Is it possible to use an Azure virtual machine that's setup as a domain controller to manage virtual machines hosted on other Azure subscriptions?
Personally I have never tried this before, but do not immediately see an issue with it.
I assume your Domain Controller is deployed using Microsoft's guidelines including assigning a static IP address?
With the ability to connect one VNet to another VNet (See: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/) you can create the required network connectivity.
What you probably need to do is use your own DNS server for name resolution (See: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-name-resolution-for-vms-and-role-instances/) in all connected VNets. I would recommend running DNS on your Domain Controller.
One thing to consider however is the generated traffic for authentication and name resolution. Do know that Azure is charging for traffic traversing from one Azure region to another.
Hope this helps you moving forward.
in this scenario is it required to create DNS server per subscription or one DNS server is enough for multiple subscription.
Related
Hey all I've been trying to look into whether this is possible or not.
I was working with Infra-Engineering to setup a VNet with peering to the on-prem network. Everything was smooth sailing until we found out that the Azure Sandbox for Function Apps blocks the SMB ports. I saw a reply on this thread: https://learn.microsoft.com/en-us/answers/questions/290531/how-can-i-access-a-on-premise-network-file-share-d.html
that if we use a Container App that we would not have this restriction. Can anyone corroborate this? I just want to get some insight before committing to trying this out.
In short - you need a VPN/Express Route connection to on premise, the container app needs to be in a VNet peered with the VPN VNet (if separated), a DNS server able to resolve on-premises DNS records, if there are firewalls, NSGs involved you will also need access rules there, and obviously the IP address ranges need to be routed (BGP or Static) and should not overlap
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-container-apps-virtual-network-integration/ba-p/3096932
https://learn.microsoft.com/en-us/azure/architecture/hybrid/hybrid-dns-infra
I received a call from a business owner. One of his services will only license and whitelist one public IP well he has three locations. When I got involved they were trying to spin up an OpenVPN appliance and have site to site vpns to the remote locations. Well the remote locations have Fortigate firewalls and this will not work I believe with the SSL VPN of OpenVPN.
I would like to recommend something with Azure or AWS but I am unclear on the best VPN setup with Azure. Essentially he will need all remote sites exiting to the internet through Azure.
Late last night tried to test with AWS VPC and a VPN back to the fortigate. Client later expressed he would rather not use AWS.
Also recommended this https://forum.fortinet.com/m/tm.aspx?m=148626&p=
but he did not want to bottlekneck one of his locations
All sites exiting Azure out of one IP address
If you have 3 sites in Azure, you can make all 3 sites exiting Azure with one VPN gateway IP for the same destination.
You need to configure VNET to VNET peering and enable Gateway Transit to make it work. Can you also elaborate your ask here with a Network Diagram ?
On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM, my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same lan, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP
address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with eachother via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess i'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the Virtual Network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
We have a client who wants to connect their premises to Azure. Their main hindrance at this point is determining the best way to connect to Azure given their current connectivity configuration. They have two redundant ISP connections going to the head office for internet access. They want to be able to configure a VPN connection to Azure that would operate in a similar way i.e. if ISP A went down it would seamlessly use ISP B and vice versa. The normal multi-site VPN configuration does not fit this since there is one local network behind which means the network behind separate VPNs over each ISP would have overlapping IP address ranges which is not supported. Is such a configuration possible? (See diagram below)
Either that or is there a way to abstract the two ISP connections onto one VPN connection to Azure.
They’re currently considering using a Cisco ASA device to help with this. I’m not familiar with the features of this device so I cannot verify if it will solve their issue. I know there is also a Cisco ASAv appliance in the Azure marketplace don't know if that could also be a part of a possible solution if they went with such a device.
required vpn configuration
The Site-to-Site VPN capability in Azure does not allow for automatic failover between ISPs.
What you could do are the following
- Have automation task created that would re-create the local network and gateway connection upon failover. Manual and would take some RTO to get it up and running
- Use the Cisco CSRs to create a DMVPN mesh. You should be able to achieve the configuration you want using that option. You would use UDRs in Azure to ensure proper routing
I havent done it in Azure, but here is what you do in AWS (And I am sure there would be parallel in Azure)
Configure a "detached VGW" (virtual Private gateway) in aws. Use DMVPN cloud to connect CSRs to multi-site on-prem.
Also, for failover between ISPs you could have a look at DNS load balancing via a parallel to AWS's Route 53 in Azure.
Reference thread :
https://serverfault.com/questions/872700/vpc-transit-difference-between-detached-vgw-and-direct-ipsec-connection-csr100
I configured two AD controllers and a WINS server in Azure each with static IP's and then turned them off for the weekend. Now that I turn the machines back on, all of the NIC's are setup to obtain an IP automatically.
When I go back into the NIC and reconfigure it for a static IP, I get an error message that the IP address I entered for the network adapter is already assigned to another adopter which is no longer present in the computer. Then it asks me if I want to remove the static IP configuration for the absent adapter.
What is happening here? Is there something I am configuring incorrectly that forces my configured static NIC's to change? Do I want to answer yes and reconfigure the card yet again, or is there a better way to go about this.
Thanks.
I'm going to answer my own question just in case someone is doing a network search looking for an answer and winds up here.
The issue centers on, for me at least, the differences between what is required for setting up bare metal AD environments as opposed to AD environments in Azure. In bare metal we are used to configuring inside of the NIC. In Azure, you work in two places. You create your AD's with DNS and then you use the Azure powershell to configure the AD controller's static IP and then you go back to your virtual network and register the DNS servers that were created.
There are some things happening behind the scenes in Azure that make this work. So, just create your AD's with DNS. Get the IP that was assigned by DHCP and register it with the Azure powershell and then list the name of the AD and it's IP in the virtual network and you are done.
Hope this helps.