I have a Cloud Service Worker Role in Azure which has been set up with a Reserved IP address. The goal of the Reserved IP is so when the worker role makes external requests it will always come from the same IP. No external traffic is received by the service and no internal communication is required.
EDIT: The Reserved IP was associated with the Cloud Service using the following Azure Powershell command:
Set-AzureReservedIPAssociation -ReservedIPName uld-sender-ip -ServiceName uld-sender
This added the following NetworkConfiguration section into the .cscfg file:
<NetworkConfiguration>
<AddressAssignments>
<ReservedIPs>
<ReservedIP name="uld-sender-ip" />
</ReservedIPs>
</AddressAssignments>
</NetworkConfiguration>
Now, when I try and re-deploy the service or update the configuration settings in Azure, I get the following error:
The operation '5e6772fae607ae0ca387457883bf2974' failed: 'Validation
Errors: Error validating the .cscfg file against the .csdef file.
Severity:Error, message:ReservedIP 'uld-sender-ip' was not mapped to
an endpoint. The service definition must contain atleast one endpoint
that maps to the ReservedIP..'.
So, I have tried adding an Endpoint to the .csdef file like so:
<Endpoints>
<InternalEndpoint name="uld-sender-ip" protocol="tcp" port="8080" />
</Endpoints>
In addition, I have entered NetworkTrafficRules to the .csdef like so:
<NetworkTrafficRules>
<OnlyAllowTrafficTo>
<Destinations>
<RoleEndpoint endpointName="uld-sender-ip" roleName="Sender"/>
</Destinations>
<AllowAllTraffic/>
</OnlyAllowTrafficTo>
</NetworkTrafficRules>
But I still get the same error.
My understanding is that endpoints are only required for internal communication between worker/web roles, or to open a port to receive external communication.
EDIT: My question is how do you map a Reserved IP to an Endpoint for this scenario?
To avoid getting the error while trying to update the configuration settings or re-deploy the service, I ran the Azure Powershell command to remove the reserved ip association with the service:
Remove-AzureReservedIPAssociation -ReservedIPName uld-sender-ip -ServiceName uld-sender
Then I was able to edit and save the configuration settings in Azure, and/or re-deploy the service. Once the service is updated I ran the Azure Powershell command to set the reserved ip association with the service:
Set-AzureReservedIPAssociation -ReservedIPName uld-sender-ip -ServiceName uld-sender
This is obviously not the ideal solution but at least I can make changes to the service if needed. Hope this helps someone.
Related
Currently I am trying to use Api Management to expose an Azure Function http trigger that is within a vnet.
After setting everything up, I tried a simple GET request and I'm getting a 500 error telling me
"messages": [
"Error occured while calling backend service.",
"The remote name could not be resolved: '<function-name>.azurewebsites.net'"
]
My Azure function was:
Created with a premium plan.
enabled inbound traffic with a private endpoint.
deployed in the same Vnet as my api management service.
Added a httpTrigger template from the portal
Was set up with a Azure managed DNS name
My api management service was created in external mode and I linked my function to Api Management in the portal.
Things I've tried:
I've double checked that the correct security group rules have been opened for api management to work
I've ensured that both my api management (external) is in the same vnet as my Serverless function
I deployed a vm to the same virtual network and was unable to resolve the dns name of my function there. Used ping, telnet, nslookup.
Tried adding application settings to my function to specify the azure dns server, among other settings.
Ive check that my private dns zone is linked with my vnet.
Seems like a DNS name resolving issue, but I can't seem to fix it. Any ideas on what could be causing this error?
update
So it seems to be an issue with my private endpoint. Every function I create without one works fine, but I would still like to have the private endpoint so it isn't accessible from the internet.
I know I could probably lockdown my function to only be called from the api management gateway ip, but I would rather not have to hard code IPs if I don't have too.
Thank you MayankBargali-MSFT | Microsoft Docs Posting your suggestion as answer to help other community members.
As per the error, the APIM is not able to resolve your azure function
app. Can you please verify if the custom DNS is correctly setup and
you can refer to this
document
for more details. Outbound access on port 53 is required for
communication with DNS servers. If a custom DNS server exists on the
other end of a VPN gateway, the DNS server must be reachable from the
subnet hosting API Management. I will also suggest you to review this
document for the setup part.
Reference: External api management service can't resolve Azure function service name - Microsoft Q&A
I have a worker role that hosts an ApiController, and it currently communicates with the public internet via http and https input endpoints I've defined in its Service Configuration file.
I would like to put this API behind an Azure APIM API, and have all traffic go through there, rather than hitting the worker role directly. I'm most of the way there, but am having trouble ensuring the worker role can't be hit directly from the public internet.
Currently:
I've created an ARM virtual network, and an Azure APIM API
I've configured our API to run on the ARM virtual network
I also created a classic virtual network and configured our worker role to deploy to it
I've defined a peering in the ARM virtual network between it and our classic virtual network
The API's Web service URL is set to the Cloud Service's Site URL value
Our worker role configuration file currently has http and https input endpoints that can be hit from the public internet
I currently have a url that maps to the Virtual IP (VIP) address of my API Management service, and can successfully make requests to my API via that url.
I believe the best way for me to prevent my worker role from being accessed directly from the public internet would be defining Access Control List rules in its configuration file that would only allow calls originating from my APIM API. It would look something like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="?" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>
I'm not sure what the correct value would be for the remoteSubnet property. I tried entering the Address space value of my ARM Virtual Network (which my APIM API resides on), but that didn't seem to work, test calls returned a 500 status.
Is this the right approach? Also, is there a way to ensure that my APIM API makes a call directly through the peered virtual networks? Right now I believe it's still going through the public internet.
I was on the right track. The only thing I needed to change was the value of remoteSubnet. Rather than the address space of the ARM virtual network, I needed to include the API Management service's VIP. The relevant section of the .cscfg file looked like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="<VIP address of APIM service>/32" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>
I am trying to associate a reserved IP with an App Service and NOT a VM.
I have successfully created a reserved IP, but unable to associate it to an existing App Service.
Here is the list of commands I am using in windows power shell.
> Add-AzureAccount (successful)
> Select-AzureSubscription (successful)
> New-AzureReservedIP –ReservedIPName PrevigeoWebReservedIP –Location
"North Europe" -ServiceName XXX (unsuccessful)
> Get-azureservice -servicename XXX (unsuccessful)
My question is: Is it conceptually wrong to associate a reserved IP address to a App Service? Is it possible only with a VM?
Is it possible to associate a reserved IP to an App Service, what am I missing here?
I am sure that the App Service with name XXX is present in the Azure subscription. I have only one subscription as a matter of fact.
Windows power shell version is:
Major Minor Build Revision
----- ----- ----- --------
5 1 14393 187
[Update] Background: I am doing this to restrict only our Azure Wep App to access our Azure API App. I am trying to achieve this using the ipconfig element in web.config file. For this to work, I believe that we need have static outbound IP addresses, which are not shared by other tenants (else it will be a security issue). In this context, I am not sure if a static inbound IP will help us.
Azure Web Apps work within a multi-tenant environment. So, in general, you cannot assign a reserved IP address to a Web App.
If you set up an IP-based SSL certificate, then a dedicated inbound IP address will be assigned to your web app. Not quite the same as a reserved IP (since it's not one you create/assign).
I started to play with Service Fabric very recently. I added a new Service Fabric cluster on Azure (unsecure) and I created a demo solution with 2 stateless Web API Services as follows:
Endpoint configuration for AnotherAPI is the following:
<Endpoints>
<!-- This endpoint is used by the communication listener to obtain the port on which to
listen. Please note that if your service is partitioned, this port is shared with
replicas of different partitions that are placed in your code. -->
<Endpoint Protocol="http" Name="ServiceEndpoint" Type="Input" Port="8698" />
</Endpoints>
I am able to access to the default controller (ValuesController) using the local endpoint:
http://localhost:8698/api/values
But when I try to use the azure endpoint I get an ERR_CONNECTION_TIMED_OUT error on Chrome.
http://{azure-ip-address}:8698/api/values
Is there anything that I am missing?
You have to open that port in your azure cluster via a Load Balancer Probe. You can do this at cluster creation time via ARM template or after the fact. For an existing cluster, go to the resource group, then the LB Balancer, then probes. The default open port in SF is 19080 though. If you just switch to that port it will work if you are not using SSL.
Can someone please post a sample code for using InstanceInput endpoints?
I used the below configuration in a worker role where a sample WCF service listens at port 8080.
<Endpoints>
<InstanceInputEndpoint name="InstanceAccess" protocol="tcp" localPort="8080">
<AllocatePublicPortFrom>
<FixedPortRange max="10105" min="10101" />
</AllocatePublicPortFrom>
</InstanceInputEndpoint>
</Endpoints>
But I was not able to access this WCF service from an external consumer using any of the ports 10101 to 10105. Should we use the public DNS name of the Azure service along with the public ports in the give range?
Also, I was not able to access this endpoint details from within the worker role OnStart() method. I used RoleEnvironment.CurrentRoleInstance.InstanceEndpoints["InstanceAccess"]. But it does not return a RoleInstanceEndpoint. Am I missing something here?
Here is a sample Visual Studio solution which uses Azure InstanceInput endpoint and hosts a WCF service on a worker role. The WCF service running on each of the individual instances can be accessed using the Azure DNS name and the public port mapped to that instance. I used the following endpoint configuration.
<Endpoints>
<InstanceInputEndpoint name="Endpoint1" protocol="tcp" localPort="10100">
<AllocatePublicPortFrom>
<FixedPortRange max="10110" min="10106" />
</AllocatePublicPortFrom>
</InstanceInputEndpoint>
</Endpoints>
This endpoint was somehow not accessible from within the WorkerRole (both OnStart() and Run() methods). So I used 'localhost'.
string endpointIP = "localhost:10100";
if (RoleEnvironment.CurrentRoleInstance.InstanceEndpoints.Keys.Contains("Endpoint1"))
{
IPEndPoint externalEndPoint = RoleEnvironment.CurrentRoleInstance.InstanceEndpoints["Endpoint1"].IPEndpoint;
endpointIP = externalEndPoint.ToString();
}
The solution also contains a console client which uses the hosted DNS name to invoke these individual WCF services.
InstanceInput endpoint is not working locally but once deployed it is working fine and assigned a different port for each instance, based on the port range it is allowed to create an instance, you cannot create instance more than the specified port range in the configuration. for example, port range is 101 - 105 you can create only 5 instance