I was wondering if it was possible to connect to a Service Insight hosted on a Virtual Machine locally? What I mean is:
I have Service Insight installed on a VM in the cloud
Can remote into it via Remote Desktop
Can launch Service Insight on the box to view message traffic
However, I have Service Insight installed locally and when I attempt to connect to the Service Control hosted on my VM not sure how to do this. Looking at the Particular website can't find much documentation either. Service Control expects a URL which I believe should be http://serviceins.cloudapp.net:33333/api/ however this resolves to nothing.
The name of my VM is called serviceins.
I have made changes to ServiceControl.config:
<appsettings>
<add key="ServiceControl/Hostname" value="serviceins.cloudapp.net"/>
<add key="ServiceControl/HoursToKeepMessagesBeforeExpiring" value="24"/>
</appsettings>
ServicePulse.config
service_control_url: 'http://serviceins.cloudapp.net:33333/api/'
I guess my question is how can I access Service Insight without having to remote onto the VM? Can I access to this via simply providing a URL to Service Insight?
Thanks, DS.
Security Warning
ServiceControl has no built in security layer so if you exposing the API URL to the Internet then all of the messages stored in ServiceControl will be accessible by anyone who can connect to port 33333. This is why it's restricted to localhost by default.
I can't stress enough that it should not be done on a production system
For Azure a more secure method would be to use something like a point to site VPN connection. (See: https://msdn.microsoft.com/en-us/library/azure/jj156206.aspx) but this may require a bit of reconfiguration.
If you are still keen to expose the URL in an insecure way here is how you would go about it:
1. Set the hostname in the App.config to a wildcard:
<add key="ServiceControl/HostName" value="*" />
2. Update the URLACL to respond to the wildcard.
You can view the URLACL settings by issuing this command at cmd prompt:
netsh http show urlacl
If you have an existing setting for port http://localhost:33333/api/ or http://serviceins.cloudapp.net:33333/api/ remove them using:
netsh http delete urlacl URL=http://localhost:33333/api/
netsh http delete urlacl URL=http://serviceins.cloudapp.net:33333/api/
Add the wildcard URLACL
netsh http add urlacl URL=http://*:33333/api/ User=Users
Check it via the show command and it should have an entry like this
Reserved URL : http://*:33333/api/
User: BUILTIN\Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)
3. Windows Firewall
Add an inbound rule to the Windows Firewall. By default the port 33333 will be blocked for incoming connections.
You can do this via an Admin Powershell using the following command (I'm assuming you're VM is Win2012)
New-NetFirewallRule -Name ServiceControl -Direction Inbound -Protocol TCP -LocalPort 33333 -Action Allow -Enabled True
4. Add an Azure Endpoint
You'll also need to open up an Azure Endpoint connection to allow connection to port 33333. This is essentially another firewall. Rather than document this I'll refer you to Microsoft's own doco here: http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/
As part of the endpoint configuration you can add some security by limiting the IP range that is allowed to connect to the port. This is really only useful if you've got a static IP.
Related
I have an azure pc in Windows server 2008 r2. The fire wall is off. I have defined html, opened port 80 and evneport8080. I have defined a end point too
but when I do psping ipaddress:80 the remote computer refused the network connection. But if I try to psping ipaddress:3389 it seems to work, but not any new port I have created.
What is this msg, and will it impact my connectivity?
You will need to add an NSG rule to allow TCP traffic on port 80.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
By default, an NSG rule is added to allow only port 3389.
According to your description, we should check your web service is running or not, we can use netstat -ant to check it.
Update:
Does your VM create in Azure classic module?
if yes, we should add endpoints to your Azure VM via azure portal, like this:
More information about add endpoints, please refer to this link.
Also we can add endpoints in Azure classic portal:
I'm banging my head on this seemingly simple task. I'm trying to stand up a Redhat VM in Azure. I've tried both the resource group approach and the classic approach.
I currently have a classic deployment. I've installed httpd via yum. I confirm that I can SSH to the server via the virtual IP. Once in, I start httpd and I can perform wget http://localhost/ and get the content that I expect.
However, when I attempt to connect to the virtual IP from my local browser, there is no response. I've also tried creating a static public IP with no success.
I have created an HTTP "endpoint" in Azure portal. I set the public and private ports to 80 with a protocol of TCP. There are no ACL values (I assume it's defaulting to allow everything).
There is no network security group assigned to the VM.
Still no success. What else am I missing!?
Well, if you really setup an endpoint on the portal to allow port 80, the only thing thats left is the firewall on the Linux VM itself, allow port 80 on the firewall and you are good to go
1) service httpd restart and 2) service firewalld restart did the trick
For a pet project I'm attempting to spin up a VM on Azure that can run as my webserver, providing an Umbraco powered site, as well as some other web applications (such as a forum + planner) that require PHP. Now I've followed the steps of every guide out there, but I cannot get an external connection through to the VM's IIS and I can't find out why.
I'm hoping someone else has been through the pain that I'm currently experiencing and might point me in the direction of whatever setting I'm missing.
Spun up the VM with Server 2012 R2.
Configured it to run IIS.
Installed Umbraco, disabling the default web site and setting the Umbraco site as my default on port 80.
Checked that http://localhost maps to Umbraco - this works.
So after I had it running internally, I started tackling the external connection setup.
Navigated to the Network Security group, and added the inbound Http rule on Port 80.
Disabled Windows Firewall entirely for the sake of testing.
Added a custom dns name to the front of the xxx.[azurecloudappurl].com
Now my requests resolve but then timeout and I can't see why or where? Has anyone else experienced this? Every guide states that it should be as easy as this.
As you can visit localhost on your VM env, so it seems there is no problem with your env on VM.
Have you added the endpoint with 80 port of your VM server on Azure manage portal? As by default, the endpoint with 80 port is not opened.
You can refer to How to set up endpoints on a classic Azure virtual machine for how to add an endpoint on Azure VM.
In addition to #Gary Liu's answer if you are doing it on Azure Portal(and not on classic one).
For any new VM added through Azure exists a Network Security Group (NSG). Ports need to be opened in order to make them accessible from outside the VM. Specifically to allow your VM to serve requests coming to port 80 you need to enable HTTP port in Network Security Group. Here are the steps:
Search for VM Name on Azure portal.
Select the VM by Clicking on VM Name.
Click on Network Interfaces from left menu and select(double click) the listed one. This will show overview of Network Interface.
Now click on Network Security Group.
Click on Inbound Rules.
Add new rule selecting service as HTTP(TCP/80).
Voila done!
And here is the answer to manage an inbound rule
I have a problem with my windows azure virtual machine.
I need to open the Port 443 (HTTPS) on the VM.
In the Endpoint Config. of the virtual machine, I opened it and configure the ACL with the following parameters:
Permit
0.0.0.0/0
It's a Windows Server 2012 VM and I created the firewall rule for the public Connection.
A Port Check from ping.eu shows that the port 443 is closed.
The Location of the virtual machine is Western Europe.
I hope, you can help me.
Kind Regards
Sebastian
I also had this issue and it was very annoying! I thought at first I was not setting up the SSL bindings correctly or that it was a certificate issue, then moved on to firewall issues. In the end it was the Azure endpoint at fault.
I had added the 443 endpoint, disabled local firewall and got nothing nothing. I got suspicious when I added a new endpoint on 8080, bound to https and it worked fine.
I deleted the 443 endpoint, shut the Azure VM down from the webinterface after shutting down the client. Created a new 443 endpoint and restarted the VM (I had already tried restarting my win2012r2 vm). It worked.
It must be a glitch in the networking stack of azure endpoints. You are not going mad!!
Hope that helps!
P
Did you also configure the Endpoint Configuration through the web management portal to forward connections from the ext->int ports ?
Anything you change on the Win2k12 Virtual machine will just affect the VM itself. i.e. opening 443 in the firewall, or configuring routes etc...
But you also need to allow a connection forward from the cloudapp.net public IP address to the internal IP of the box. See the below screenshot.
Another gotcha. In addition to setting up the Endpoint configuration, you need to enable IP Forwarding. This is disabled by default.
IP Forwarding can be found in the IP Configuration settings of the network interface.
I have setup an http endpoint (port 80) for my Azure VM. I have verified that the firewall is allowing port 80 both in and out. (My VM operating system is Windows Server 2012.)
Yet still, I am unable to hit IIS on port 80 from a remote machine. (Locally I can hit localhost just fine.)
So I'm wondering if what I'm missing is a network acl. However, the Azure documentation (as of 12/2/2013) seems contradictory:
When a virtual machine is created, a default ACL is put in place to
block all incoming traffic. However, if an endpoint is created for
(port 3389), then the default ACL is modified to allow all inbound
traffic for that endpoint.
Yet below it says:
It’s important to note that by default, when an endpoint is created,
all traffic is denied to the endpoint.
Which is correct? Do I need to create an allow all ACL? Am I missing something else about how Azure DNS and network traffic works?
That same page follows on to write
No ACL – By default when an endpoint is created, we permit all for the
endpoint.
I believe that the comment suggesting all traffic is denied by default is wrong.
To confirm I have just deployed a brand new Windows Server 2012 Data Centre VM, installed IIS, open the Windows Firewall and configured an endpoint for TCP port 80 and it all worked just fine although its worth pointing out that it took a few minutes between configuring the endpoint and being able to browse to the server.