I have an Azure cloud service hosted at example.cloudapp.net, and within the portal I have configured two virtual networks: one that is linked to a disaster recovery site and one that is linked to the main site.
I was successfully able to deploy the cloud service to within the virtual network by using the following configuration in the ServiceConfiguration.Cloud.cscfg:
<NetworkConfiguration>
  <VirtualNetworkSite name="VNET1" />
  <AddressAssignments>
    <InstanceAddress roleName="mybudget">
      <Subnets>
        <Subnet name="CloudService" />
      </Subnets>
    </InstanceAddress>
    <ReservedIPs>
      <ReservedIP name="mycloudservice" />
    </ReservedIPs>
  </AddressAssignments>
</NetworkConfiguration>
I want to deploy the Cloud Service not only to VNET1 but also to VNET2. Is there any way of deploying to additional VNETs at the same time? The subnets are named the same, although they have different values. Any help on this would be greatly appreciated.
No, the same cloud service cannot be deployed to two different VNets. You can create a replica of the cloud service by using the same configuration files but in a new cloud service.
I have deployed a cloud service (classic) to an Azure Virtual Network (classic), using this config:
<NetworkConfiguration>
  <VirtualNetworkSite name="Group Group test" />
  <AddressAssignments>
    <InstanceAddress roleName="webrole1">
      <Subnets><Subnet name="webroles" /></Subnets>
    </InstanceAddress>
    <InstanceAddress roleName="webrole2">
      <Subnets><Subnet name="webroles" /></Subnets>
    </InstanceAddress>
    <InstanceAddress roleName="workerrole">
      <Subnets><Subnet name="workerroles" /></Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
The roles are up and running, but they are not appearing under 'Resources in this subnet' in the portal. It therefore looks like the roles haven't been deployed to the virtual network. Are there any PowerShell commands I can run to list the resources deployed to a virtual network, or to list the subnets connected to a cloud service?
I tried to add a Cloud Service (classic) to a Virtual Network (classic), but an error appears when I deploy (new portal, Update your deployment):
The update deployment operation failed for the domain 'developementtajgowebservicev1' in the deployment slot 'staging' with the name 'not working': 'The virtual network devvirtual-Network does not exist.'.
I added this code after the Role tag in the config file.
<NetworkConfiguration>
  <VirtualNetworkSite name="devvirtual-Network"/>
  <AddressAssignments>
    <InstanceAddress roleName="WorkerRole1">
      <Subnets>
        <Subnet name="Subnet-1"/>
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
A virtual network with this name exists in the same subscription.
There's a solution for this issue here: https://thelonedba.wordpress.com/2015/07/17/new-azurevm-badrequest-the-virtual-network-foo-does-not-exist/
Basically, the problem seems to be that the Azure portal's name for the network isn't the same as the name you need to use in the cloud service configuration.
I was able to get the "correct" name by using the Azure CLI tools:
azure network export networks.json
And then examining the networks.json file.
In my case, the "correct" name of the Virtual Network was "Group [ResourceGroup] [NetworkName]" (i.e., if the network is called "network1" and is in the Resource Group "group1", the "correct" name is "Group group1 network1"). This was for a "classic" Virtual Network; I haven't tried it with Resource Manager based Virtual Networks.
You should double-check the virtual network name.
Do not use the name you just created; use the "Virtual network site name (for .cscfg file)" column in the virtual network details in the Azure portal.
When you are deploying in the new portal, you are deploying to resource manager. You have to recreate the vnets in resource manager or migrate them to resource manager.
More info on classic vs Resource Manager: resource-manager-deployment-model
At this point in time, Cloud Services cannot connect to a Virtual Network (Resource Manager type); you can only connect them to a Virtual Network (classic). I hope they add support for Resource Manager type Virtual Networks in the near future.
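The two answers above come down to one check: the `VirtualNetworkSite` name and the `Subnet` names in the .cscfg must match what the platform actually has, not what the portal displays. Here is an added example (not code from this page, the question, or Azure) that cross-checks a .cscfg `NetworkConfiguration` against the exported classic network configuration that `azure network export` writes. Both XML documents are constructed from the snippets on this page; the exported site name `Group group1 devvirtual-Network` is an assumed value in the form the answer above describes, and the `_cscfg` helper only builds the question's fragment with different names.

```python
"""Cross-check a classic Cloud Service .cscfg <NetworkConfiguration> against
an exported classic VNet configuration (the <VirtualNetworkConfiguration> XML
that `azure network export` writes).

Added example, not code from the original page. The XML below is
constructed from the page's snippets; the exported site name is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed export of a classic VNet. The parser below strips namespaces,
# so a real export (which carries the ServiceHosting namespace) parses the same way.
NETCFG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Group group1 devvirtual-Network" Location="North Europe">
        <AddressSpace><AddressPrefix>10.0.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1"><AddressPrefix>10.0.0.0/24</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>10.0.255.0/29</AddressPrefix></Subnet>
        </Subnets>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>"""


def _cscfg(site, subnet):
    """Build the question's .cscfg fragment with the given site/subnet names (constructed input)."""
    return f"""<NetworkConfiguration>
  <VirtualNetworkSite name="{site}"/>
  <AddressAssignments>
    <InstanceAddress roleName="WorkerRole1">
      <Subnets><Subnet name="{subnet}"/></Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>"""


CSCFG_PORTAL_NAME = _cscfg("devvirtual-Network", "Subnet-1")                 # portal display name: fails
CSCFG_WRONG_SUBNET = _cscfg("Group group1 devvirtual-Network", "Subnet-2")   # site ok, subnet missing
CSCFG_OK = _cscfg("Group group1 devvirtual-Network", "Subnet-1")


def _local(tag):
    """Strip the namespace part from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def vnet_sites(netcfg_xml):
    """Map each exported VirtualNetworkSite name to the set of its subnet names."""
    sites = {}
    for el in ET.fromstring(netcfg_xml).iter():
        if _local(el.tag) == "VirtualNetworkSite":
            sites[el.get("name")] = {s.get("name") for s in el.iter() if _local(s.tag) == "Subnet"}
    return sites


def cscfg_assignments(cscfg_xml):
    """Return (site name, {role name: [subnet names]}) from a .cscfg NetworkConfiguration."""
    site, roles = None, {}
    for el in ET.fromstring(cscfg_xml).iter():
        tag = _local(el.tag)
        if tag == "VirtualNetworkSite":
            site = el.get("name")
        elif tag == "InstanceAddress":
            roles[el.get("roleName")] = [s.get("name") for s in el.iter() if _local(s.tag) == "Subnet"]
    return site, roles


def check(cscfg_xml, netcfg_xml):
    """Return a list of problems; an empty list means every reference resolves."""
    sites = vnet_sites(netcfg_xml)
    site, roles = cscfg_assignments(cscfg_xml)
    if site not in sites:
        # This is the case behind "The virtual network ... does not exist":
        # the .cscfg must carry the exported site name, not the portal display name.
        return [f"virtual network '{site}' not found; exported site names: {sorted(sites)}"]
    return [f"role '{role}' references subnet '{sn}', which is not in '{site}'"
            for role, subnets in roles.items() for sn in subnets if sn not in sites[site]]


if __name__ == "__main__":
    for label, cfg in [("portal name", CSCFG_PORTAL_NAME), ("wrong subnet", CSCFG_WRONG_SUBNET), ("ok", CSCFG_OK)]:
        print(label, "->", check(cfg, NETCFG) or "OK")
```

Because subnets are resolved only within the named site, two VNets that reuse the same subnet names (as in the first question on this page) do not confuse the check; run it against your own export before each deployment to catch a renamed site or subnet before the platform rejects the update.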
As far as I know it is, unfortunately, not possible to restrict an Azure website to be available to Azure-internal services only, since Websites do not support virtual networks currently.
Is this still correct?
If yes... I'm thinking of creating an Azure worker role instead to host my services. Is it possible to make the service only available to the websites from my subscription?
Thank you in advance
best
laurin
Laurin - you are correct - while Websites can utilise Hybrid Connections to connect back to services on-premises they aren't actually able to connect (and be restricted to) internal Azure services.
If you use a Web Role you will need to setup a Virtual Network with an appropriate private IP address range and then ensure you add your Web Role to this Virtual Network. This is done by editing the service configuration of your Cloud Service deployment in Visual Studio and making it similar to the below:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration ...>
  <Role name="WebRole1">
    ...
  </Role>
  <NetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="YourDns" IPAddress="10.4.3.1" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSite name="YourVirtualNetwork" />
    <AddressAssignments>
      <InstanceAddress roleName="WebRole1">
        <Subnets>
          <Subnet name="FrontEndSubnet" />
        </Subnets>
      </InstanceAddress>
    </AddressAssignments>
  </NetworkConfiguration>
</ServiceConfiguration>
I am planning to enable a connection between an Azure Cloud Service and an On Premise environment using Site To Site Connectivity.
Here are the specific details that I want to know:
1. What would be required from the On Premise network team in terms of enabling the connection?
2. How do I set up and enable the connection on every deployment build that I do for my Azure cloud service?
3. What are the ways to troubleshoot if the connection is down?
Basically you'll need a Virtual Network with a VPN to your on-premises network. After that, you'll add your cloud service to this virtual network. You can do that by editing your ServiceConfiguration (.cscfg file):
<ServiceConfiguration serviceName="<service-name>" osFamily="<osfamily-number>" osVersion="<os-version>" schemaVersion="<schema-version>">
  <Role …>
    …
  </Role>
  <NetworkConfiguration>
    …
  </NetworkConfiguration>
</ServiceConfiguration>
To monitor the traffic you'll just need to watch the Virtual Network dashboard. You'll see data in / out and if connection of the VPN is down.
More info in here:
http://blogs.technet.com/b/askpfeplat/archive/2014/03/03/connect-an-on-premises-network-to-azure-via-site-to-site-vpn-and-extend-your-active-directory-onto-an-iaas-vm-dc-in-azure.aspx
How would one make a TCP connection from an Azure PaaS hosted Web Site to a Worker Role that's deployed in a virtual network? Can this be done without opening an Input Endpoint (an Internet-facing port) on the worker role? It looks like Web Sites cannot currently be part of virtual network deployments, as per the Azure Virtual Network FAQ:
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
If it helps the discussion, the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
Edit: I found a really good post regarding this matter, Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint on the worker role and then restrict access to it only from the Web Sites deployment. However, it looks like a lot of work to do, it hops over networking elements like the load balancer, and perhaps I'd need to find out the Web Sites deployment IP.
Am I off-base and there's a simple way to connect a WebSites to a Azure computer role via TCP connection?
Network configuration
<VirtualNetworkConfiguration>
  <Dns>
    <DnsServers>
      <DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
    </DnsServers>
  </Dns>
  <VirtualNetworkSites>
    <VirtualNetworkSite name="XyzVNet" Location="North Europe">
      <AddressSpace>
        <AddressPrefix>10.0.0.0/8</AddressPrefix>
      </AddressSpace>
      <Subnets>
        <Subnet name="Sub1">
          <AddressPrefix>10.0.0.0/11</AddressPrefix>
        </Subnet>
      </Subnets>
      <DnsServersRef>
        <DnsServerRef name="XyzVnetDns" />
      </DnsServersRef>
    </VirtualNetworkSite>
  </VirtualNetworkSites>
</VirtualNetworkConfiguration>
Cloud service configuration
<NetworkConfiguration>
  <VirtualNetworkSite name="XyzVNet" />
  <AddressAssignments>
    <InstanceAddress roleName="Xyz.ComputeRole">
      <Subnets>
        <Subnet name="Sub1" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACLs) on the worker role's input endpoints.
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.
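The restriction the answer calls trivial is an endpoint ACL in the .cscfg: an `AccessControl` with ordered `permit`/`deny` rules keyed on a `remoteSubnet`, bound to a role's input endpoint by an `EndpointAcl`. The following is an added example, not code from this page or from Azure, that parses such a fragment and evaluates which source addresses would reach the worker role's endpoint. The fragment is constructed for the `Xyz.ComputeRole` above, the endpoint name `TcpIn` is assumed, and the evaluation semantics are an assumption to verify against the current schema documentation: rules are tried in ascending `order`, the first match wins, and an endpoint with an ACL attached denies whatever no rule permits, while an endpoint with no ACL is reachable from anywhere.

```python
"""Evaluate a classic Cloud Service endpoint ACL (<AccessControls> / <EndpointAcls>
in a .cscfg) against candidate source addresses.

Added example, not code from the original page or from Azure. Rule semantics
(ascending order, first match wins, implicit deny once an ACL is bound) are
assumed; the XML fragment is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed .cscfg fragment: only the worker subnet Sub1 (10.0.0.0/11) may reach TcpIn.
CSCFG_ACL = """<NetworkConfiguration>
  <AccessControls>
    <AccessControl name="vnet-only">
      <Rule action="permit" description="worker subnet Sub1" order="100" remoteSubnet="10.0.0.0/11"/>
      <Rule action="deny" description="everything else" order="200" remoteSubnet="0.0.0.0/0"/>
    </AccessControl>
  </AccessControls>
  <EndpointAcls>
    <EndpointAcl role="Xyz.ComputeRole" endPoint="TcpIn" accessControl="vnet-only"/>
  </EndpointAcls>
</NetworkConfiguration>"""


def _local(tag):
    """Strip the namespace part from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def load_acls(cscfg_xml):
    """Return ({acl name: [(order, action, network)]}, {(role, endpoint): acl name})."""
    acls, bindings = {}, {}
    for el in ET.fromstring(cscfg_xml).iter():
        tag = _local(el.tag)
        if tag == "AccessControl":
            rules = [(int(r.get("order")), r.get("action"), ipaddress.ip_network(r.get("remoteSubnet")))
                     for r in el if _local(r.tag) == "Rule"]
            acls[el.get("name")] = sorted(rules, key=lambda r: r[0])  # lowest order is tried first
        elif tag == "EndpointAcl":
            bindings[(el.get("role"), el.get("endPoint"))] = el.get("accessControl")
    return acls, bindings


def is_permitted(cscfg_xml, role, endpoint, source_ip):
    """True if traffic from source_ip to the role's input endpoint passes the ACL."""
    acls, bindings = load_acls(cscfg_xml)
    acl_name = bindings.get((role, endpoint))
    if acl_name is None:
        return True  # no ACL bound: the input endpoint is open to the Internet
    ip = ipaddress.ip_address(source_ip)
    for _order, action, net in acls[acl_name]:
        if ip in net:
            return action == "permit"  # first matching rule decides (assumed)
    return False  # nothing matched: implicit deny once an ACL is attached (assumed)


def permitted_sources(cscfg_xml, role, endpoint, candidates):
    """Filter candidate source IPs down to those the endpoint's ACL lets through."""
    return [ip for ip in candidates if is_permitted(cscfg_xml, role, endpoint, ip)]


if __name__ == "__main__":
    # 10.0.5.7 sits inside Sub1; 13.69.1.1 stands in for a Web Sites outbound address,
    # which has no fixed prefix and therefore cannot be written into a permit rule.
    print(permitted_sources(CSCFG_ACL, "Xyz.ComputeRole", "TcpIn", ["10.0.5.7", "13.69.1.1"]))
```

The point of the answer above falls out of the last rule: a permit rule needs a `remoteSubnet`, and a Web Sites deployment has no dedicated outbound prefix to put there, so the only thing left to permit is the whole Internet.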
There are now two ways to connect to resources in your Azure VNET from your Azure Website. You can find details written up in several blogs.
The Hybrid Connections capability involves you downloading a relay agent that can access both Azure and your desired endpoint. This works for access to resources in your VNET or in any other network, for that matter. You can install the agents on-premises to enable TCP access to resources there. Each Hybrid Connection endpoint you define can only provide access to a single host:port. You can have 5 endpoints for free, and if you need more you can pay to get them.
The VNET Integration capability allows you to access resources in your VNET. Under the covers it is using point-to-site technology to do this, so your VNET needs a dynamic routing gateway and you need point-to-site to be enabled. If you also use a site-to-site VPN to connect your on-premises network to your VNET, you can then access on-premises resources.
Neither of these methods provides private access to your website. They are only intended to enable your website to access resources in other networks. Both features are also currently in preview and are being improved upon.
If you would like details on either there are a number of blogs and documents online. For an example you can refer to this one: using vnet or hybrid connections with Azure websites