I set up 2 virtual machines on 2 BizSpark accounts (team members). One is for a web application and another for PostgreSQL database. Currently I connect to the Postgres server via public IP address. Is there a way to set up virtual network between the 2 servers on different accounts/subscriptionIds using the new Azure Portal?
Virtual networks do not span subscriptions (regardless of subscription type). You can still set up IP filtering on the input endpoints (or inbound network security rules, for ARM-based deployments) to only allow traffic from your source web application, since traffic is coming from a virtual machine.
Or you can also setup Vnet based Site to Site VPN between the 2 Virtual networks.
Here is some guidance : https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/
I saw two solutions for that that you can use in your case:
1) PaaS instead of IaaS
2) If VPN is absolutely mandatory, some of BizSpark startups are using OpenVPN for a few subscriptions and it works.
Related
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means when their ip changes after a disconnect/connect to the company VPN they have to go in to each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to be able to access all these services without having to individually touch each service to add their new ip address?
All services are also on the same virtual network.
Thank You
I used to work on Azure Cloud services as a DevOps in the past.
There should be multiple ways to control incoming network traffic to your landing zone or azure resources. But you should consider your requirements meet the solution.
Here are few you could take a look at which I used:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
I am considering to use Azure Lab Services and I'm trying to find a way to create everything in it with no Public IPs but I can't find a way.
I noticed I can make the VMs from each lab to use private IP using a peered Vnet with a selected address space but when I create a lab it creates the Template VM with Public IP so I tried to search for a way to change it but there were no options on changing it neither in the Azure Lab Services site or in the infrastructure. I thought maybe using Azure CLI I could create a Lab using Azure Lab Services with no Public IP but this is all the CLI PowerShell commands I found.
I'd be really grateful if anyone knows if there's a way to create a Template VM without a Public IP or if there isn't yet I'd like to know it too.
This is by design in Azure Lab Services. Azure Lab Services is a SaaS solution, which means that the resources needed by Lab Services are handled for you. The lab account is hosted in your subscription. The student VMs, along with the resources needed to support the VMs are hosted in a subscription owned by Lab Services. Here is the basic architecture:
Each organization or school will set up their own network in a way that best fits their needs. Because Azure Lab Services runs in the public cloud, some extra configuration may be needed to allow students to access their VM when connecting from the campus network, like setting firewall rules that block RDP or SSH connections to machines outside their own network.
So, each lab uses a single public IP address and multiple ports. All VMs, both the template VM and student VMs, will use this public IP address. The public IP address will not change for the life of lab. However, each VM will have a different port number. The port numbers range from 49152 to 65535. The combination of public IP address and port number is used to connect instructor and students to the correct VM.
Here are some more FAQs about Azure Lab Services.
Creating a lab that uses a private ip is now possible with the April 2022 Update of Azure Lab Services, with some caveats. An advanced networking feature call vnet-injection allows users to have more control over the network used for the lab.
You can see advanced networking architecture diagram in the using shared server article. (Sorry, I can't post images yet.)
You would need to:
Create a virtual network in your subscription.
Create a subnet that is delegated to Microsoft.LabServices/labplans.
Create a lab plan with advanced networking and connect it to previously created subnet.
Create lab using the previous lab plan.
Update NSG to deny traffic through public ip.
CAVEAT: The 'connect' button Azure Lab Services website will no longer work for students. (Known issue on the team's backlog.) You will need to provide a separate rdp file for students to use. It would contain something like:
full address:s:10.0.0.1:3389
prompt for credentials:i:1
administrative session:i:1
Is it possible to have Site to site Azure tunnel from on premises network to all vnets on Azure?
The short answer is yes, see our FAQ. The longer answer would involve understanding your requirements more. Depending on the "SKU" you pick for your VPN gateway in Azure, there is a limit to the number of tunnels. The largest SKU limits at 30 tunnels. If you need more than 30 S2S tunnels, you may want to look at Azure Virtual WAN.
Azure Virtual WAN is a networking service that provides optimized and automated branch-to-branch connectivity through Azure. Virtual WAN lets you connect and configure branch devices to communicate with Azure.
this might be a dumb question.
is it possible to restrict the access to my Azure website http://sitename.cloudapp.net so that only the computers connected to my VPN will be able to access the site?
I use cloud services, and i have a vpn on my local computer(for now). the idea is(if possible), to have a connection between my vpn (which is local network) AND my cloudservice. Then allow the site access to only the computers within the vpn
You can set up a VPN and disable the public endpoints, so only machines within the VPN have access, but I think this is only available for VM's and Cloud Services - and not Windows Azure Websites. You don't say which you use.
"Windows Azure Virtual Network provides you with the capability
to extend your network into Windows Azure..."
Channel 9 offers some useful guides
Windows Azure Virtual Machines and Virtual Networks
I am trying to connect my Windows Azure Virtual machines to my On Premise network. I have established a site to site VPN tunnel, and have created the appropriate subnets and placed a virtual machine in one of the subnets that isn't the gateway subnet.
My on premise test network is 192.168.9.x/24 my Azure Network is 10.4.x.x/16 with a subnet for DMZ - 10.4.2.x/24 and ServerNetwork at 10.4.3.x/24.
I have confirmed that the tunnel is up and running both on the Windows Azure side, as well as on my Cisco ASA 5505.
I want my servers to be able to communicate across the tunnel, however currently they cannot see each other. I am missing something, I tried static routes between the two servers, and have not had any success. Has anyone gotten this to work? If so what did you do on the networking side of the config to make it work?
Thanks,
Steve
Windows Azure Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
You can specify the address space that will be used for both your virtual network and the virtual network gateway.
Additionally, new name resolution features allow you to connect directly to role instances and virtual machines by hostname.
These features allow you to use Windows Azure as you would a branch office, or as a protected private virtual network in the cloud.
You can read more about it here:
http://msdn.microsoft.com/en-us/library/windowsazure/jj156007.aspx
Here is a lab exercise to walk you through the process:
http://www.windowsazure.com/en-us/manage/services/networking/create-a-virtual-network/