT  LOAD-BALANCED SET NAME
MSSQL           TCP       1433         1433          -
PowerShell      TCP       54327        5986          -
Remote Desktop  TCP       52459        3389          -
in the cloud service the input areas
INPUT ENDPOINTS
protoApp : 123.456.789.227:80
protoApp : 123.456.789.227:443
protoApp : 123.456.789.227:5986
protoApp : 123.456.789.227:50232
protodb : 123.456.789.227:1433
protodb : 123.456.789.227:54327
protodb : 123.456.789.227:52459
I can connect to the protodb server but not the protoapp server (on the given ports).
There are two / three questions really.
Should they both be in the same cloud service?
Should the live DB and web server be in a separate cloud server (not created them yet)
Can anyone think of a reason why I can no longer MSTSC / rdp to one of the machines, even though the endpoints say it's all fine, the machine is running and the cloud service says it has it as an endpoint.
No reason why not, though you should look at creating a Virtual Network to connect them
You should consider this if
Performance dictates it
You want extra security - consider somebody hacks the web server, they then immediately have access to the same server that hosts the data. Really you should restrict the incoming IPs for MSSQL to something trusted anyway, or the same subnet if you use a Virtual Network
Cost is not an issue
I've sometimes had trouble using mstsc to directly connect via RDP to Azure VMs. If you go to http://manage.windowsazure.com and navigate to your VM, there will be a "Connect" option at the bottom. This will download a .rdp file which might help.
Something else worth noting, If you're using Azure VMs, you won't qualify for Microsoft's uptime SLA unless you have two or more VMs per cloud service configured as part of an Availability Set. So straight away you should consider that the number of VMs you're planning will double if you want to have a production/highly available environment, and you should consider the impact this will have on your application architecture too.
