I may be way off base here because I am not a networking expert, and new to Azure. I am having problems isolating two subnets in an Azure virtual network.
Scenario:
One virtual network (vn) with address space 10.0.0.0/16.
Two subnets (subnet1 and subnet2)
subnet1: 10.0.0.0/24
subnet2: 10.0.1.0/24
Two virtual machines (vm1 and vm2). Each virtual machine is Windows Server 2012 R2 with Windows Firewall disabled.
vm1 lives in subnet1,
vm2 lives in subnet2
vm2 has a web service bound to port 5550. vm1 has a client (browser) hitting the web service on vm2. I can successfully access the web server action on vm2 via the client (browser) on vm1.
Two network security groups (nsg1 and nsg2).
nsg1 is associated with subnet1,
nsg2 is associated with subnet2
The default inbound rules, particularly for nsg2, allow access from the vnet via the default rule:
PRIORITY: 65000,
NAME: AllowVnetInbound,
SOURCE: VirtualNetwork,
DESTINATION: VirtualNetwork,
SERVICE: Custom(Any/Any),
ACTION: Allow
I am trying to configure nsg2 to DENY traffic from vm1 to vm2, i.e. subnet1 to subnet2. I can't seem to make this work; no matter what deny rule I put in place, the client on vm1 is always able to access the web server on vm2.
I added a new rule with higher priority:
PRIORITY: 200,
NAME: DenyVnetInbound,
SOURCE: VirtualNetwork,
DESTINATION: VirtualNetwork,
SERVICE: Custom(Any/Any),
ACTION: Deny
This does not work; the client on vm1 is still able to access the web server on vm2.
I also tried variations:
PRIORITY: 200,
NAME: DenyVnetInbound,
SOURCE: 10.0.0.0/24,
DESTINATION: 10.0.1.0/24,
SERVICE: Custom(Any/Any),
ACTION: Deny
This doesn't work either. Is it possible to isolate subnets in the same virtual network in Azure?
I can now block other subnets in a repeatable fashion. I am using rule:
PRIORITY: 4000
NAME: DenyVNet
SOURCE: VirtualNetwork
DESTINATION: All
SERVICE: Custom (Any/Any)
ACTION: Deny
I believe the root cause is that I had faulty tests. I suspect the issue has to do with HTTP persistent connections from the browser (and other test applications using HTTP). HTTP Keep-Alive?
When I change the NSG rules (inbound on target subnet):
ACTION                                   RESULT
Kill both client and service             New rule always works
Kill either client or service            New rule works... most of the time
Don't kill either client or service      New rule never works; old rule behaviour remains
This pattern seems repeatable for Azure NSGs. I also believe this to be the case for AWS VPC security groups / network ACLs.
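The two mechanisms at play in this thread, as an added illustration that is not from the original post: NSG rules are evaluated in ascending priority order with the VirtualNetwork service tag resolving to the VNet address space, and (as the poster observed) a rule change only takes effect for new flows, so an HTTP keep-alive session keeps its old verdict until the client or service is torn down. The VM addresses 10.0.0.4 and 10.0.1.4 are assumed; the question does not give them.

```python
import ipaddress
from collections import namedtuple

# Address space of the VNet in the question; the VirtualNetwork service tag resolves to it.
VNET = ipaddress.ip_network("10.0.0.0/16")
# priority: lower number is evaluated first; source/destination: CIDR, "VirtualNetwork", "Any" or "All"
Rule = namedtuple("Rule", "priority name source destination action")

def _matches(selector, ip):
    if selector in ("Any", "All"):
        return True
    if selector == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)

# Azure's built-in inbound defaults (AzureLoadBalancer rule omitted: it never matches VNet IPs here)
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInbound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65500, "DenyAllInbound", "Any", "Any", "Deny"),
]

def evaluate(rules, src, dst):
    """The first rule (ascending priority) whose source and destination match decides."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.action, r.name
    raise AssertionError("unreachable: DenyAllInbound matches every flow")

class FlowTable:
    """Models the poster's observation: a rule change affects only *new* flows; an
    established connection (an HTTP keep-alive session) keeps the verdict it got."""
    def __init__(self, rules):
        self.rules, self.flows = rules, {}
    def packet(self, src, dst, dport):
        key = (src, dst, dport)
        if key not in self.flows:                       # new flow: evaluate current rules
            self.flows[key] = evaluate(self.rules, src, dst)[0]
        return self.flows[key]
    def close(self, src, dst, dport):                   # client or service torn down
        self.flows.pop((src, dst, dport), None)

def demo():
    nsg2 = FlowTable(rules=[])                          # nsg2 with only the default rules
    before = nsg2.packet("10.0.0.4", "10.0.1.4", 5550)  # vm1 -> vm2 browser session opens (assumed IPs)
    nsg2.rules.append(Rule(4000, "DenyVNet", "VirtualNetwork", "All", "Deny"))
    still_open = nsg2.packet("10.0.0.4", "10.0.1.4", 5550)  # same keep-alive flow: old verdict
    nsg2.close("10.0.0.4", "10.0.1.4", 5550)            # kill the client (or the service)
    after = nsg2.packet("10.0.0.4", "10.0.1.4", 5550)   # fresh connection: new rule applies
    return before, still_open, after
```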
Related
I need to close port 8010 on one of my app services on Azure. Is it possible to configure ports on an app service?
In the App Service shared tenant environment, it is not possible to block specific ports because of the nature of the infrastructure.
But in an App Service Environment (ASE), you have full control over inbound and outbound traffic. You can use Network Security Groups to restrict or block specific ports.
An ASE always exists in a virtual network, and more precisely, within a subnet of a virtual network. You can use the security features of virtual networks to control inbound and outbound network communications for your apps.
So, you need to create the app service and the virtual network, then deploy the app service to the virtual network (the VNet applies the NSG rules).
Follow these steps:
1. Create a virtual network and make sure it is in the same location as your app service.
2. Create a network security group (also make sure it is in the same location; on my side, all locations are 'Central US').
3. Add security rules to your NSG, inbound or outbound.
4. Create a subnet in the VNet. Use the network security group that you created above.
5. Deploy your app service to the subnet of the virtual network that you created above.
Finally, the app service is deployed to the subnet of the virtual network, and that subnet uses the network security group which blocks specific ports. So your app service also blocks those specific ports.
Please let me know if you have more problems.
Using a Point-to-Site connection, I planned to connect Windows 10 (on-premises) and Windows Server 2016 on Azure so that Windows 10 (on-premises) can join the Windows Server 2016 Domain Controller.
I will elaborate the steps that I followed:
Step1: Create a Resource Group, say SkyTech with the Region East US.
a). Create an Availability Set, say 1ASet.SkyTech with details as
Resource Group: SkyTech
Region: East US
Fault domains: 2 (default)
Update domains: 5 (default)
Use managed disks: Yes(Aligned) (default)
b). Create a Virtual network, say, 1VNet.East with details as
Address space: 15.0.0.0/25
Resource Group: SkyTech
Location: East US
Subnet: 1SubNet.East
Address range: 15.0.0.0/26
DDoS Protection: Basic (default)
Service endpoints: Disabled (default)
Firewall: Disabled (default)
c). Create Gateway subnet for the virtual network 1VNet.East with details as
Address range: 15.0.0.128/28 (selected automatically)
Network security group: None (default)
Route table: None (default)
Service endpoints: 0 selected (default)
Subnet delegation: None (default)
Step2: Create virtual network gateway with details as
Name: SkyTech.EastUS
Region: East US
Gateway type: VPN
VPN type: Route-based
SKU: Basic
Virtual network: 1VNet.East
Gateway subnet address range: 15.0.0.128/28 (selected automatically)
Public IP address: Create new
Public IP address: SkyTech.Pub.IP
Public IP address SKU: Basic (selected automatically)
Assignment: Dynamic (selected automatically)
Enable active-active mode: Disabled (default)
Configure BGP ASN: Disabled (default)
Step3: Generate and export certificates of the Windows 10 (on premises) computer.
a). Create a self-signed root certificate
b). Generate a client certificate
Step4: Export the root certificate public key (.cer)
Step5: Export the self-signed root certificate and private key to store it
Step6: Configure Point-to-Site Configuration in the Virtual Network Gateway
Added Address Pool like 172.16.25.0/24
Added Root Certificates and Public Certification Data of the desktop computer (on the premises).
Clicked Save and then Download VPN client.
Step7: Installed VPN client in the desktop computer (on premises)
Connected VPN.
In the ipconfig, the desktop computer is showing the address from the Address Pool (172.16.25.0/24) under PPP Adaptor.
Step8: Create virtual machine
Resource group: SkyTech
Virtual machine name: SkyTech.EastUS
Region: East US
Availability option: Availability set
Availability set: 1ASet.SkyTech
Image: Windows Server 2016 Datacenter
Authentication type: Password
Username: Admin.SkyTech
Password: Admin#123
Confirm password: Admin#123
Public inbound ports: Allow selected ports
Select inbound ports: RDP
Already have a Windows Server license: No
Disk options (OS disk type): Premium SSD
Virtual network: 1VNet.East
Subnet: 1SubNet.East
NIC network security group: Basic
Accelerated networking: Off
Place this virtual machine behind an existing load balancing solution: No
Boot diagnostic: Off
OS guest diagnostics: Off
System assigned managed identity: Off
Enable auto-shutdown: Off
Enable backup: Off
Step9: Assign a static IP to the virtual machine
In virtual machine, Settings > Networking
There are NIC Public IP: 40.82.x.x and NIC Private IP: 15.0.0.4
Click 40.82.x.x > Settings > Configuration
Assignment: Static
Then, Save
Step10: Created a DNS Server at the VNet level as follows:
Used 15.0.0.4 as a Private IP in Custom.
I tried all the above steps about times in the order of Step1 to Step10.
The issue is:
From the Windows 10 (on-premises) computer, I am able to connect to the Windows Server 2016 VM SkyTech.EastUS using RDP with both the Public IP and the Private IP.
But the two (Windows 10 and Windows Server 2016) are not able to ping each other, which I need in order to join Windows 10 to the Windows Server 2016 Domain Controller.
Moreover, after all steps (from Step1 to Step10), I added the Active Directory Domain Services role and promoted Windows Server 2016 to a Domain Controller.
Then, I tried to join Windows 10 to the Windows Server 2016 Domain Controller. I see an error message as follows:
Please let me know, what I need and where I am wrong.
Regards
TekQ
You need your VM to be able to talk to the domain controller and your VM to be able to resolve the DNS name of your domain to one of the domain controllers. Usually you just specify one or more of your domain controllers as DNS servers for the VM.
Alternatively you can set them at VNet level, so the settings are applied to all the VMs in the Vnet.
For connectivity you can use Vnet peering or Site-to-Site VPN.
Two points you have to do:
Deploy a DNS server. Usually, you could do this via adding a DNS role in the DC VM or another server in the same VNet. Specify the DNS server private IP address in the DNS servers of Azure VNet on the Azure portal.
Create an Azure VPN gateway to connect the on-premises network and the Azure VNet. In this case, for one or a few clients, you could use a P2S VPN gateway. For a corp, you could use the S2S VPN gateway. This way needs a VPN device.
Once the VPN gateway is set up and you can ping the Azure VM via its private IP address, you could join the desktop to the ADDC domain. Note, once you update the DNS or other settings in the Azure VNet, you have to re-download the VPN client to get the local DNS or route update if you have a P2S gateway.
I have set up an LB with a backend pool (only one host for test). I set up a network security group on the test host with the following rules:
Source: AzureLoadBalancer Destination: Any Action: Allow
Source: VirtualNetwork Destination: VirtualNetwork Action: Allow
Source: Any Destination: Any Action: Deny
I can't connect to the host through the LB (from a host in the same VNET).
It's a public LB and I try to connect through the public IP.
If I set up a rule Source: Any Destination: Any Action: Allow
All works fine.
Of course, I don't want this rule.
What's wrong with my setup?
Thanks.
You need to add an inbound port rule to allow connections from a remote location to the virtual machines. Find the network security group associated with the host VNet. Add the inbound port (RDP 3389, SSH 22, or another port you define yourself) which you allow to connect to the host. Additionally, you will give every rule a priority; a lower number means a higher priority.
For more information, see how to create a public Basic load balancer by using the Azure portal.
Please, I am trying to do something that should be simple... but it is not working.
I have 3 VMs in the same subnet.
The subnet has a security group in which I created an HTTP/80 inbound rule, which works.
Now, I need to open SQL to my second VM in the same subnet.
I already tried changing the security group of my VM running SQL to the same one as the IIS server.
I created my Windows firewall inbound rule too. No way.
I tried to create another rule to test whether my security group was forwarding correctly, without success.
This is my SQLIN rule:
Priority: 2100 / Source: Any / Protocol: TCP / Source port: 1433 / Target: CIDR Block: x.x.x.x/32 (server VM Azure IP (internal)) / Target port: 1433 / Action: ALLOW.
I can access my SQL through my VPN, but I need to open to the Internet.
Another test to check whether my security group is doing what I created in the rules: I tried to open RDP through port 3390 and redirect it to 3389 (because in this security group I already have 3389 published to another server...)
The rule:
Priority: 2120 / Source: Any / Protocol: TCP / Source port: 3390 / Target: CIDR block: x.x.x.x/32 (server VM Azure IP (internal)) / Target port: 3389 / Action: ALLOW.
I did not have success with either rule.
Again: Subnet is associated to this security group, and BOTH VMs are associated to this sec group.
If the 2 VMs are on the same subnet then you don't need to open up the NSG for the machines to talk to each other; you should just be able to use the Windows firewall rules. Make the SQL VM private by making sure it doesn't have a public IP, or use the NSG here. I suspect the problem is with the Windows firewall from the IIS box or into the SQL box.
I have a network with Network Security Groups enabled where I deny outbound ports 80 and 443. All outbound traffic is managed through a Squid proxy.
Now, I want to create a new Virtual Machine in this Network using the Azure ARM templates using the resource Microsoft.Compute/virtualMachines. The problem is that after creation of the Azure Storage Account the VM can't connect to it as the Outbound Port 80 and 443 are denied.
Is it possible to give the resource Microsoft.Compute/virtualMachines some proxy settings?
You'll need to use a custom script extension to call a script to change the proxy settings on the VM itself after VM creation has completed.