I have a linux vm on Azure. I opened an inbound rule for port 20212 tcp and furthermore in created a rule in iptables to allow traffic to this port.
But when i do telnet 127.0.0.1 20212 i get a connection refused error and also when i do telnet SERVER-IP 20212 i get the same error. Is there any other step in need in opening a custom port on Azure VMs
There are 3 moving pieces to this puzzle:
Network Security Group allowing a port
Linux VM firewall allowing a port
Application that is running and listening on the port
It appears that you are missing the third one.
Related
I setup an EC2 instance (Amazon Linux AMI) to host a Docker API (Flask application with Python). The application is running on port 5000. Using my local PC (which is remote), I am able to hit the API with a browser (i.e., http://ipaddress:5000/), and get the "Hello, World!" response. The issue is that when I do the same thing on another computer (my work computer), I get a connection refused error.
In the security group for the instance, these are my inbound rule settings (I know this isn't secure, it's just a Hello World example):
HTTP (TCP): Port 80, allow 0.0.0.0/0, ::/0
SSH (TCP): Port 22, allow 0.0.0.0/0
Custom TCP Rule (TCP): Port 5000, 0.0.0.0/0, ::/0
The question: Why is the firewall blocking one remote computer and not the other?
The problem: Corporate firewalls will often set outbound rules that limit which ports you can access from websites outside of your organization.
The solution: Since Port 80 is a common port used for web servers, corporate firewalls (generally) don't block outbound traffic to these ports. Therefore, I was able to fix this problem by deploying the AWS API on Port 80. Then, I was able to connect to the API from within my corporate network.
I've installed a Windows 2012 R2 VM (free tier) and enabled all ports for external communication (including port 80).
I logged in to my VM and installed nginx webserver (I've also tried to python development server).
I can access the website internally on the VM (using 127.0.0.1 or the internal address of the server 10.1....) but when trying to access it from outside, using the external IP address (which is also the IP address I used in order to login to my server using RDP) I get no response.
Can you please help me understand what I'm doing wrong?
Thanks!
As #evilSnobu points out from his comments, the short answer is to allow the TCP port 80 in the windows firewall on windows VM itself.
Usually, we could login to that Windows VM and run the CMD command netsh advfirewall set allprofiles state off to disable the windows firewall temporarily. Then we can use telnet tool to check if TCP 80 port can be connected.
When we face the same issue no response outside of Azure VM. we can try one or more of the followings:
There is an NSG at the subnet level or NIC level as well which is not allowing data through.
There is a firewall on the VM itself (windows firewall etc.)
There is nothing listening on that port. It should be listening on 0.0.0.0 instead of 127.0.0.1 when you use netstat -ano in the windows CMD.
The service is not staring when you verify the port listening.
Outbound traffic with a specific port is denied from your local machines.
Hope this helps.
I set up an Azure ubuntu VM, created the network security group, added port 80 and 8888 rules. firewall is inactive. associated nsg to the subnet of the VM. Not able to remote connect to port 8888, but telnet to port 80 ok, and port 8080 also ok, even though there is no rule allowing 8080. I experimented and removed port 80 inbound rule, but still can access port 80.
netstat -ant | grep 8888 shows one process is listening
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN
It just appears that the access is not following my inbound rules but obeying some default. What can it be doing?
As you said, your service is listening on 127.0.0.1, the service is only accessed inside VM.
You should set your service listen on 0.0.0.0 or VM's private IP.
Four reasons:
Firewall on VM level.
No application listening on said ip\port.
Network security group attached to the vm\subnet blocking traffic.
Azure Firewall (highly unlikely, preview feature).
You appear to be rocking case number 3. How to edit NSG.
I have a Linux VM on azure, which I can access using SSH without any issues. I needed access to another port(lets say 7077) from outside, and here is what i have done so far, but unable to establish connectivity
Created an inbound rule from the networking settings, it created the rule on the Network security Group attached to the network interface.
Added a new Network Security Group, attached it to the Subnet
If I do a netcat request on port 22, i get a successful connectivity, but for the port 7077 I get connection refused.
Also with IP flow verification passes for the port
Any pointer would be helpful.
You need to allow that same port in the firewall settings of the VM. The OS itself is what is refusing the connection suggesting you have not setup any firewall rules to allow that port.
Try adding a allow rule in the firewall settings and see if you can reach that port.
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
http://www.thegeekstuff.com/2011/02/iptables-add-rule/
Ubuntu 17.04
https://help.ubuntu.com/lts/serverguide/firewall.html
I know that ping'ing into Azure VMs is disabled. The following page shows how to use Sysinternals' PsPing to do a TCP-based ping:
https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/
Unfortunately, I cannot get PsPing to work from my premises to the Azure VM I have. I created an inbound rule in the Network Security Group through the Azure portal:
My Azure VM is a Windows 2012 Datacenter server. I added the following rule to its firewall:
Nevertheless, I can't get PsPing to work when targeting port 80. Incidentally, PsPing to port 3389 (the RDP port) works.
What else should I try?
You should check whether your port is listening. According to your description, it seems that port 80 is not listening on your VM. You could use the following command to check.
netstat -ant|findstr 80
Please ensure the port 80 is listening on tcp, the result should be like below:
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING InHost
Also, you should check your NSG. NSG could be associated to a subnet or a VM nic.