Azure Cloud Service Endpoint for VM to only allow internal access - azure

I have a VM running SQL Server. I have port 1433 open on the Windows firewall and an Endpoint on the corresponding cloud service forwarding port 57501 to 1433. I haven't specified any ACLs on that endpoint. I want the endpoint to only be accessible from a specific subnet in the VNet where the VM exists.
If I set that in the ACL, it doesn't work - the ACL only seems to care about the public IP of the client. Since the public IP may change, this isn't an option.
What's the recommended approach here? Note that I don't want to connect directly to the VM hostname because I want to use the CNAME that the cloud service sets up for me (the actual Windows computer name is a random long string).

NSGs apply rules on the incoming/outgoing traffic at a VM or cloud-service-role-instance level.
Note that NSGs default rules allow traffic within the virtual network, and outbound to Internet. All other traffic is denied by default. You need to explicitly specify rules to change this behavior or allow any other traffic in/out.
You can create an NSG rule like the one below to allow traffic only from a specific subnet within a VNet.
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
| Set-AzureNetworkSecurityRule -Name rdp-rule `
-Action Allow -Protocol TCP -Type Inbound -Priority 100 `
-SourceAddressPrefix 192.168.1.0/24 -SourcePortRange '*' `
-DestinationAddressPrefix '*' -DestinationPortRange '1433'

Is It Possible to Restrict Access to Azure Container Instance with IP restrictions

I am creating an Azure container instance to host an index for testing purposes. Currently I can only get it to work with IpAddressType set as Public, but of course this makes the index available to the world.
Is it possible to secure an Azure container instance with IP restrictions, preferably using PowerShell?
When I configure the container image with IpAddressType set as Private, I am unable to access the index.
Below is the command I am using to create the container instance:
New-AzureRmContainerGroup -ResourceGroupName $resourceGroup `
-Name indexcontainer `
-Image $image `
-IpAddressType Public `
-Location $resourceGroupLocation `
-MemoryInGB 6 `
-Cpu 2 `
-Port 9200
TODAY:
Not with Container Groups, if you open up a port on the container group, it is public to the world.
Container-Group is the little brother (mini version) of full-on AKS.
AKS, the big brother, gives you more control.
See: https://learn.microsoft.com/en-us/azure/aks/internal-lb
-IpAddressType Accepted values: Public
https://learn.microsoft.com/en-us/powershell/module/azurerm.containerinstance/new-azurermcontainergroup?view=azurermps-6.13.0
Note, the only value accepted in documentation is "Public"
However, they put the placeholder in for future arguments besides "Public", so I think they see this as a gap in functionality.
As mentioned in the above comment, you can expose them to VNET now (in Preview)
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet
Once connected to a VNET you can use Network Security Groups to only allow traffic from allowed IPs or networks. The route you are currently taking will not work.
Seems like no, at least natively with Azure Container Instance.
There are two options to deploy Azure Container Instances:
publicIP - you can't restrict access to this type of deployment.
Custom VNet - you can apply restrictions with the network security groups (NSG), but Azure Container Instances doesn't support exposing containers publicly in this case.
See documentation:
Unsupported networking scenarios:
Public IP or DNS label - Container groups deployed to a virtual network don't currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name
As an option, you can try to do the following (it supports restrictions for HTTP/HTTPS traffic only):
Put the Application Gateway before the ACI deployed in custom VNet to expose containers publicly (you can find some examples, like this one)
Add IP whitelisting restrictions to NSG in custom VNet for ACI.

Azure VM, able to RDP even when not assigned to a NSG - ARM Model

I have added a new VM to a Subnet that has no NSG assigned to. I have a NSG where I have added rules to allow 3389 (RDP) port, but I did not associate this NSG to either the Subnet or the VM n/w interface. But still I am able to RDP into it and am also being able to reach the web server. Basically n/w traffic to port 80 and 3389 is going through.
How can this happen when there is no NSG assigned? Does the VM's network interface allow this traffic by default? If so, where can I find the allowed rules and how can I restrict such traffic?
Yes, with no NSG around nothing is being blocked (imagine NSG is a firewall, what happens when there is NO firewall?).
Attach the NSG and it will work as you expect it.

Azure Network Security Groups not working? (attached to subnet)

I am trying to secure some subnets in a virtual network.
I have Virtual Network 1 with Subnets A, B, C.
I have a VM in each subnet with default endpoints (RDP and WinRM).
I used the following commands to create and attach the Network Security Group to subnet C:
$SGName = 'SecurityGroupC'
$location = 'West US'
$virtualNetwork = '1'
$subnet = 'C'
New-AzureNetworkSecurityGroup -Name $SGName -Location $Location -Label $SGName
Get-AzureNetworkSecurityGroup -Name $SGName | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VirtualNetwork -SubnetName $Subnet
I can see the default rules by running:
Get-AzureNetworkSecurityGroup -Name $SGName -Detailed
Which shows the expected default rules:
Name : SecurityGroupC
Rules :
Type: Inbound
Name                               Priority  Action  Source Address Prefix  Source Port Range  Destination Address Prefix  Destination Port Range  Protocol
----                               --------  ------  ---------------------  -----------------  --------------------------  ----------------------  --------
ALLOW VNET INBOUND                 65000     Allow   VIRTUAL_NETWORK        *                  VIRTUAL_NETWORK             *                       *
ALLOW AZURE LOAD BALANCER INBOUND  65001     Allow   AZURE_LOADBALANCER     *                  *                           *                       *
DENY ALL INBOUND                   65500     Deny    *                      *                  *                           *                       *
Type: Outbound
Name                               Priority  Action  Source Address Prefix  Source Port Range  Destination Address Prefix  Destination Port Range  Protocol
----                               --------  ------  ---------------------  -----------------  --------------------------  ----------------------  --------
ALLOW VNET OUTBOUND                65000     Allow   VIRTUAL_NETWORK        *                  VIRTUAL_NETWORK             *                       *
ALLOW INTERNET OUTBOUND            65001     Allow   *                      *                  INTERNET                    *                       *
DENY ALL OUTBOUND                  65500     Deny    *                      *                  *                           *                       *
Based on these rules my RDP endpoint on my VM in subnet C should stop working. However I am still able to RDP directly to my VM from the internet. Is there something I am missing?
When you create a VM it will create a RDP endpoint automatically. It appears that this setting overrides your Network Security Group values.
I usually add an ACL to it "0.0.0.0/0" "DENY" so I can re-enable it if I need to.
Per the function of Network Security Groups:
"Network security groups are different than endpoint-based ACLs. Endpoint ACLs work only on the public port that is exposed through the Input endpoint. An NSG works on one or more VM instances and controls all the traffic that is inbound and outbound on the VM."
The first inbound rule = "ALLOW VNET INBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK * "
This allows all traffic inside to the virtual machine. Since there is no endpoint ACL on the VM and that RDP endpoint is enabled, then traffic can get to the VM.
Update: You are correct. It should not allow RDP access. As per this link under FAQ: http://azure.microsoft.com/blog/2014/11/04/network-security-groups/
4. I have defined RDP endpoint for my VM and I am using a Network Security Group do I need a Access control rule to connect to the RDP port from Internet?
Yes, the default rules in Network Security Group does not allow access to any port from Internet, the users have to create a specific rule to allow RDP traffic.
I have just found the same thing. I also found that deleting and recreating the endpoint then allows the NSG to function as expected, i.e. it seems that if the NSG is created/linked after the endpoint, it doesn't work but if the NSG is done first, it does!
You have to apply the changes, that's why you're not getting the expected behaviour:
Set-AzureRmVirtualNetwork -VirtualNetwork $virtualNetwork
Hope this helps!
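The evaluation order behind these answers, as an added example that is not part of the thread: NSG rules are applied from the lowest priority number upward and the first match decides. The 65000/65001/65500 entries are the default rules printed above and the priority-100 rule is the one from the SQL Server question at the top of this page; the VNet address ranges and the priority-200 deny rule are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed VNet space; 168.63.129.16 is Azure's load-balancer probe address.
VNET_RANGES = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.168.1.0/24")]
LOAD_BALANCER = ipaddress.ip_address("168.63.129.16")

@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    action: str        # "Allow" or "Deny"
    source: str        # CIDR, '*', or a tag such as VIRTUAL_NETWORK
    dest_port: str     # port number as a string, or '*'
    protocol: str = "*"

def source_matches(prefix, ip):
    """Resolve a rule's source prefix (CIDR or Azure tag) against an address."""
    if prefix == "*":
        return True
    in_vnet = any(ip in net for net in VNET_RANGES)
    if prefix == "VIRTUAL_NETWORK":
        return in_vnet
    if prefix == "INTERNET":
        return not in_vnet
    if prefix == "AZURE_LOADBALANCER":
        return ip == LOAD_BALANCER
    return ip in ipaddress.ip_network(prefix)

def evaluate(rules, src_ip, dest_port, protocol="TCP"):
    """The first matching rule in priority order decides; later rules are not consulted."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (source_matches(rule.source, ip)
                and rule.dest_port in ("*", str(dest_port))
                and rule.protocol in ("*", protocol)):
            return rule.name, rule.action
    return "implicit", "Deny"

# The default inbound rules exactly as listed in the NSG output above.
DEFAULT_INBOUND = [
    Rule("ALLOW VNET INBOUND", 65000, "Allow", "VIRTUAL_NETWORK", "*"),
    Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "Allow", "AZURE_LOADBALANCER", "*"),
    Rule("DENY ALL INBOUND", 65500, "Deny", "*", "*"),
]
# The first answer's rule plus an assumed priority-200 deny: without it,
# ALLOW VNET INBOUND at 65000 would still admit every other subnet to 1433.
SQL_RULES = [
    Rule("rdp-rule", 100, "Allow", "192.168.1.0/24", "1433", "TCP"),
    Rule("deny-vnet-sql", 200, "Deny", "VIRTUAL_NETWORK", "1433", "TCP"),
]
```

With only the default rules, RDP from the Internet hits DENY ALL INBOUND, which is why an explicit allow rule is needed in the FAQ answer above; with SQL_RULES added, only 192.168.1.0/24 reaches 1433 while the rest of the VNet is still allowed on other ports.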

Azure VM: More than one Public IP

Can anyone confirm if Azure VM allows more than one Public IP? We want to host multiple website on single VM and hence want to have different IP for each website. I know we can host more VM, but that will greatly increase our expense too. So, I just want more than 1 Public IP on VM.
You can add multiple IP addresses for a cloud service. Since the VM's are "inside" the cloud service, this gives you in a way multiple public IP addresses for a virtual machine. The procedure is documented at [1]. Additional addresses currently cost about $3/month.
Here are the steps to add a new reserved IP address to a cloud service.
First create a new reserved IP address:
New-AzureReservedIP -ReservedIPName "MyIPAddress" -Location "West Europe"
Associate the IP address with cloud service:
Add-AzureVirtualIP -VirtualIPName MyIPAddress -ServiceName MyCloudService
Create an endpoint that maps the IP address to a virtual machine. If you have multiple VMs and want a load balancer, repeat this for each VM. In order to run multiple web sites, you would put each website on a different port (the local port). The endpoint listens for connections on the public port and forwards them to the virtual machine's local port.
Get-AzureVM -ServiceName MyCloudService -Name myserver `
| Add-AzureEndpoint -Name QuvastoMail -Protocol tcp `
-LocalPort 8002 -PublicPort 80 -VirtualIPName MyIPAddress `
| Update-AzureVM
[1] http://azure.microsoft.com/en-us/documentation/articles/load-balancer-multivip/
It appears you can now have multiple public IPs for a load balanced cloud service:
http://azure.microsoft.com/en-gb/updates/multiple-vips-per-cloud-service/
Now you can assign more than one load-balanced public IP address to a set of virtual machines, enabling high-availability and high-scale scenarios. You can host multiple secure websites in a cloud service or allow multiple SQL Server AlwaysOn Availability Group listeners to access the same set of virtual machines.
For more information, please visit the Load Balancer page. There is no additional charge for this feature.
You would need a different Cloud Service (either Web Role or Virtual Machine) to have different IP addresses. Yes, this will increase overall cost.
The VIP (public IP) for Windows Azure Web Roles and VMs is assigned at the Cloud Service level. Think of a Cloud Service as a logical container - it can contain web/worker roles or VMs (not both currently).
Very possible, very easy actually.
Have your apps listening at your Azure Resource Managed VM, let's say ports 3001, 3002, 3003..
Then create a Load Balancer (just search for it).
Create a Public IP Address.
Add it at your Load Balancer's Front-end Pool
Add your VM to your Load Balancer's Back-end Pool
at Inbound NAT rules of your Load Balancer, click "Add"
Select your frontend IP, your VM's network IP configuration, protocol, port and mapped port (click "Custom") to set a custom port.
Sample:
- You want your newly created public ip "52.165.147.25" to route to your vm's port 3001.
- On config that will be port 80 tcp, then port 3001 on mapped port.
- No need to enable "Floating IP (direct server return)" in case you see it.
PS:
On Linux VMs you might have to "Optimize Your Network Kernel Parameters".
Check here (scroll at bottom): http://docs.fluentd.org/v0.12/articles/before-install
sudo nano /etc/sysctl.conf
Add these entries:
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10240 65535
Note the spaces, crucial.
Save it.
sudo sysctl -p
Done.
EDIT:
On the above steps you might have to also take care of CORS (Just google it)
Also, another alternative I forgot to mention is to add NICs / Network Interfaces to your VMs. That won't be a viable option though because of Azure's max-NIC-per-VM limits.
In addition to the earlier answer about Cloud Services, it is now possible to have multiple IP addresses on an Azure VM. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal
You can only have one public IP address per deployment. So if you had 3 VMs in a single deployment, they'd share IP address. You can then choose to load-balance traffic across the instances or direct traffic to a particular VM (or role in cloud services) for a specific port number.
You can use host headers and support multiple websites in a single VM.
We are also having similar problems. We wanted to have multiple SSL certificates applied to multiple sites hosted within a Virtual Machine.
But it seems it's not possible at all. Waiting for MS to release this feature.
Comparatively, GoDaddy and other hosting providers give 2-3 free IP addresses as well, and if you need more you can request additional IP addresses easily.
Also, getting hold of support is too difficult.
MS Azure really sucks. :(

does Azure not remove shut-down nodes from load balancing?

I've got a load-balanced end-point being served by 2 vms, and I shut down one of them through the web interface, however it seems that the shut-down endpoint is still being included in the load-balancer rotation. Is this the case or am I missing a silly mistake on my part?
Are you talking about new "Windows Azure Virtual Machines" or "Web/Worker based VM"?
With Windows Azure Virtual Machines, you can create multiple separate Virtual Machines and use the PowerShell cmdlet "get-azurevm" with the parameter "-LBSetName" to set up probe-based load balancing under the same -LBSetName setting, as below:
get-azurevm -ServiceName "XXXX" -Name "XXX" | Set-AzureEndpoint -Name "HttpIn" -Protocol "tcp" -PublicPort 80 -LocalPort 80 -LBSetName "XXX" -ProbePort 80 -ProbeProtocol "http" -ProbePath "/" | Update-AzureVM
If you configured the Load Balancer and shut down the instance, the Load Balancer will still show all machines configured with the probe.