I am using Blockchain as a Service on Azure to deploy a private blockchain.
The default ports are 8545 for the RPC ENDPOINT and 3000 for the first transaction node. I would like to change these parameters because of a firewall constraint.
Is it possible and how can I do it?
Based on my knowledge, this is possible. You could use this template to do this.
Download the azuredeploy.json file to your local PC, and modify the adminSitePort and gethRPCPort values to the ones you want.
"adminSitePort": 3000,
"gethRPCPort": 8545,
Then you could use PowerShell to deploy this template.
New-AzureRmResourceGroupDeployment -Name <deployment name> -ResourceGroupName <resource group name > -TemplateFile "D:\azuredeploy.json"
After the template is deployed successfully, you need to check that the Azure NSG opens the ports that you need.
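The NSG check mentioned above can be scripted. This is an added example, not part of the original answer: it lists which inbound Allow rules cover the ports set in azuredeploy.json and flags any that accept traffic from any source. The rule objects and the port numbers 8080 and 8600 are constructed sample data.

```powershell
# Added example. $rules is constructed sample data shaped like the SecurityRules
# property returned by Get-AzNetworkSecurityGroup; ports 8080/8600 are made up.
# To audit a real NSG, set $rules = (Get-AzNetworkSecurityGroup -ResourceGroupName <rg> -Name <nsg>).SecurityRules
$rules = @(
    [pscustomobject]@{ Name = 'allow-admin-site'; Direction = 'Inbound'; Access = 'Allow'
                       DestinationPortRange = @('8080'); SourceAddressPrefix = @('*') }
    [pscustomobject]@{ Name = 'allow-geth-rpc'; Direction = 'Inbound'; Access = 'Allow'
                       DestinationPortRange = @('8600-8610'); SourceAddressPrefix = @('10.0.0.0/24') }
)

# NSG port ranges are '*', a single port, or 'low-high'.
function Test-PortInRange {
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq "$Port")
}

# Reports inbound Allow rules per port. Deny rules and the NSG's default rules
# are not evaluated here, so a reported Allow may still be shadowed by a Deny.
function Get-PortExposure {
    param([object[]]$Rules, [int[]]$Ports)
    foreach ($port in $Ports) {
        $allow = @($Rules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            @($_.DestinationPortRange | Where-Object { Test-PortInRange $port $_ }).Count -gt 0
        })
        if ($allow.Count -eq 0) {
            [pscustomobject]@{ Port = $port; Rule = $null; Source = $null
                               Finding = 'No inbound Allow rule covers this port' }
            continue
        }
        foreach ($r in $allow) {
            $open = @($r.SourceAddressPrefix |
                Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }).Count -gt 0
            $finding = if ($open) { 'Open to any source: restrict it' } else { 'Restricted source' }
            [pscustomobject]@{ Port = $port; Rule = $r.Name
                               Source = ($r.SourceAddressPrefix -join ','); Finding = $finding }
        }
    }
}

# 8545 is the template default, included to confirm nothing still allows it.
Get-PortExposure -Rules $rules -Ports 8080, 8600, 8545 | Format-Table -AutoSize
```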
I have a web application in azure and I want to make sure that only my build server (or any other VM on the same subnet) are the only ones which are able to access the SCM site. I thought the most obvious thing would be to create an access restriction rule and in fact that works, I am able to create it from the portal with no issue whatsoever.
The problem, however, happens when I try to automate this using powershell. My build server subnet is located on a subscription different from the one where my web application is.
I am executing the following powershell script:
$subnetId = "/subscriptions/$VNETSubscriptionId/resourceGroups/$VNETResourceGroup/providers/Microsoft.Network/virtualNetworks/$buildServerVNET/subnets/$buildServerSubNet"
Add-AzWebAppAccessRestrictionRule -ResourceGroup $webAppRg -WebAppName $webAppname -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnetId
And I get the following error:
Add-AzWebAppAccessRestrictionRule : The client '{{my user credential}}' with object id '81fa4eb1-5553-4daa-af44-3c717b19eda2' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{{websiteSubscriptionId}}/resourceGroups/{{VNETResourceGroup}}/providers/Microsoft.Network/virtualNetworks/{{buildServerVNET}}/subnets/{{buildServerSubNet}}' or the scope is invalid. If access was recently granted, please refresh your credentials.
The error seems to indicate that the cmdlet is searching for the subnet on the same subscription id as the website instead of the subscription where the subnet is located, since the resourceId string that is being returned in the error message has the wrong subscription Id. It is using the one where the website is instead of using the one where the build server is.
What else needs to be done in order to create this rule through powershell?
The error message is confused.
In fact, after my validation, you need to add the -IgnoreMissingServiceEndpoint parameter when adding a subnet from a different subscription. Read this GitHub case WebApp:Add-AzWebAppAccessRestrictionRule.md - incorrect use of subscription context over SubnetId param
When using a subnet from a different subscription, we cannot validate
the subnet to see if the correct service endpoint (Microsoft.Web) has
been set. If you use -IgnoreMissingServiceEndpoint the rule can be
added.
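Because -IgnoreMissingServiceEndpoint skips the cmdlet's own validation, the Microsoft.Web service endpoint can be checked by hand in the VNet's subscription before the rule is added. The script below is an added example, not part of the original answer; $webAppSubscriptionId is a hypothetical variable, the other variables are the ones from the question, and -TargetScmSite is added because the question is about the SCM site.

```powershell
# Added example; requires the Az module and an account with read access to the
# VNet's subscription and write access to the web app's subscription.
# $webAppSubscriptionId is hypothetical; the other variables come from the question.

# 1. In the VNet's subscription, read the subnet and check its service endpoints.
Set-AzContext -Subscription $VNETSubscriptionId | Out-Null
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $VNETResourceGroup -Name $buildServerVNET
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $buildServerSubNet }
if (-not $subnet) {
    throw "Subnet '$buildServerSubNet' not found in VNet '$buildServerVNET'."
}

$hasWebEndpoint = @($subnet.ServiceEndpoints |
    Where-Object { $_.Service -eq 'Microsoft.Web' }).Count -gt 0
if (-not $hasWebEndpoint) {
    # Without the endpoint, traffic from the subnet is not identified as coming
    # from it, so a subnet-based Allow rule would not match.
    throw "Subnet '$buildServerSubNet' has no Microsoft.Web service endpoint."
}

# 2. Back in the web app's subscription, add the rule to the SCM site.
Set-AzContext -Subscription $webAppSubscriptionId | Out-Null
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $webAppRg -WebAppName $webAppname `
    -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnet.Id `
    -TargetScmSite -IgnoreMissingServiceEndpoint

# 3. Read the SCM rules back to confirm what was written.
(Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $webAppRg -Name $webAppname).ScmSiteAccessRestrictions
```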
Scenario: You want to clone an app to another region, while configuring an Azure Resource Manager traffic manager profile that includes both apps.
Below are the commands I tried
$srcapp = Get-AzWebApp -ResourceGroupName SourceAzureResourceGroup -Name source-webapp
$destapp = New-AzWebApp -ResourceGroupName DestinationAzureResourceGroup -Name dest-webapp -Location "South Central US" -AppServicePlan DestinationAppServicePlan -SourceWebApp $srcapp -TrafficManagerProfileName newTrafficManagerProfile
The above commands fail with "Creating app with backup from 'subscriptiondetailshere' failed: Detail: Hostname \'abc.xyz.companydomain.com\' conflicts with an already existing hostname. ExtendedCode: 04005"
FYI : the apps are hosted in standard app service plan. I did read documentation saying only the premium apps can be cloned but I was able to clone this particular app in standard plan through Azure Portal UI.
I want to be able to automate this using the ps. Any pointers are appreciated
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-app-cloning
First, azure web app clone does support standard app service plan. Here is a screenshot from the doc:
Second, the code you're using is correct. I did a test on my side and it's working fine (the web app is copied from Central US to West US; after it is copied, everything is working fine):
For the conflict error, you should check in your destination resource group whether there is an existing web app with that host name (you mentioned that you can copy from the Azure portal; maybe you didn't delete it when you were using code to copy it).
I want to check if a vpn gateway connection is given to a vnet through a powershell command given a vnet name.
I have created 2 vnets in 2 different resource groups and enabled peering.
You can use the commands in the following manner.
First, get the virtual network object from Azure with the following command:
$Vnet_object = Get-AzVirtualNetwork -Name MyVirtualNetwork -ResourceGroupName TestResourceGroup
"Vnet_object" will be of type "PSVirtualNetworkGateway"
Pass this object to the following command and you will get the virtual network gateway if it is connected to that VNet.
Get-AzVirtualNetworkGatewayVpnClientConnectionHealth -InputObject $Vnet_object
Link for above command: https://learn.microsoft.com/en-us/powershell/module/az.network/get-azvirtualnetworkgatewayvpnclientconnectionhealth?view=azps-2.4.0
If I'm not understanding you correctly, please let me know. It seems that you want to know if a VNet has gateway connected when you have enabled VNet peering.
You could use Azure PowerShell (Get-AzVirtualNetwork -ResourceGroupName $myrg -Name $myVnet).VirtualNetworkPeerings, then check the values of the parameters AllowGatewayTransit and UseRemoteGateways. If one of those values is true, this VNet has a connecting gateway.
Additionally, the new Az module is used for the Azure Resource Manager model, and it's recommended to migrate Azure PowerShell from AzureRM to Az. If you still use the old AzureRM module, you could replace Get-AzVirtualNetwork with Get-AzureRmVirtualNetwork.
I have a strange issue in the Azure portal after moving my WebApp and App Service Plan to another resource group. After clicking Change App Service Plan I'm getting this info:
The application is working but I can't do anything with the App Service Plan settings; moreover, I can't even do this from PowerShell using the command:
Set-AzureRmWebApp -Name <webapp name> -ResourceGroupName <resource group name> -AppServicePlan <new app service plan>
Ticket submitted for support!
Does anyone know how to fix it?
#komluk, as Avanish said, you can't move WebApp resources between web spaces, and moving web apps to App Service plans that are in data centers in different geographical locations is not supported.
I've created a Service Fabric Cluster with the Azure portal. It's secured by a wildcard SSL certificate from a CA. The certificate is stored in the keyvault.
In the cluster I have several web api services. I would like to add https endpoints to them.
I've followed this guide to update the configuration. Added https endpoint to ServiceManifest.xml in Nimles.UserManagement.Api.Authorized
<Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" Port="9021" />
Added binding to ApplicationManifest.xml
<ServiceManifestRef ServiceManifestName="Nimles.UserManagement.Api.AuthorizedPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="NimlesComCert" />
</Policies>
Added certificate
<Certificates>
<EndpointCertificate X509FindValue="*****" Name="NimlesComCert" />
</Certificates>
But I can't find information on how to add the certificate to the VM since I've used the portal to create the cluster, and all guides just refer to ARM templates.
I don't mind if I need to use ARM if this is not possible from the portal, but I don't want to recreate the cluster, in that case just use ARM with my current cluster.
The basic steps to add SSL to your Web Api in Service Fabric are:
1. Add certificate to KeyVault
2. Install it on VM Scale Set VMs
3. Add certificate to ServiceManifest and ApplicationManifest (or add it to your services some other way, let's go with manifest here)
Based on your description above you likely already have all of these steps covered. When you secure a cluster with a certificate, that certificate is installed on each VM in the cluster. It should just be a matter of referencing it in your manifest. Look at step 2 below for updating the VMs using ARM if you need to add another certificate to the cluster (if you are running multiple applications secured with different certificates).
Just for reference, I am adding all the required steps below.
Add certificate to KeyVault
You have already done this, but just for reference
I recommend using ServiceFabricRPHelpers to help adding the certificate to the KeyVault. Something along these lines from PowerShell
Invoke-AddCertToKeyVault `
    -SubscriptionId $subscriptionId `
    -ResourceGroupName $vaultResourceGroupName `
    -Location $vaultLocation `
    -VaultName $vaultName `
    -CertificateName $clusterCertName `
    -Password $clusterCertPw `
    -UseExistingCertificate `
    -ExistingPfxFilePath $certFilePath
Install certificate on VMSS
Since you have secured your cluster with a cert, your VMs already have the vault certificate installed, but again, just for reference
You can do this with either PS cmdlets, or by updating the ARM template. The PS cmdlet could look like this:
$certConfig = New-AzureRmVmssVaultCertificateConfig `
    -CertificateUrl $certificateUrl `
    -CertificateStore $certStore
# Add the certificate as a new secret on each VM in the scale set
$vmss = (Get-AzureRmVmss | Where-Object { $_.Name -eq $vmssName })[0]
$vmss.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($certConfig)
# Trigger an update of the VMs in the scale set
Update-AzureRmVmss -ResourceGroupName $ResourceGroup -Name $VmssName -VirtualMachineScaleSet $Vmss
And the ARM version would look like this
"osProfile": {
    "adminPassword": "[parameters('adminPassword')]",
    "adminUsername": "[variables('adminUsername')]",
    "computernamePrefix": "[variables('vmNodeType0ComputerName')]",
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('sourceVaultValue')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "[variables('certificateStoreValue')]",
                    "certificateUrl": "[parameters('certificateUrlValue')]"
                }
            ]
        }
    ]
},
For the ARM template version of this, you can update the already deployed cluster by either downloading the automatically generated script from Azure Portal, or by downloading the actual template you used when deploying the first time (even if you deployed by using a wizard in the portal it actually creates a template behind the scenes for you and it is that one that is deployed when you click OK in the last step).
Find the Resource Group with your cluster in the portal.
The Automation Script renders a new template for you based on what the Resource Group contains at this point, it is an accumulation of all your changes up to this point of the resources in the group. Click download and you will get a .zip with both the template file and parameters.
You can now redeploy it using either PowerShell like this:
New-AzureRmResourceGroupDeployment `
    -Name "Update_admin_cert" `
    -TemplateFile .\template.json `
    -ResourceGroupName $resourceGroupName `
    -Mode Incremental
Note the Mode Incremental option: it simply patches whatever is already in your resource group with any new or overlapping definitions in the template you are deploying, so it is (in general) safe to run it on an existing resource group if you only want to change or add some detail for a resource.
Adding certificate to ApplicationManifest
Adding the certificate to your service is a matter of updating the manifest used for deploying the application/services. This documentation article outlines what you need. In short, add an EndpointBindingPolicy to the ServiceManifestImport in ApplicationManifest.xml and a certificate in the Certificates tag that references the thumbprint for your certificate:
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Stateful1Pkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<EndpointBindingPolicy CertificateRef="TestCert1" EndpointRef="ServiceEndpoint3"/>
</Policies>
</ServiceManifestImport>
<Certificates>
<EndpointCertificate Name="TestCert1" X509FindValue="ABCDEF27174012740129FADBC232348324" X509StoreName="MY" />
</Certificates>
You can use the portal to generate an ARM template for an existing resource group. Click to the 'automation script' menu item. Then you click 'download'.
Then you can redeploy the resource of type 'Microsoft.Compute/virtualMachineScaleSets', with the certificate info in node 'virtualMachineProfile'. (delete the rest, remove the dependencies)
Note that you'll have to provide any parameter values, as they are not filled out automatically.
(I'd recommend using an ARM template to create the cluster to begin with though.)