Missing subnet referenced 'GatewaySubnet' in virtual network 'MyNetwork' - azure

I've built a network in Azure that contains two subnets, Back and Front.
I'm now trying to create a gateway using Set-AzureVNetConfig but I'm getting a missing subnet called GatewaySubnet. This word does not exist anywhere in my scripts and Googling the word returns no results so it cannot be a reserved word.
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <LocalNetworkSite name="lnt">
        <AddressSpace>
          <AddressPrefix>10.55.10.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>1.2.3.4</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="net" AffinityGroup="ag">
        <AddressSpace>
          <AddressPrefix>10.10.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Front">
            <AddressPrefix>10.10.1.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="Back">
            <AddressPrefix>10.10.2.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="lnt" />
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
Why does Azure think my config file is missing a subnet called GatewaySubnet?

Taking a guess that this is a point-to-site network (and it looks like one). If that's the case, you need to add the gateway subnet (you can see this in the portal, for point-to-site network configuration). You can add this from the Configure tab: scroll to the bottom and look at virtual network address spaces - you'll see a button to add the gateway subnet. If you do this, and then export your network, you'll see a GatewaySubnet element.
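
A pre-flight check for this error, as an added example (not code from the original post or from Azure): it lints a network configuration file before it is passed to Set-AzureVNetConfig. It assumes the rule is that any site with a Gateway element needs a subnet named GatewaySubnet, and it also checks that subnets sit inside the address space and do not overlap; `lint_netcfg` and `SAMPLE` are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"n": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

# Constructed sample: the question's virtual network site, with the file closed properly.
SAMPLE = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration><VirtualNetworkSites>
    <VirtualNetworkSite name="net" AffinityGroup="ag">
      <AddressSpace><AddressPrefix>10.10.0.0/16</AddressPrefix></AddressSpace>
      <Subnets>
        <Subnet name="Front"><AddressPrefix>10.10.1.0/24</AddressPrefix></Subnet>
        <Subnet name="Back"><AddressPrefix>10.10.2.0/24</AddressPrefix></Subnet>
      </Subnets>
      <Gateway><ConnectionsToLocalNetwork>
        <LocalNetworkSiteRef name="lnt" />
      </ConnectionsToLocalNetwork></Gateway>
    </VirtualNetworkSite>
  </VirtualNetworkSites></VirtualNetworkConfiguration>
</NetworkConfiguration>"""


def lint_netcfg(xml_text):
    """Return a list of problems found in a network configuration file."""
    problems = []
    for site in ET.fromstring(xml_text).iterfind(".//n:VirtualNetworkSite", NS):
        name = site.get("name")
        space = [ipaddress.ip_network(p.text.strip())
                 for p in site.iterfind("n:AddressSpace/n:AddressPrefix", NS)]
        subnets = {s.get("name"): ipaddress.ip_network(
                       s.findtext("n:AddressPrefix", namespaces=NS).strip())
                   for s in site.iterfind("n:Subnets/n:Subnet", NS)}
        # Assumed rule: a <Gateway> element requires a subnet named GatewaySubnet.
        if site.find("n:Gateway", NS) is not None and "GatewaySubnet" not in subnets:
            problems.append(f"{name}: <Gateway> present but no subnet named GatewaySubnet")
        for sname, net in subnets.items():
            if not any(net.subnet_of(a) for a in space):
                problems.append(f"{name}: subnet {sname} {net} is outside the address space")
        # Sorted by network address, overlapping ranges end up next to each other.
        ordered = sorted(subnets.items(), key=lambda kv: kv[1])
        for (a_name, a), (b_name, b) in zip(ordered, ordered[1:]):
            if a.overlaps(b):
                problems.append(f"{name}: subnets {a_name} and {b_name} overlap")
    return problems


if __name__ == "__main__":
    for problem in lint_netcfg(SAMPLE):
        print(problem)
```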

Related

Azure Private Network Gateway - removing propagated network

I have created an Azure Virtual Network with address space 10.50.50.0/23. In it, I have created 5 subnets - 10.50.50.0/26, 10.50.50.64/26, 10.50.50.128/26, 10.50.51.0/26 and 172.16.0.0/26. On top of this network I have created a Virtual Network Gateway (VPN) with point-to-site 10.99.99.0/25. I would like to limit routing to only 2 subnets, 10.50.51.0/26 and 10.50.51.64/26. To do that I added --custom-routes for only those two networks ... but in my client I still saw routing to the whole network range (10.50.50.0/23), and the same after creating a new route table and creating new hops ... any idea how to modify that?
If you want to limit the route on the client, you should add a route on the client instead of the Azure virtual network. In fact, you can find the route of the VPN client in the file VpnSettings.xml in the Generic folder of the downloaded VPN client package.
The file VpnSettings.xml will look like this:
<?xml version="1.0"?>
<VpnProfile xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <VpnServer>azuregateway-xxxxx-xxx.vpn.azure.com</VpnServer>
  <VpnType>SSTP</VpnType>
  <CaCert>xxxxx</CaCert>
  <Routes>10.0.0.0/16</Routes>
  <Auth>EAPTLS</Auth>
  <VnetName>example-network</VnetName>
  <VnetId>06e10077-xxxx-xxxx-84d6-5aa4db8b6752</VnetId>
  <ServerCertRootCn>DigiCert Global Root CA</ServerCertRootCn>
  <ServerCertIssuerCn>DigiCert Global Root CA</ServerCertIssuerCn>
  <VpnClientAddressPool>192.168.100.0/24</VpnClientAddressPool>
  <AadIssuer />
  <AadTenant />
  <AadAudience />
  <CustomDnsServers />
</VpnProfile>
You could try to modify the route to <Routes>10.50.51.0/26,10.50.51.64/26</Routes> then you could reinstall the VPN client package like VpnClientSetupAmd64.exe.
In addition, you can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.
Confirmed with Microsoft, currently not supported.

How can I set the private IP address of an Azure web role as static?

I have an Azure cloud service containing several web roles, in an Azure virtual network. I want to set the roles' private IP addresses as static, so that the web roles can communicate over the network. However, the private IP addresses change when the cloud service is updated. How can I set the private IP address as static so that it doesn't change with every deployment? I want to do the same thing I can with virtual machines:
If you really want to have a static IP address for your roles or VMs you will have to use the Reserved IP addresses feature. A maximum of 20 reserved IP addresses are available per subscription.
https://azure.microsoft.com/en-in/documentation/articles/virtual-networks-reserved-public-ip/
In PowerShell you can do this to create a new Reserved IP:
$ReservedIP = New-AzureReservedIP -ReservedIPName "FirewallIP" -Label "WebAppFirewallIP" -Location "Japan West"
In the service config of a role you can specify it like this:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="ReservedIPSample" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-01.2.3">
  <Role name="WebRole1">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="UseDevelopmentStorage=true" />
    </ConfigurationSettings>
  </Role>
  <NetworkConfiguration>
    <AddressAssignments>
      <ReservedIPs>
        <ReservedIP name="MyReservedIP"/>
      </ReservedIPs>
    </AddressAssignments>
  </NetworkConfiguration>
</ServiceConfiguration>
In general though, if you do not delete a deployment you will have the same IP address for a given cloud service.

Deploying a Cloud Service to multiple virtual networks

I have an Azure cloud service hosted at example.cloudapp.net and within the portal I have configured two virtual networks, one that is linked to a disaster recovery site and one that is linked to the main site.
I was successfully able to deploy the cloud service to within the virtual network by using the following configuration in the ServiceConfiguration.Cloud.cscfg:
<NetworkConfiguration>
  <VirtualNetworkSite name="VNET1" />
  <AddressAssignments>
    <InstanceAddress roleName="mybudget">
      <Subnets>
        <Subnet name="CloudService" />
      </Subnets>
    </InstanceAddress>
    <ReservedIPs>
      <ReservedIP name="mycloudservice" />
    </ReservedIPs>
  </AddressAssignments>
</NetworkConfiguration>
I want to deploy the Cloud Service not only to VNET1 but also to VNET2, is there any way of deploying to additional VNETs at the same time? The subnets are named the same although have different values. Any help on this would be greatly appreciated.
No, the same cloud service cannot be deployed to two different VNets. You can create a replica of the cloud service by using the same configuration files but in a new cloud service.

Restrict Azure Website WebAPI to Azure internal only

As far as I know it is - unfortunately - not possible to restrict an Azure website to be available to Azure-internal services only, since Websites do not support virtual networks - currently.
Is this still correct?
If yes... I'm thinking of creating an Azure worker role instead to host my services. Is it possible to make the service only available to the websites from my subscription?
Thank you in advance
best
laurin
Laurin - you are correct - while Websites can utilise Hybrid Connections to connect back to services on-premises they aren't actually able to connect (and be restricted to) internal Azure services.
If you use a Web Role you will need to set up a Virtual Network with an appropriate private IP address range and then ensure you add your Web Role to this Virtual Network. This is done by editing the service configuration of your Cloud Service deployment in Visual Studio and making it similar to the below:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration ...>
  <Role name="WebRole1">
    ...
  </Role>
  <NetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="YourDns" IPAddress="10.4.3.1" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSite name="YourVirtualNetwork" />
    <AddressAssignments>
      <InstanceAddress roleName="WebRole1">
        <Subnets>
          <Subnet name="FrontEndSubnet" />
        </Subnets>
      </InstanceAddress>
    </AddressAssignments>
  </NetworkConfiguration>
</ServiceConfiguration>

On-premises connectivity issue from Azure (using site-to-site connectivity)

I recently bought an Azure subscription and created site-to-site VPN connectivity between the Azure network & the enterprise network. The connectivity shows as successful in the virtual network dashboard & the enterprise VPN gateway logs. We have configured the virtual address space & the on-premises local network as shown at the bottom.
Issue
The connectivity between azure & enterprise network shows successful in the dashboard but when we try reaching the enterprise ip 116.197.178.5 we are unable to reach the IP, tried via nmap, ssh etc.
From the (Ubuntu Linux) VM we are able to reach the internet but have issues with the enterprise connectivity.
The same configuration was working in March 2014 when we had tried using the free Azure trial account. Looks like there has been a change in Azure services sometime during March 2014.
I don't see any way to debug this issue.
I had followed the doc in msdn site (Configure a Site-to-Site VPN in the Management Portal)
Help
Can someone tell me whether I'm doing anything wrong?
Is there a way I can debug this issue?
Device Route info
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.1.1        0.0.0.0         UG    0      0        0 eth0
default         10.2.1.1        0.0.0.0         UG    100    0        0 eth0
10.2.1.0        *               255.255.255.0   U     0      0        0 eth0
Local network
<LocalNetworkSite name="EnterpriseNetwork">
  <AddressSpace>
    <AddressPrefix>10.1.0.0/16</AddressPrefix>
  </AddressSpace>
  <VPNGatewayAddress>xxx.197.179.249</VPNGatewayAddress>
</LocalNetworkSite>
Virtual network
<VirtualNetworkSite name="Azure-network" Location="Southeast Asia">
  <AddressSpace>
    <AddressPrefix>10.2.0.0/16</AddressPrefix>
  </AddressSpace>
  <Subnets>
    <Subnet name="FrontEndSubnet">
      <AddressPrefix>10.2.0.0/24</AddressPrefix>
    </Subnet>
    <Subnet name="BackEndSubnet">
      <AddressPrefix>10.2.1.0/24</AddressPrefix>
    </Subnet>
    <Subnet name="ADDNSSubnet">
      <AddressPrefix>10.2.2.0/23</AddressPrefix>
    </Subnet>
    <Subnet name="GatewaySubnet">
      <AddressPrefix>10.2.4.0/29</AddressPrefix>
    </Subnet>
  </Subnets>
  <DnsServersRef>
    <DnsServerRef name="GoogleDNS" />
  </DnsServersRef>
  <Gateway>
    <ConnectionsToLocalNetwork>
      <LocalNetworkSiteRef name="EnterpriseNetwork">
        <Connection type="IPsec" />
      </LocalNetworkSiteRef>
    </ConnectionsToLocalNetwork>
  </Gateway>
</VirtualNetworkSite>
Rosh,
The IP 116.197.178.5 is a public IP address and should be routed via the internet connections on your VMs (assuming you haven't hardcoded the route table otherwise).
Your private on-premises network is 10.2.0.0/24 and would be the only range that should be being routed via your VPN (again, assuming you haven't played with the route tables on your Azure VMs).
It sounds like you might be trying to route traffic to 116.197.178.5 via your VPN connection which would require you to hardcode the route to be via your local VPN gateway (and not the one to the Internet).
Hope this makes sense.
Simon.
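
The routing decision discussed in this thread, as an added example (not from the original posts): a longest-prefix match over the routes implied by the configuration fragments in the question. The route model (virtual network address space stays local, local network site prefixes go to the gateway, everything else goes to the internet), the hop labels and the names `build_routes` and `next_hop` are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the question's two fragments wrapped in one root element.
# The elided gateway address and the subnets are left out; they are not needed here.
SAMPLE = """<cfg>
  <LocalNetworkSite name="EnterpriseNetwork">
    <AddressSpace><AddressPrefix>10.1.0.0/16</AddressPrefix></AddressSpace>
  </LocalNetworkSite>
  <VirtualNetworkSite name="Azure-network" Location="Southeast Asia">
    <AddressSpace><AddressPrefix>10.2.0.0/16</AddressPrefix></AddressSpace>
    <Gateway><ConnectionsToLocalNetwork>
      <LocalNetworkSiteRef name="EnterpriseNetwork"><Connection type="IPsec" /></LocalNetworkSiteRef>
    </ConnectionsToLocalNetwork></Gateway>
  </VirtualNetworkSite>
</cfg>"""


def build_routes(xml_text):
    """Return (network, next_hop_label) pairs implied by the configuration."""
    root = ET.fromstring(xml_text)
    local = {s.get("name"): [ipaddress.ip_network(p.text.strip())
                             for p in s.iter("AddressPrefix")]
             for s in root.iter("LocalNetworkSite")}
    # Assumed default: anything without a more specific route leaves via the internet.
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "internet")]
    for vnet in root.iter("VirtualNetworkSite"):
        routes += [(ipaddress.ip_network(p.text.strip()), "vnet-local")
                   for p in vnet.iterfind("AddressSpace/AddressPrefix")]
        # Only prefixes of referenced local network sites are sent to the gateway.
        for ref in vnet.iter("LocalNetworkSiteRef"):
            routes += [(net, "vpn-gateway:" + ref.get("name"))
                       for net in local.get(ref.get("name"), [])]
    return routes


def next_hop(routes, destination):
    """Pick the matching route with the longest prefix."""
    addr = ipaddress.ip_address(destination)
    _, hop = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return hop


if __name__ == "__main__":
    table = build_routes(SAMPLE)
    for dest in ("116.197.178.5", "10.1.4.20", "10.2.1.4"):
        print(dest, "->", next_hop(table, dest))
```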
