What is the concept of Private Ports in Azure Virtual Machines? What is its key advantage or use case. There scenarios I checked that for the RDP endpoint the Public Port is 3389 and private is takes up some random port number.
In order to access the VM via RD, I am forced to open that private port as well to access that. In few places I have seen for an HTTP endpoint both Private Port and Public port are made 80 for access?
What is the theory behind this?
Windows Azure places all of your Virtual Machines behind a load balancer. All of your virtual machines can open outbound connections. For inbound connections, you need to explicitly open ports in the firewall. These are input endpoints and instance input endpoints:
Input endpoints are used when you'll load-balance traffic across virtual machines (e.g. a web server)
Instance input endpoints would allow you to have a connection straight to a specific virtual machine (e.g. a database server)
Now, regarding public and private ports: Public ports are the port numbers exposed to the outside world. So for a web site, maybe that's port 80. You can then map that port to a port on the virtual machine itself. Maybe you run your web server on port 8000 for some reason. In this case, you can map public port 80 to private port 8000.
Now imagine SSH. SSH likes to listen on port 22. But if you have, say, 3 Linux vm's in a single service, there's simply no way to access all of them on port 22, since they all share an ip address. Therefore you'd need a specific port number for each machine. In this case, you'd assign, say, port 20000 to vm1, 21000 to vm2, etc. on the public port side, as an Instance Input Endpoint pointing to a specific virtual machine instance at port 22 on the private port side.
Hopefully that makes some sense... :)
Related
Azure endpoints have to be implemented on VMs to let external traffic reach a VM inside a virtual network.
Such endpoints have public and private ports, which can be the same apparently.
What is the exact purpose of the public port? Is there any other purpose than simply hiding the private port of an application (say 1433 for SQL server for example)?
Endpoint are an old concept (dying our, really), with ARM you dont have those, you just have a public IP you attach to the VM (and you cant even do port mapping with public IP, you need load balancer for that)
There is no other purpose, only hiding the private port (which doesnt really change much against a port scan)
Below is my scenario. I have created an Azure VM endpoint. This endpoint is configured to listen on port xxx. The same port number is configured as both public and private port (on the endpoint). This port number within the VM is actually a port that SQL Server endpoint is linked to.
Then I have added an ACL to allow traffic only from a specific public IP. i.e our office public IP.
Now I am trying to connect to SQL Server remotely through this new port and I am not able to. Locally on the VM this SQL Server port is functioning as it supposed to.
I've created Virtual Machines and assigned them the Endpoints.
Question:
Lets assume I have one endpoint:
1 For port 4444 with two acls:
1.1 order=1, action=Permit, ip=3.3.3.3/32
1.2 order=2, action=Deny, ip=0.0.0.0/0
Does it mean that it's possible to connect to this instance only from ip 3.3.3.3 and only to port 4444? All other connections from another IPs or to another ports will be rejected? Including the SSH ones..
This question should be moved to ServerFault, but...
You opened a single endpoint on port 4444. Therefore, only traffic targeted at port 4444 will get through.
You set up a mask with an exact ip address (3.3.3.3/32). That is the only IP address that will be allowed through, on port 4444.
If you set up your VM in Azure, you get an ssh port created for you. You can assign ACLs to that port as well, but each port will have its own ACLs. So your ACL on port 4444 doesn't impact the ssh port.
I have a virtual machine (for testing, not a production server) based on Ubuntu 14.04 LTS. The default SSH port 22 is opened by default on Azure
I want to change it to 12131. I edited my SSH configuration file and changed port to 12131, then reloaded ssh service by:
service ssh reload
Then I logged into my Windows Azure portal and updated endpoint SSH as:
Public Port 12131
Private Port 12131
Now I'm getting timeout with SSH. What is the proper way to change SSH port in Ubuntu 14.04 in Azure?
Thanks for the help.
First of all, the most important is the Public port. This is the Internet facing port. You can absolutely safely edit just the public port to XXXX and leave private port to 22. Azure Load Balancer (there is always a Load balancer in front of your VMs in Azure) will properly route the connection to your VM's 22 Port. Thus no need to edit your SSH daemon config.
I suggest that you start over with a new VM and only change the public port of the endpoint. You will not have issues with such configuration.
The issue you faced can be caused by IPTABLES configuration which does not allow incoming 12131.
Update
ubussl.cloudapp.net is configured exactly the way I describe. I let it there for test to connect. If you cannot connect, then it is our very own ISP that is blocking this connection. Try shifting the SSH public port to 80 or 443, while living the private to 22 to make sure the connection is not intentionally blocked by ISP / CORP firewall.
Change both the public and the private ports in the Endpoints configuration page to the desired port. Here I change the ports for SSH from 22 to 993
I am using Azure Virtual Machine (Windows Server 2008 R2 image) provided from the gallery and created Public port and private port using the portal. I did remote log in to VM and I run a TCP server application inside VM (TCP server binds to the private port of the VM). Problem I face is that I can not connect it through the public IP and port (from external machine). I have created a inbound rule in VM's Firewall, where I enable connection to the Private port of VM. I tried recreating the VM, also the new ports. Still problem persists. One more thing I observed is that my TCP Client is able to connect to RemoteDesktop port of the VM also the PowerShell port. But does not connect to the port that I created through the portal. Pls suggest what can be wrong?
Note: I also observed some weird behavior. I enabled all ports for my TCP Server app in Inbound rule of firewall and found that some unknown IP (was similar to azure internal IP) is connecting to my server. Why it is happening?
I would like to understand as to how you are trying to connect with the Virtual Machine, using RDP or trying to test the connectivity, for example, using Port Ping.
Endpoints for RDP and Powershell are configured by default. So if you are trying to connect using Remote Desktop, you can directly connect to the VM using MSTSC from Run and provide the IP of the VM followed by the Port Number using the below format
xx.xx.xx.xx:3389
However if you would like to test the connectivity to the VM, I suggest you to use Port Ping instead of ICMP ping since ICMP traffic is blocked by the Azure load balancer and the ping requests timeout. While Ping.exe uses ICMP, other tools such as PsPing, Nmap, or Telnet allow you to test connectivity to a specific TCP port.
On the other hand, after creating the VM, you can add endpoints additionally as needed. You can also manage incoming traffic to the public port by configuring rules for the Network Access Control List (ACL) of the endpoint.
The private port is used internally by the virtual machine to listen for traffic on that endpoint.
The public port is used by the Azure load balancer to communicate with the virtual machine from
external resources. After you create an endpoint, you can use the network access control list
(ACL) to define rules that help isolate and control the incoming traffic on the public port. For
more information, see About Network Access Control Lists.