I've created Virtual Machines and assigned them the Endpoints.
Question:
Let's assume I have one endpoint:
1 For port 4444 with two ACLs:
1.1 order=1, action=Permit, ip=3.3.3.3/32
1.2 order=2, action=Deny, ip=0.0.0.0/0
Does it mean that it's possible to connect to this instance only from IP 3.3.3.3 and only to port 4444? All other connections from other IPs or to other ports will be rejected? Including the SSH ones?
This question should be moved to ServerFault, but...
You opened a single endpoint on port 4444. Therefore, only traffic targeted at port 4444 will get through.
You set up a mask with an exact IP address (3.3.3.3/32). That is the only IP address that will be allowed through, on port 4444.
If you set up your VM in Azure, you get an SSH port created for you. You can assign ACLs to that port as well, but each port will have its own ACLs. So your ACL on port 4444 doesn't impact the SSH port.
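An added example (not code from the question or the answer) that models the first-match-wins evaluation of the endpoint ACL described above: rules are checked in ascending `order`, a port with no endpoint is unreachable, and an endpoint with no ACL accepts any source. The fallback when an ACL exists but no rule matches is an assumption (Deny); the scenario data is constructed from the question.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclRule:
    order: int
    action: str          # "Permit" or "Deny"
    remote_subnet: str   # CIDR, e.g. "3.3.3.3/32" or "0.0.0.0/0"


@dataclass
class Endpoint:
    public_port: int
    acl: List[AclRule] = field(default_factory=list)


def evaluate_acl(rules: List[AclRule], src_ip: str) -> str:
    """The first rule (by ascending order) whose subnet contains src_ip decides.
    If no rule matches, this example assumes Deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.order):
        if src in ipaddress.ip_network(rule.remote_subnet, strict=False):
            return rule.action
    return "Deny"


def check_connection(endpoints: Dict[int, Endpoint], dst_port: int, src_ip: str) -> Tuple[str, str]:
    """Decide whether src_ip may reach dst_port on the VM, with a reason."""
    ep = endpoints.get(dst_port)
    if ep is None:
        return "Deny", f"no endpoint opened on port {dst_port}"
    if not ep.acl:
        return "Permit", f"endpoint {dst_port} has no ACL, so every source is allowed"
    return evaluate_acl(ep.acl, src_ip), f"endpoint {dst_port} ACL evaluated for {src_ip}"


# Constructed scenario from the question: port 4444 with the two ACL rules,
# plus a separate SSH endpoint on port 22 that carries no ACL of its own.
ENDPOINTS = {
    4444: Endpoint(4444, [AclRule(1, "Permit", "3.3.3.3/32"), AclRule(2, "Deny", "0.0.0.0/0")]),
    22: Endpoint(22),
}

if __name__ == "__main__":
    for port, ip in [(4444, "3.3.3.3"), (4444, "5.5.5.5"), (8080, "3.3.3.3"), (22, "5.5.5.5")]:
        print(port, ip, check_connection(ENDPOINTS, port, ip))
```

Swapping the two `order` values puts the Deny 0.0.0.0/0 rule first, after which 3.3.3.3 is also denied, which is why rule order matters.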
When I try to do RDP, it doesn't work.
sudo netstat -plnt | grep rdp
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 106888/xrdp-sesman
The above command is supposed to return one more line having port 3389 as open, but it doesn't.
In the NSG, I have opened inbound connections on port 3389, and in a connection test in the Azure console, it shows that inbound connections to the port are working.
This doesn't make sense to me.
I assume that you created a Windows/Linux VM from a Marketplace image, so by default 3389 is allowed inside Windows Firewall; for Linux, port 3389 might be your service running on this port. When you create an NSG rule for traffic from outside, you must use the private IP of your VM.
You need to make sure that your NSG is associated either to your NIC or to the SUBNET of the VM, so I suggest you test it using Network Watcher. Use the same Remote IP address 200.200.200.200 and port 45654 (it is up to you; it must have a public IP and a port for the source). For the local IP address and port, you put information about your VM (private IP). In my case port 3389 is not allowed.
Another test you can do, in case that you have another VM in the same SUBNET of this one, try to telnet PRIVATE_IP 3389.
I've installed a Windows 2012 R2 VM (free tier) and enabled all ports for external communication (including port 80).
I logged in to my VM and installed the nginx webserver (I've also tried the Python development server).
I can access the website internally on the VM (using 127.0.0.1 or the internal address of the server 10.1....) but when trying to access it from outside, using the external IP address (which is also the IP address I used in order to login to my server using RDP) I get no response.
Can you please help me understand what I'm doing wrong?
Thanks!
As #evilSnobu points out in his comments, the short answer is to allow TCP port 80 in the Windows firewall on the Windows VM itself.
Usually, we could log in to that Windows VM and run the CMD command netsh advfirewall set allprofiles state off to disable the Windows firewall temporarily. Then we can use the telnet tool to check if TCP port 80 can be connected.
When we face the same issue (no response from outside the Azure VM), we can try one or more of the following:
There is an NSG at the subnet level or NIC level as well which is not allowing data through.
There is a firewall on the VM itself (windows firewall etc.)
There is nothing listening on that port. It should be listening on 0.0.0.0 instead of 127.0.0.1 when you use netstat -ano in the Windows CMD.
The service is not started when you verify the port is listening.
Outbound traffic on a specific port is denied from your local machine.
Hope this helps.
I set up an Azure Ubuntu VM, created the network security group, and added port 80 and 8888 rules. The firewall is inactive. I associated the NSG to the subnet of the VM. I am not able to remotely connect to port 8888, but telnet to port 80 is OK, and port 8080 is also OK, even though there is no rule allowing 8080. I experimented and removed the port 80 inbound rule, but can still access port 80.
netstat -ant | grep 8888 shows one process is listening
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN
It just appears that the access is not following my inbound rules but obeying some default. What can it be doing?
As you said, your service is listening on 127.0.0.1, so the service is only accessible inside the VM.
You should set your service to listen on 0.0.0.0 or the VM's private IP.
Four reasons:
Firewall on VM level.
No application listening on said IP\port.
Network security group attached to the vm\subnet blocking traffic.
Azure Firewall (highly unlikely, preview feature).
You appear to be rocking case number 3. How to edit NSG.
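An added checker (not code from any of the posts) that reads Linux netstat-style listener lines like the ones quoted above and reports, for a given port, whether nothing is listening, the service is bound to loopback only (the port 8888 case, which no NSG or firewall rule can fix), or it is bound on all interfaces or a specific address. The sample output is constructed, modelled on the lines in the posts.

```python
from typing import Dict, List

# Constructed netstat -ant / -plnt style output (not captured from a real VM),
# modelled on the lines quoted in the posts above.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:3350          0.0.0.0:*               LISTEN      106888/xrdp-sesman
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 10.1.0.4:20212          0.0.0.0:*               LISTEN
"""

WILDCARDS = {"0.0.0.0", "::"}      # bound on every interface
LOOPBACKS = {"127.0.0.1", "::1"}   # reachable from inside the VM only


def parse_listeners(netstat_output: str) -> Dict[int, List[str]]:
    """Map each listening TCP port to the local addresses it is bound on."""
    listeners: Dict[int, List[str]] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # ":::22" splits into "::" and "22"
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def listener_scope(netstat_output: str, port: int) -> str:
    """Classify reachability of a port from its bind address alone:
    'not-listening', 'loopback-only', 'all-interfaces' or 'specific-ip'."""
    addrs = parse_listeners(netstat_output).get(port)
    if not addrs:
        return "not-listening"
    if any(a in WILDCARDS for a in addrs):
        return "all-interfaces"
    if all(a in LOOPBACKS for a in addrs):
        return "loopback-only"
    return "specific-ip"


HINTS = {
    "not-listening": "nothing is bound here; start the service before touching NSG or firewall rules",
    "loopback-only": "bound to 127.0.0.1 only; no NSG or firewall rule can expose it, rebind to 0.0.0.0 or the private IP",
    "all-interfaces": "bound on all interfaces; if still unreachable, check the NSG, then the VM firewall",
    "specific-ip": "bound to one address only; it answers on that address alone",
}


def explain(netstat_output: str, port: int) -> str:
    scope = listener_scope(netstat_output, port)
    return f"port {port}: {scope} ({HINTS[scope]})"


if __name__ == "__main__":
    for p in (3389, 8888, 80, 22, 20212):
        print(explain(SAMPLE_NETSTAT, p))
```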
I have a Linux VM on Azure. I opened an inbound rule for port 20212 TCP and furthermore I created a rule in iptables to allow traffic to this port.
But when I do telnet 127.0.0.1 20212 I get a connection refused error, and also when I do telnet SERVER-IP 20212 I get the same error. Is there any other step I need in opening a custom port on Azure VMs?
There are 3 moving pieces to this puzzle:
Network Security Group allowing a port
Linux VM firewall allowing a port
Application that is running and listening on the port
It appears that you are missing the third one.
What is the concept of Private Ports in Azure Virtual Machines? What is its key advantage or use case? In the scenarios I checked, for the RDP endpoint the Public Port is 3389 and the private port takes up some random port number.
In order to access the VM via RD, I am forced to open that private port as well to access it. In a few places I have seen that for an HTTP endpoint both the Private Port and the Public Port are made 80 for access?
What is the theory behind this?
Windows Azure places all of your Virtual Machines behind a load balancer. All of your virtual machines can open outbound connections. For inbound connections, you need to explicitly open ports in the firewall. These are input endpoints and instance input endpoints:
Input endpoints are used when you'll load-balance traffic across virtual machines (e.g. a web server)
Instance input endpoints would allow you to have a connection straight to a specific virtual machine (e.g. a database server)
Now, regarding public and private ports: Public ports are the port numbers exposed to the outside world. So for a web site, maybe that's port 80. You can then map that port to a port on the virtual machine itself. Maybe you run your web server on port 8000 for some reason. In this case, you can map public port 80 to private port 8000.
Now imagine SSH. SSH likes to listen on port 22. But if you have, say, 3 Linux VMs in a single service, there's simply no way to access all of them on port 22, since they all share an IP address. Therefore you'd need a specific port number for each machine. In this case, you'd assign, say, port 20000 to vm1, 21000 to vm2, etc. on the public port side, as an Instance Input Endpoint pointing to a specific virtual machine instance at port 22 on the private port side.
Hopefully that makes some sense... :)