Azure VM Endpoint Allow All or Deny All by Default? - azure

I have setup an http endpoint (port 80) for my Azure VM. I have verified that the firewall is allowing port 80 both in and out. (My VM operating system is Windows Server 2012.)
Yet still, I am unable to hit IIS on port 80 from a remote machine. (Locally I can hit localhost just fine.)
So I'm wondering if what I'm missing is a network acl. However, the Azure documentation (as of 12/2/2013) seems contradictory:
When a virtual machine is created, a default ACL is put in place to
block all incoming traffic. However, if an endpoint is created for
(port 3389), then the default ACL is modified to allow all inbound
traffic for that endpoint.
Yet below it says:
It’s important to note that by default, when an endpoint is created,
all traffic is denied to the endpoint.
Which is correct? Do I need to create an allow all ACL? Am I missing something else about how Azure DNS and network traffic works?

That same page follows on to write
No ACL – By default when an endpoint is created, we permit all for the
endpoint.
I believe that the comment suggesting all traffic is denied by default is wrong.
To confirm I have just deployed a brand new Windows Server 2012 Data Centre VM, installed IIS, open the Windows Firewall and configured an endpoint for TCP port 80 and it all worked just fine although its worth pointing out that it took a few minutes between configuring the endpoint and being able to browse to the server.

Related

HTTP Access to Linux VM in Azure

I'm banging my head on this seemingly simple task. I'm trying to stand up a Redhat VM in Azure. I've tried both the resource group approach and the classic approach.
I currently have a classic deployment. I've installed httpd via yum. I confirm that I can SSH to the server via the virtual IP. Once in, I start httpd and I can perform wget http://localhost/ and get the content that I expect.
However, when I attempt to connect to the virtual IP from my local browser, there is no response. I've also tried creating a static public IP with no success.
I have created an HTTP "endpoint" in Azure portal. I set the public and private ports to 80 with a protocol of TCP. There are no ACL values (I assume it's defaulting to allow everything).
There is no network security group assigned to the VM.
Still no success. What else am I missing!?
Well, if you really setup an endpoint on the portal to allow port 80, the only thing thats left is the firewall on the Linux VM itself, allow port 80 on the firewall and you are good to go
1) service httpd restart and 2) service firewalld restart did the trick

Cannot access Neo4j browser on a Windows Server

I have a Windows Server 2012 virtual machine provisioned on Azure. I installed Neo4j server on this virtual machine and I'm accessing the Neo4j browser on localhost:7474.
However I cannot access the browser outside using my virtual machine's public IP e.g <machineIP:7474>
Here's what I have done so far:
In the Azure portal, I added inbound rules for the NSG to allow http and https ports 80 and 443 (I have done the same on a Linux virtual machine also hosted in Azure and I can access the browser just fine)
I also added an inbound rule in Windows Firewall to allow Port 80 and 443 as well
What possibly blocks me from accessing the virtual machine's IP from the outside?
You have to add TCP port 7474 to the firewall in the Azure portal:
change your neo4j-server.properties
set
org.neo4j.server.webserver.address=0.0.0.0
To remotely access Neo4j installed on a Windows VM in Azure, these are the changes you'll need to make:
In the Azure portal, add TCP port 7474 to the Endpoints of your Windows VM
On your Windows VM, in the Windows Firewall Advances Security, add a new Inbound Rule for port 7474
Change the conf/neo4j.conf and uncomment this line:
org.neo4j.server.webserver.address=0.0.0.0
Note: In case you also want full access to Neo4j's browse interface including Bolt, then also add port 7687 both in the Azure Endpoints and the Windows Firewall.

Not able to access application hosted on Linux VM on Azure cloud

I have created a CentOS 7.1 VM using Resource Manager deployment model.
I am not able to access the application using a browser on a machine connected to internet.
However I am able to access the application on same machine and other VM on same virtual network using private IP address.
I configured Network Security Group and allowed port 80 and 443 in Inbound Rules.
Well, it turned out that I needed to open ports under "Inbound Security Rules" and needed to open all in "Source Port Range". For doing so, i needed to put * there and in Destination port for https - 443 etc.
This * thing was the catch which i was missing in all the Inbound security rules for allowing the ports.

Windows Azure Endpoint not working

I have a problem with my windows azure virtual machine.
I need to open the Port 443 (HTTPS) on the VM.
In the Endpoint Config. of the virtual machine, I opened it and configure the ACL with the following parameters:
Permit
0.0.0.0/0
It's a Windows Server 2012 VM and I created the firewall rule for the public Connection.
A Port Check from ping.eu shows that the port 443 is closed.
The Location of the virtual machine is Western Europe.
I hope, you can help me.
Kind Regards
Sebastian
I also had this issue and it was very annoying! I thought at first I was not setting up the SSL bindings correctly or that it was a certificate issue, then moved on to firewall issues. In the end it was the Azure endpoint at fault.
I had added the 443 endpoint, disabled local firewall and got nothing nothing. I got suspicious when I added a new endpoint on 8080, bound to https and it worked fine.
I deleted the 443 endpoint, shut the Azure VM down from the webinterface after shutting down the client. Created a new 443 endpoint and restarted the VM (I had already tried restarting my win2012r2 vm). It worked.
It must be a glitch in the networking stack of azure endpoints. You are not going mad!!
Hope that helps!
P
Did you also configure the Endpoint Configuration through the web management portal to forward connections from the ext->int ports ?
Anything you change on the Win2k12 Virtual machine will just affect the VM itself. i.e. opening 443 in the firewall, or configuring routes etc...
But you also need to allow a connection forward from the cloudapp.net public IP address to the internal IP of the box. See the below screenshot.
Another gotcha. In addition to setting up the Endpoint configuration, you need to enable IP Forwarding. This is disabled by default.
IP Forwarding can be found in the IP Configuration settings of the network interface.

Can't get Azure Virtual Machine to serve websites

I've just set up a windows azure VM and installed IIS on it.
When I remote desktop onto the box I can see the default IIS website fine but I can't get this to serve on the web from the IP address of the box.
I've opened up port 80 on windows firewall and also added an endpoint for port 80.
I've tried to access it with the firewall completely turned off also but to no avail...
I cant work out if there is anything else I need to do to get this working?
Add endpoints for port 80 (http) and port 443 (https) to the VM in the Azure portal (tip: this can be automated with powershell or the Azure cli).
Remote desktop to the machine. Open the Windows firewall control panel and allow traffic to port 80 (http) and port 443 (https) or just turn it off ... the firewall is ON by default (tip: can also be scripted through the VM agent / powershell).
Go to the Azure portal and find the cloudapp.net subdomain for your VM (actually the cloud service) your VM is running under. Try accessing the site with that domain. If that doesn't work, try browsing to http://localhost on the server (remote desktop) to make sure IIS works and troubleshoot from there.
Modify the DNS records of your custom domain to use a CNAME to the .cloudapp.net domain. If you need A records make sure to use the public IP of the cloud service (just ping the .cloudapp.net domain to find it or look in the Azure portal).
You might want to look into Azure Websites or Azure Cloud Services (web roles). Those are a lot easier to manage and a lot cheaper. They still offer most of the functionality.
What fixed the issue for me was to go into the Azure Portal, browse to 'Network Security Groups', select the VM and then create an inbound rule to allow traffic to port 80.
Note: Also ensure that the inbound rule to port 80 is added and enabled on the actual VM.
Well, I deleted the existing VM and Cloud service and started again - all worked fine out of the box this time.
How annoying! The only thing I did notice was that before my cloud service had the same name as my VM - this time they had different names so that might have been what was causing the issue.
Cheers
For the newer VMs and pre-configured setups (2015+), it's possible your setup is using an azure asset called "Public IP". If so, you can set a custom DNS name label in it, inside "Configuration". Note that this name will consider any type of region used when creating the VM (e.g. my-site.brazilsouth.cloudapp.azure.com).
It's good to remember that for testing purposes, it still suffices to use the value of the public IP that is randomly designated to you.
The VMs are actually accessed via a Cloud Service (well they are for me). Azure created a Cloud Service automatically to be the scaling engine/load balancer on the front of the VM. I have to connect to the web site via that cloud service, not the VM directly.
Its possible you were using the internal IP rather than the external IP.
The sites have to use the internal IP address in the bindings section of IIS. However, in your dns you will need to use the external IP. This is presumably since the 'internal IP' is just a virtual one that Azure uses to map traffic from the external network to the VM's inside azure.
You should find both the internal and external IP's are visible on the VM's desktop.
Switch off TLS 1.3 in the Registry Editor.
This is what worked for me as of writing this in Mar 2021.

Resources