I have been working with the Azure Application Gateway and am stuck at the following error.
Here is my network diagram:
Here is the PowerShell script which I had configured:
PowerShell output:
PS C:\Users\shabbir.akolawala> Get-AzureApplicationGateway sbr2appgateway
Name : sbr2appgateway
Description :
VnetName : Group Shabs-AppGateway2 sbag2vnet
Subnets : {sbag2subnet1}
InstanceCount : 2
GatewaySize : Small
State : Running
VirtualIPs : {104.41.159.238} <-- Note IP Here
DnsName : 01b9b0e4-4cd2-4437-b641-0b5dc4e3efe7.cloudapp.net
Here, the public IP of the application gateway is 104.41.159.238.
Now, the first time I hit the gateway, I get the following output:
Note, this website doesn't render correctly, as many requests (css/images) fail with 502.
Now, when I hit this a second time, I straight away get the 502 error.
But when I hit the cloud service IP, I get my website correctly.
I had configured the Azure Gateway with the following configuration XML:
My questions are:
1] Does anyone have an idea how to access the logs which are generated in Application Gateway? (In theory, Application Gateway runs on IIS 8.5 / ARR.)
2] Any obvious error I made in the design or configuration?
It is because of timeout.
1. The probe has a 30-second timeout by default. If your application needs authentication, you will have to set a custom probe.
2. Application Gateway has a default 30-second timeout as well. If your Application Gateway cannot get a response from the backend virtual machine, it will return HTTP 502. It can be changed via the "RequestTimeout" configuration item.
PowerShell:
Set-AzureApplicationGatewayConfig -Name <application gateway name> -ConfigFile "<path to file>"
Config file:
<BackendHttpSettings>
  <Name>setting1</Name>
  <Port>80</Port>
  <Protocol>Http</Protocol>
  <CookieBasedAffinity>Enabled</CookieBasedAffinity>
  <RequestTimeout>120</RequestTimeout>
  <Probe>Probe01</Probe>
</BackendHttpSettings>
For details: https://azure.microsoft.com/en-us/documentation/articles/application-gateway-create-probe-classic-ps/
Just extending @Lang's answer for people using the Resource Manager rather than Classic. The following PowerShell script will set a new request timeout of 120 seconds for every BackendHttpSetting within the target app gateway.
# Variable setup
$agName = "my gateway name"
$rgName = "my resource group name"
$newRequestTimeout = 120
# Retrieve gateway obj
$appGW = Get-AzureRmApplicationGateway -Name $agName -ResourceGroupName $rgName
$allHttpBackendSettings = Get-AzureRmApplicationGatewayBackendHttpSettings `
    -ApplicationGateway $appGW
foreach ($s in $allHttpBackendSettings)
{
    # Retrieve existing probe (the probe name is the last segment of its resource ID)
    $probeName = $s.Probe.Id.Split("/") | Select-Object -Last 1;
    $probe = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $appGW `
        -Name $probeName
    # Update http settings
    # Note: besides the timeout, this sets cookie-based affinity to Enabled and
    # turns on host-name picking for every setting, whatever they were before
    $appGW = Set-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $appGW `
        -Name $s.Name -RequestTimeout $newRequestTimeout -Port $s.Port -Protocol $s.Protocol `
        -Probe $probe -CookieBasedAffinity Enabled -PickHostNameFromBackendAddress
}
# Persist changes to the App Gateway
Set-AzureRmApplicationGateway -ApplicationGateway $appGW
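The script above rewrites each setting through Set-AzureRmApplicationGatewayBackendHttpSettings with `-CookieBasedAffinity Enabled` and `-PickHostNameFromBackendAddress` fixed, so it can change more than the timeout. The following is an added example, not part of the original answer, that changes only `RequestTimeout` and then checks that port, protocol, affinity, host-name picking and probe are unchanged. It assumes the Az.Network module and an authenticated session; the gateway and resource group names are placeholders and `Get-SettingSnapshot` is a hypothetical helper.

```powershell
# Added example (not from the original answer). Assumes Az.Network and a
# session already authenticated with Connect-AzAccount. Names are placeholders.
$agName = "my gateway name"
$rgName = "my resource group name"
$newRequestTimeout = 120

# Hypothetical helper: one comparable string per backend HTTP setting,
# covering every field that is supposed to stay the same.
function Get-SettingSnapshot($gateway) {
    $snap = @{}
    foreach ($s in $gateway.BackendHttpSettingsCollection) {
        $probeId = if ($s.Probe) { $s.Probe.Id } else { "" }   # a setting may have no custom probe
        $snap[$s.Name] = "{0}|{1}|{2}|{3}|{4}" -f $s.Port, $s.Protocol,
            $s.CookieBasedAffinity, $s.PickHostNameFromBackendAddress, $probeId
    }
    return $snap
}

$appGW  = Get-AzApplicationGateway -Name $agName -ResourceGroupName $rgName
$before = Get-SettingSnapshot $appGW

# Change only the timeout on the in-memory objects.
foreach ($s in $appGW.BackendHttpSettingsCollection) {
    Write-Host ("{0}: RequestTimeout {1} -> {2}" -f $s.Name, $s.RequestTimeout, $newRequestTimeout)
    $s.RequestTimeout = $newRequestTimeout
}

# Persist, then re-read the gateway and compare against the snapshot.
Set-AzApplicationGateway -ApplicationGateway $appGW | Out-Null
$after = Get-SettingSnapshot (Get-AzApplicationGateway -Name $agName -ResourceGroupName $rgName)

foreach ($name in $before.Keys) {
    if ($before[$name] -ne $after[$name]) {
        Write-Warning ("Setting '{0}' changed beyond RequestTimeout: {1} -> {2}" -f `
            $name, $before[$name], $after[$name])
    }
}
```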
I created custom health checks, but never saw attempts in the webserver access log.
So I just set a route on the backend to serve any domain, including the IP address, and added htpasswd protection to the real domains.
Azure Application Gateway checks http://backend_ip:80/ and became a happy gateway :)
Related
I am trying to set up my first Azure point-to-site VPN. If I'm reading things correctly, the URL I get from this PowerShell code:
$profile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup -Name $GWName -AuthenticationMethod "EapTls"
$profile.VPNProfileSASUrl
should download an executable called VpnClientSetupAMD64.exe that will be in the WindowsAmd64 folder of the downloaded zip file. That executable should do the setup on the native Win 10 1909 client.
The zip file I get doesn't have any executable in it and doesn't have that directory in it. I only get the XML and OVPN files with the config data for the VPN client.
I also tried using the Download VPN Client selection in the GUI Azure portal on the VnetGW/point-to-site page and I get the identical zip file - still no setup exe.
I looked for a way to either directly download the VpnClientSetupAMD64.exe file or to specify the azurevpnconfig.xml file that I do get as a parameter to set up the VPN client, but I see nothing applicable.
I understand that I can manually configure the VPN client using the info I have but that doesn't scale.
Can someone give me any pointers?
I had the same issue trying to set up Azure P2S VPN today; the downloaded VPN client is just a configuration file.
Did a bit of research and found the solution: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client
Open the Windows Store and install the app "Azure VPN Client". Then you can run Azure VPN Client and import the configuration file.
By default, the tunnel type is OpenVPN (SSL) in the point-to-site configuration UI. Before you generate files using PowerShell, you should set the VpnClientProtocol to SSTP and IKEv2, or one of them, because they are used for Windows clients. Then you will get the VpnClientSetupAMD64.exe file. You could get more details here.
You could also refer to "create a VPN gateway and add point-to-site configuration using PowerShell".
New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"
# Add the VPN client address pool
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool
# Create a self-signed root certificate
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
# Export the root certificate to "C:\cert\P2SRootCert.cer"
# Upload the root certificate public key information
$P2SRootCertName = "P2SRootCert.cer"
$filePathForCert = "C:\cert\P2SRootCert.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `
-VirtualNetworkGatewayname "VNet1GW" `
-ResourceGroupName "TestRG1" -PublicCertData $CertBase64
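The answer's script names the export step only in a comment. The following is an added example, not part of the original answer, of one way to perform that export so that only the public certificate reaches the file, and to check the file before its Base64 data is uploaded. It assumes the root certificate was created as shown above with subject CN=P2SRootCert in Cert:\CurrentUser\My, and uses the path from the answer.

```powershell
# Added example (not from the original answer). Assumes the self-signed root
# "CN=P2SRootCert" exists in Cert:\CurrentUser\My, as created above.
$filePathForCert = "C:\cert\P2SRootCert.cer"

# Pick the newest matching root in case several were generated during testing.
$root = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=P2SRootCert" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $root) { throw "No certificate with subject CN=P2SRootCert in CurrentUser\My" }

# Export-Certificate writes the certificate only; the private key stays in the store.
New-Item -ItemType Directory -Path (Split-Path $filePathForCert) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $filePathForCert -Type CERT | Out-Null

# Reload the file and check what is about to be uploaded to the gateway.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
if ($exported.HasPrivateKey) {
    throw "Exported file carries a private key; do not upload or share it"
}
if ($exported.Thumbprint -ne $root.Thumbprint) {
    throw "Exported certificate does not match the root in the store"
}
if ($exported.Subject -ne $exported.Issuer) {
    throw "Certificate is not self-signed; expected a root certificate"
}
$keyUsage = $exported.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
if (-not $keyUsage -or -not ($keyUsage.KeyUsages -band $certSign)) {
    throw "Root certificate lacks the CertSign key usage needed to issue client certificates"
}

# Public certificate data in the form New-AzVpnClientRootCertificate expects.
$CertBase64 = [System.Convert]::ToBase64String($exported.RawData)
Write-Host ("Ready to upload {0} (thumbprint {1}, expires {2:u})" -f `
    $exported.Subject, $exported.Thumbprint, $exported.NotAfter)
```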
On Azure Portal, I am able to setup path-based rules which have some default setting, and a list of sub-rules (UrlPathMap).
Each of those sub-rules has a name, paths, backend pool, and HTTP setting that have to be configured.
As I can see I can update this map easily through Azure Portal.
I want to be able to create such sub-rules dynamically from code as part of the application installation. I would prefer to do this directly from .NET (ASP.NET Core 3.1) application, but Azure CLI or Azure Powershell script should be OK for me as well.
At this point, I have tried to use the Microsoft.Azure.Management.Fluent library, Azure CLI and Azure PowerShell, but I do not see a direct option to do what is needed.
Will be really glad to get some help here.
According to my test, we can use the following PowerShell script to create a sub-rule.
Connect-AzAccount
$groupName=""
$gatewayName=""
$poolName=""
$httpName=""
$pathRuleName=""
# get original sub-rule in your path rule
$appgateway=Get-AzApplicationGateway -Name $gatewayName -ResourceGroupName $groupName
$pathmap=Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $appgateway -Name $pathRuleName
$t = $pathmap.PathRules.ToArray()
# add a new sub-rule to the path rule
# 1. get the required backend pool and backend HTTP settings
$pool=Get-AzApplicationGatewayBackendAddressPool -Name $poolName -ApplicationGateway $appgateway
$http=Get-AzApplicationGatewayBackendHttpSetting -Name $httpName -ApplicationGateway $appgateway
# 2. create the sub-rule
$r=New-AzApplicationGatewayPathRuleConfig -Name "rule01" -Paths "/path" -BackendAddressPool $pool -BackendHttpSettings $http
$t += $r
# 3. update the path rule to add the new sub rule
# (note: this call also sets the map's default pool and HTTP settings to $pool and $http)
Set-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $appgateway -Name $pathmap.Name -PathRules $t -DefaultBackendAddressPool $pool -DefaultBackendHttpSettings $http
# 4. make the update effective
Set-AzApplicationGateway -ApplicationGateway $appgateway
I'm trying to create a new Backend Pool in PowerShell.
In Azure's UI, these Backend Pools can refer to an App Service (e.g. a single container).
The PowerShell cmdlet however doesn't appear to support this, as far as I can see:
$AppGw = Get-AzureRmApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "Pool02" -BackendIPAddresses "10.10.10.10", "10.10.10.11"
$AppGw = Get-AzureRmApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "Pool02" -BackendFqdns "contoso1.com", "contoso1.com"
I was hoping that it would be something along the lines of...
$AppService = Get-AzureRmWebApp -Name 'WebApp01'
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name 'Pool02' -BackendWebApp $AppService
Does anyone know if there's any way around this?
For PowerShell, it seems there is no cmdlet that can achieve what you expected:
Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name 'Pool02' -BackendWebApp $AppService
In the Azure portal, it is just convenient for people to find the App Service with the type App Services and get the FQDN. But for PowerShell cmdlet, it is more direct to input the FQDN.
By the way, people usually use an FQDN to access Azure Web Service. You can get more details about Configure App Service Web Apps with Application Gateway here.
I am running the following commands to try and create a new Backend Address Pool in Azure's Application Gateway service.
$NewBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "MHA-DEVOPS-TEST-2" -BackendFqdns "test.com"
Write-Host "Provisioning state: $($NewBackendPool.ProvisioningState)" -ForegroundColor Magenta
$NewBackendPool
The output I get is as follows:
I receive no error, but the ProvisioningState value is blank and when I try to attach this to my Application Gateway using the Add-AzureRmApplicationGatewayBackendAddressPool, nothing fails but the Backend Address Pool is definitely not created/attached.
Where am I going wrong?
Try the command below, it will work fine.
$AppGw = Get-AzureRmApplicationGateway -Name "<Your ApplicationGateway Name>" -ResourceGroupName "<ResourceGroupName>"
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "test11" -BackendFqdns "test11.com"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
Result snippet:
Check in the portal:
I have followed this article and I didn't miss any step except the sharing config, which I don't need. Like the article says, I have created a local user with the same name and password. On the 'Test Settings' option, 'Authentication' passed (ignored the 'Authorization' error as mentioned).
I'm able to see the Azure files in the content view of the virtual directory. But when I browse, it says
HTTP Error 500.19
"The requested page cannot be accessed because the related configuration data for the page is invalid."
Config Error Cannot read configuration file
It is actually looking for a config file at the UNC path \\staticcontent.file.core.windows.net\repo.
Here are the steps I had followed. Reach out to me at renash at microsofyt dot com if you have questions.
http://fabriccontroller.net/deploying-a-load-balanced-high-available-ftp-server-with-azure-files/
Step 1
Configure an availability set for Windows virtual machines in the classic deployment model
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/classic/configure-availability
Step 2
$vm1name = 'cltkdemovm1'
$vm2name = 'cltkdemovm2'
$servicename= 'cltkdemodomain'
Login-AzureRmAccount
Select-AzureSubscription -SubscriptionName "Windows Azure Internal Consumption"
$vm = Get-AzureVM -Name $vm1name -ServiceName $servicename
.\Add-AzureFtpEndpoints.ps1 $vm 21 10000 10050
$vm = Get-AzureVM -Name $vm2name -ServiceName $servicename
.\Add-AzureFtpEndpoints.ps1 $vm 21 20000 20050
Step 3
On vm1:
Install-FTP.bat cltkdemoftp <storageaccountname> <storageaccountkey> <sharename> 21 10000 10050 <VMIPAddress>
Example:
Install-FTP.bat cltkdemoftp cltkdemosa <storage account key>== ftp 21 10000 10050 40.76.29.172
On vm2:
Install-FTP.bat ctdemoftp cltkdemosa <storage account key>== ftp 21 20000 20050 <VMIPAddress>
Example:
Install-FTP.bat cltkdemoftp cltkdemosa <storage account key>== ftp 21 20000 20050 40.76.29.172
Step 4
Added sa to IISUser Group
Add sa to Application Pool -> Poolname -> Advanced Settings -> Identity
On VM2
Added sa to IISUser Group
Add sa to Application Pool -> Poolname -> Advanced Settings -> Identity