We're currently working on some proof of concept type stuff with Azure. We have a virtual network configured to which we've deployed some test Cloud Services (basically basic Web Roles created in VS2013).
Ideally we'd like to be able to make calls within our virtual network to these Cloud Services using internal IP addresses (we do intend to have our own DNS solution in place) but only seem to be able to get the internal addresses for the instances running within the Cloud Service and not the Cloud Service itself (for which we can only get the public VIP address). Obviously making any calls to the instances directly means we lose out on the load balancing/scaling that Cloud Services offers for a Role deployment.
Can anyone tell me if finding out the internal IP address is even possible, or are we trying to do something that quite simply can't be done/is inadvisable?
I have an Azure App Service and multiple Azure Functions that need to call into a specific external API - let's call it external.api.com. I also frequently run the App Service and Azure Functions locally on my laptop during development/debugging etc.
My issue is that I can only have one IP address whitelisted to use this external API.
What is the best way to set up some kind of Virtual Network (or something else?) in Azure to enable all calls to this external API to have the same origin IP address?
I have seen tutorials on ways to do this from internal Azure services/functions, however I haven't been able to see anywhere that explains how to do this for calls from both internal Azure services/functions AND from external IP addresses (i.e. my laptop).
Thanks
Sounds like you need to look for a proxy that would mask your IP.
I have an Elasticsearch cluster that I need to access using an Azure Functions App. The current way to access it is via an IP whitelist. I've created my consumption plan Azure Functions and noticed that the IP address kept changing and after further research found that I'd need to whitelist the whole Azure Cloud which is not a secure option in our case. So I've upgraded Azure Functions to Premium plan and thus the VNet Integration appeared in the app settings allowing me to create a Virtual Network and a static Outbound IP Address.
Now it is working.
But since I'm using the Premium plan and the other mentioned services, the cost went up.
I've experimented with Azure Data Factory in the past and there was an option to install a local Integration Runtime so when ADF was accessing Elasticsearch via the Local Integration Runtime, it worked. Is there something similar I can use with Azure Functions? Like a Data Gateway I can install on a local server that is already whitelisted on Elasticsearch and all I'd need to do is connect from Azure Functions through it?
I guess the ideal scenario I'm looking for is to be able to use a Consumption Plan on Azure Functions.
Kind Regards,
Andrei
Just to close this one, in the end, I've used a Standard App Service Plan (S1) (costs $74|£51/month or about $2.5|£1.7/day). I've had to create a static Outbound IP, a NAT Gateway (which costs about another $30|£23/month or $1|£0.77/day) and a VNET.
The tutorial can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-nat-gateway
Another option that I've considered to reduce cost was to use a Hybrid Connection which would install a sort of gateway to a local server to which Azure Functions would connect first before reaching the ES endpoint...that would eliminate the need for the Outbound IP, NAT Gateway and VNET (so $30 less per month) but would still require at least an S1...so no option on consumption-based, and I don't know if there is any charge associated with this. However, we didn't go with this option as we want to eliminate any local dependencies (e.g. if the server where the gateway is running would shut down).
To sum up, use an S1, follow the tutorial mentioned above and it should cost about $104|£74/month.
We have a time-triggered Azure Function deployed on the portal to perform some iterative task at a specific time. Our Azure Function uses the database deployed on an Azure VM via a connection string provided in AppSettings. The function throws the following error on running:
MySql.Data: Authentication to host 'xxx' for user 'xxx' using method 'mysql_native_password' failed with message:
Client with IP address 'x.x.x.x' is not allowed to connect to this MySQL server. MySql.Data: Client with IP address 'x.x.x.x' is not allowed to connect to this MySQL server
When we whitelist the IP mentioned in the error message, the function runs successfully. But since the Azure Function has no fixed workstation or PC with the same IP that handles the execution, whenever the function runs from a new IP, it throws the error again. Therefore, we require a mechanism by which we can whitelist all IPs of the machines that will be running our function app, OR some better mechanism to authenticate and allow the Azure Function to access our database hosted on the Azure VM.
What we tried:
We white-listed the Virtual IP address of the function app. But it doesn't work every time.
We tried to white-list the IP ranges obtained from Microsoft Datacenter of the region in which our function app is deployed. But this method also didn't work.
Azure application can't access database on Azure VM?
Thus, is there any way by which the Azure Function can access our database deployed on the virtual machine securely?
I have opened up the issue on github but no reply yet from there.
Finally, after thorough researching, found the solution.
One needs to whitelist all Outbound IPs of the Function App in the Virtual Machine where the DB is deployed. The outbound IP addresses can be found from resources.azure.com. On searching your resource (in my case the Function App's name), there will be a long JSON output from where you have to pick the possibleOutboundIpAddresses parameter as shown in the image. Whitelist all the IPs and then your Azure Function App can access your database deployed on the virtual machine.
Also, I searched whether these IPs tend to change on a regular basis or not. While I didn't find any official word on it, from various internet sources I came to know that even if the IPs are ever planned to be changed, everyone will get enough notification beforehand to prevent any problems.
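The same allowlist, enforced one layer lower than the MySQL grants described in this answer: a Bicep template (an added example, not code from the thread) that reads the function app's possibleOutboundIpAddresses property at deployment time and puts those addresses into an NSG rule on the subnet of the VM that hosts MySQL. Because the list is read from the live resource, re-running the deployment refreshes the rule if Microsoft ever changes the app's outbound addresses. The parameter and resource names, the subnet prefix and the API versions are assumptions; the function app and the VNet are assumed to exist in the same resource group as the deployment.

```bicep
// Added example: NSG allowlist on the MySQL VM's subnet, sourced from the function app's
// possibleOutboundIpAddresses. Names, prefix and API versions are assumptions.
param location string = resourceGroup().location
param functionAppName string              // existing function app (assumed, same resource group)
param vnetName string                     // existing VNet holding the database VM (assumed)
param dbSubnetName string = 'db'
param dbSubnetPrefix string = '10.10.2.0/24'

resource func 'Microsoft.Web/sites@2022-09-01' existing = {
  name: functionAppName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// possibleOutboundIpAddresses is a comma-separated string. It is the superset of addresses
// the app can ever use; outboundIpAddresses is only the subset in use at the current scale,
// which is why whitelisting the latter (or the single VIP) "doesn't work every time".
var funcEgressIps = split(func.properties.possibleOutboundIpAddresses, ',')

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: '${functionAppName}-mysql-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-functionapp-mysql'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: funcEgressIps
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3306'
        }
      }
      {
        // Explicit deny for everything else on 3306, so the intent survives later rule edits.
        name: 'deny-other-mysql'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3306'
        }
      }
    ]
  }
}

// Attach the NSG to the VM's subnet. The prefix must match the existing subnet definition.
resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: dbSubnetName
  properties: {
    addressPrefix: dbSubnetPrefix
    networkSecurityGroup: { id: nsg.id }
  }
}

// Handy for generating the matching MySQL host-based grants.
output allowedSources array = funcEgressIps
```

Keep the MySQL-level host restrictions as well; the NSG stops the packets before they reach mysqld, while the grants still limit which account each source may use. Note that the list only covers the function app's own outbound addresses, so any other service in the same datacenter range stays blocked, which is the gap that whitelisting the whole regional range would have opened.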
You need to set up a Virtual Network (VNet) where both your App Service Plan hosting the Azure Function and the VM participate.
Then from Azure Functions, view All Properties > Networking and you should see the virtual network to connect.
This method doesn't require you to whitelist IP addresses for your VM and secures your VM by allowing only internal network traffic.
Note that your Azure Function must be set up on an App Service Plan, rather than on a Consumption plan.
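The infrastructure described in this answer and in the NAT-gateway answer further up (an S1 App Service plan, regional VNet integration into a delegated subnet, a NAT gateway with one static public IP for all egress, and a second subnet where the database VM lives), written out as a single Bicep template. This is an added example, not code from the thread or from the linked Microsoft tutorial. Resource names, address ranges, API versions and the storage connection-string parameter are assumptions; the VM itself is left out and is expected to be placed in the second subnet.

```bicep
// Added example: App Service plan + regional VNet integration + NAT gateway egress.
// Names, address ranges, API versions and the storage parameter are assumptions.
param location string = resourceGroup().location
param baseName string = 'fnegress'
@secure()
param storageConnectionString string      // AzureWebJobsStorage; the storage account is assumed to exist

// Static public IP that every outbound connection from the integration subnet will use.
// This is the single address to allowlist at Elasticsearch, MySQL or the external API.
resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: '${baseName}-egress-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource natGw 'Microsoft.Network/natGateways@2023-04-01' = {
  name: '${baseName}-natgw'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpAddresses: [ { id: pip.id } ]
    idleTimeoutInMinutes: 4
  }
}

// One subnet delegated to App Service (required for regional VNet integration) and one
// plain subnet for the VM hosting the database, reachable over its private address.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: '${baseName}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'integration'
        properties: {
          addressPrefix: '10.10.1.0/24'
          natGateway: { id: natGw.id }
          delegations: [
            { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
      {
        name: 'db'
        properties: { addressPrefix: '10.10.2.0/24' }
      }
    ]
  }
}

// Standard S1: VNet integration is not offered on the Consumption plan.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${baseName}-plan'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}

resource func 'Microsoft.Web/sites@2022-09-01' = {
  name: '${baseName}-func'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'integration')
    // Without this only RFC 1918 destinations are routed into the VNet; Internet-bound
    // traffic (the external API) would still leave via the shared App Service outbound IPs.
    vnetRouteAllEnabled: true
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
      ]
    }
  }
}

output egressIp string = pip.properties.ipAddress
```

Two checks after deployment: confirm the egressIp output is the address the remote side sees (for example by calling a "what is my IP" endpoint from the function), and keep the VM's MySQL or Elasticsearch port closed to its public IP entirely, since the function now reaches it over 10.10.2.x inside the VNet.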
I have a website (Web App) running on Azure (example.azurewebsites.net) and I want to use NEST (http://nest.azurewebsites.net) in my Asp.Net MVC solution. Locally it works fine, but when publishing it to Azure, I can't get a connection to elasticsearch. Because I did not find any useful tutorial, I mixed three together.
First I created a virtual network like described here in Step 1: http://www.kerrb.com/ecAzureVms101/day4-creating-point-to-site-vpn-to-azure-virtual-machines
I called it VirtualNetwork and got a gateway IP address. It shows me that 1 client is connected.
Then I created a virtual machine like described here: http://code972.com/blog/2014/07/74-the-definitive-guide-for-elasticsearch-on-windows-azure
I already had the virtual network, so I skipped the first step here. The cloud service got the name example-elastic-search (example-elastic-search.cloudapp.net); I called the virtual machine elasticsearchvm. I connected via putty, configured elasticsearch like described and it works fine.
The last step with Azure was to connect the Web App with the virtual network. I did it like this: http://blogs.technet.com/b/canitpro/archive/2015/04/07/step-by-step-connect-an-azure-web-app-to-an-existing-virtual-network.aspx
Finally I changed my code to use the elasticsearchvm.
new ElasticClient(new ConnectionSettings(new Uri("http://example-elastic-search.cloudapp.net")))
Instead of example-elastic-search.cloudapp.net I also tried the name of the virtual machine (elasticsearchvm), the internal and public IPs of the VM, the IP of the cloud service and the IP of the gateway. All of these with http, https, the port and without the port (9200). Nothing worked.
Any ideas what I have missed? If more information is needed, feel free to ask :)
I realise that this is not directly answering your question, but I think this is useful to mention for those finding this question in future. The easiest way to get up and running with Elasticsearch on Azure is to use Elastic's ARM template; I wrote a blog post about some of the features available within the template.
The template can be deployed from within the portal UI or using the Azure CLI; the former is good for getting started and playing around, and the latter is useful to integrate the template into your automation environment of choice. You can of course clone/fork the repository and make changes to the template to suit your requirements.
When adding Elasticsearch to an existing web application, the deployed cluster can be attached to an existing virtual network in the same location; you just need to specify
the name of the network
the name of the subnet
the name of the resource group containing the network
an available IP address to use for the internal load balancer
You'll need enough available IP addresses on the network for the cluster you're deploying.
I have created a Virtual Network, when deploying a VM in it, it's unavailable from Internet, and available when I connect via VPN. (And that's what it's supposed to do).
But when I deploy a Cloud Service (and the Cloud Service is correctly deployed in the Virtual Network as I can see it in the VN resources list), it's still available from Internet.
How can I secure access to a Cloud Service? I don't want it to be accessible by everyone, just by VPN and from dedicated IPs.
Finally I found that by default Cloud Services have endpoints configured. By adding ACLs to them (http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx) I can isolate them into the Virtual Network.
If you do not want the cloud service to be accessible from the Internet, the better way to protect it is to remove the endpoints. If you want to ACL the instances at the Virtual Network/Subnet level, consider using this article.