Azure VM: More than one Public IP - azure

Can anyone confirm if Azure VM allows more than one Public IP? We want to host multiple website on single VM and hence want to have different IP for each website. I know we can host more VM, but that will greatly increase our expense too. So, I just want more than 1 Public IP on VM.

You can add multiple IP addresses for a cloud service. Since the VM's are "inside" the cloud service, this gives you in a way multiple public IP addresses for a virtual machine. The procedure is documented at [1]. Additional addresses currently cost about $3/month.
Here's the steps to add a new reserved IP address to a cloud service.
First create a new reserved IP address:
New-AzureReservedIP –ReservedIPName "MyIPAddress" –Location "West Europe"
Associate the IP address with cloud service:
Add-AzureVirtualIP -VirtualIPName MyIPAddress -ServiceName MyCloudService
Create endpoint that maps the IP address to a virtual machines. If you have multiple vm's and want load balancer, repeat this for each vm. In order to run multiple web sites, you would put each website to different port (the localport). The endpoint listens for connections on the public port and forwards them to the virtual machine's localport.
Get-AzureVM -ServiceName MyCloudService -Name myserver `
| Add-AzureEndpoint -Name QuvastoMail -Protocol tcp `
-LocalPort 8002 -PublicPort 80 -VirtualIPName MyIPAddress `
| Update-AzureVM
[1] http://azure.microsoft.com/en-us/documentation/articles/load-balancer-multivip/

It appears you can now have multiple public IPs for a load balanced cloud service:
http://azure.microsoft.com/en-gb/updates/multiple-vips-per-cloud-service/
Now you can assign more than one load-balanced public IP address to a
set of virtual machines, enabling high-availability and high-scale
scenarios. You can host multiple secure websites in a cloud service or
allow multiple SQL Server AlwaysOn Availability Group listeners to
access the same set of virtual machines.
For more information, please vistit the Load Balancer page. There is
no additional charge for this feature.

You would need a different Cloud Service (either Web Role or Virtual Machine) to have different IP addresses. Yes, this will increase overall cost.
The VIP (public IP) for Windows Azure Web Roles and VMs is assigned at the Cloud Service level. Think of a Cloud Service as a logical container - it can contain web/worker roles or VMs (not both currently).

Very possible, very easy actually.
Have your apps listening at your Azure Resource Managed VM, let's say ports 3001, 3002, 3003..
Then create an Load Balancer (just search it).
Create a Public IP Address.
Add it at your Load Balancer's Front-end Pool
Add your VM to your Load Balancer's Back-end Pool
at Inbound NAT rules of your Load Balancer, click "Add"
Select your frontend IP, your VM's network IP configuration, protocol, port and mapped port (click "Custom") to set a custom port.
Sample:
- You want your newly created public ip "52.165.147.25" to route to your vm's port 3001.
- On config that will be port 80 tcp, then port 3001 on mapped port.
- No need to enable "Floating IP (direct server return)" in case you see it.
PS:
On linux VM's you might have to "Optimize Your Network Kernel Parameters"..
Check here (scroll at bottom): http://docs.fluentd.org/v0.12/articles/before-install
sudo nano /etc/sysctl.conf
Add these entries:
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10240 65535
Note the spaces, crucial.
Save it.
sudo sysctl -p
Done.
EDIT:
On the above steps you might have to also take care of CORS (Just google it)
Also, Another alternative I forgot to mention is to add NIC's / Network Interfaces to ya VM's. That won't be a viable option though because of azure max-nic-per-vm limits.

In addition to the earlier answer about Cloud Services, it is now possible to have multiple IP addresses on an Azure VM. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal

You can only have one public IP address per deployment. So if you had 3 VMs in a single deployment, they'd share IP address. You can then choose to load-balance traffic across the instances or direct traffic to a particular VM (or role in cloud services) for a specific port number.
You can use host headers and support multiple websites in a single VM.

We are also having similar problems. We wanted to have multiple SSL certificates applied to multiple sites hosted withing Virtual Machine.
but it seems its not possible at all. Waiting for MS to release this feature.
Comparatively Godaddy and other hosting providers give free 2-3 IP addressed as well if you need more you can request additional Ip Address easily.
as well to get hold of support is too much difficult.
MZ azure really sucks. :(

Related

Cannot access Azure VM Scaleset ip address externally

I have created a Virtual Machine Scaleset in Azure
This scaleset is made up of 5 VMs
There is a public ip
When I do a ping on my public ip I get no response, nor do I get a response with the full name, e.g.
myapp.uksouth.cloudapp.azure.com
Is there something I have missed?
I am wondering if I have to add my machine's IP somewhere?
I am trying to remote into the machines within the scaleset eventually!
This scaleset will be used for azure service fabric
Paul
If you deploy your scale set with "public IP per VM", then each VM gets its own public IP: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine. However, this is not the default in the portal. In the portal, the default is to create a load balancer in front of the scale set with a single public IP on the LB (today, at least; no guarantee it will stay this way). It also comes with NAT rules configured to allow RDP/SSH on ports 50000 and above. They won't necessarily be contiguous, though (at least in the default configuration), so you will need to examine the NAT rules on the load balancer to see which ports are relevant. Once you do, you should be able to do ssh -p <port-from-nat-rule> <public-ip> to ssh in (or similar in your RDP client for Windows).
When I do a ping on my public ip I get no response
Azure does not support ping.
For test, you can use RDP/SSH public IP address with different ports to test the connection.
Are you create VMSS with Azure marketplace? If yes, the Azure LB will configured.
If the load balancer created by your self, please check LB probes, backend pools(all vms should in that backend pools), load balancer rules and NAT rules.
Also you can configure log analytics for Azure load balancer to monitor it.

Azure gateway with a virtual network

I've got multiple questions on the setup of a gateway and VM, so here is what I have actually.
I've got an Application Gateway, and two VM Ubuntu, everything hosted on Azure. They are all on the same Virtual Network. Both VM have only a private IP (10.1.0.4 and 10.1.0.5) and the Gateway have a private IP (10.1.1.4) and a public IP. Because only the Gateway have a public IP, I guess that everything have to go through it, and this is what I want to.
The goals I try to achieve :
Make a load balancer on the port 1680, redirected to port 1680.
To redirect the SSH of each VM to connect specifically to one because at the moment, they have no public IP. Is it possible to do this with a path based rule ? Like www.example.com/VM1 to connect by SSH to the first VM ? If no, what can be used to differentiate the SSH connection of the VM1 and of the VM2 ?
To redirect the port 80 of the gateway to the port 8080 of a specific VM. As my previous example, www.example.com/adminPanelVM1 to connect to the first VM on port 80 (redirected to port 8080 on the VM)
I already managed to create the redirection of the port 1680 of the Gateway with an HTTP Parameter, a Listener and a Rule.
Azure Application Gateway
The Azure Application Gateway operates at the layer 7 in the OSI model on the HTTP/HTTPS/WebSocket protocols, because of that any other protocol (like SSH), is not possible to route.
You got a few options tho.
You can use a Network Security Group, or NSG, for access control to your virtual machines. In the NSG you define where the traffic can come from that is allowed access to the VMs.
A NSG behaves like a access-control-list filtering traffic based on source and destination information and evaluating rules in order of priority. See this page for more information about NSGs.
Another option is to use a load balancer.
Azure Load Balancer
If you need to do port mapping, like you describe in your question, then a simple load balancer might be a better solution for you. An Azure Load Balancer works at a lower level in the in the OSI model, namely layer 4 (transport layer), handling TCP/UDP traffic.
So, if you are using a load balancer, then you can set up NAT rules to forward your traffic to specific machines, in other words, if you want to do:
LB port 1234 redirects to VM1 port 22 and
LB port 4312 redirects to VM2 port 22
you can do that using PowerShell as described in the Creating a public load balancer in Resource Manager by using PowerShell article.
There are quite a few steps but it walks you through the whole process of creating NAT rules, NICs and associated virtual machines.
Azure Application Gateway vs Azure Load Balancer?
These two cervices are distinctly different services and are trying to solve different problem, although those problems might look similar :)
The primary uses of an Application Gateway are:
SSL termination
cookie-based session affinity
round robin for load balancing traffic
Where as the Azure Load Balancer service works as the TCP/UDP level and support e.g. port mapping.
Cost wise, the load balancer service is free while the application gateway is billed per hour.
There are many great articles on this topic, when to pick which service. See for example the links for more details
When to use Azure Load Balancer or Application Gateway
Frequently asked questions for Application Gateway

How do I safely access one Azure VM from another within a Cloud Service and Availability Set

I have an Azure Cloud Service, mywebapp.cloudapp.net, that consists of two Azure VMs - mywebappvm1 and mywebappvm2. Both VMs are in the same Availability Set and have the same DNS name.
I also have a Regional Reserved IP address assigned to the Cloud Service so that I can give our clients a guaranteed IP address that our app uses.
Part of the app uses a private background process, currently only running on one of the VMs. I want to be able to make a connection to that process over TCP running on mywebappvm1 from mywebappvm2. I could use the public IP and an endpoint on mywebappvm1 but I don't want the background service to be publicly accessible.
I'm currently using the private IP address, but is that safe? Will the private IP of each VM change if it's rebooted? I can't see an easy way of fixing the private IP of each VM - that seems like something you can do with a VNET but I can't find any information on how to do it with a cloud service and an availability group as well.
Is there perhaps another way to run a web app on multiple load-balanced VMs within an availability set that would make this easier?
What you do is absolutely safe and actually a recommended best practice. You should not go out to public IP address in order to communicate between the Virtual Machines.
It is also a recommended best practice to organize your Virtual Machines into Virtual Network and sub-nets.
This excellent blog post describes how can you even use static IP addresses for the VMs, so you are always 100% sure that mywebappvm1 always get XXX.XXX.XXX.XXX IP Address andyour mywebappvm2 always get YYY.YYY.YYY.YYY IP Address.
Please note that if you do not use Static IP Address assigned to the VM, it is guaranteed that the IP Address of the VM may change.
The IP for a webRole VM instance will not change for the lifetime of the deployment regardless of reboot, update or swapping. The IP will be released only if you delete the deployment, detailed here

Azure Reserved IP Address Inconsistency

I had a need to add additional public IP addresses to an Azure VM and found a working solution here:
Azure VM: More than one Public IP
Essentially this creates a reserved IP in Azure and then adds the reserved IP to a cloud service. Once it's bound to a cloud service it can be mapped to a VM endpoint.
This all works great but there is one bit I don't understand - The IP address of the reserved IP and the resultant VM endpoint don't match. I have to set up DNS to point to the IP address of the endpoint to make this work. Is there something I am not doing right, or is this just the way reserved VMs work?
It looks like this unanswered question is the same issue:
azure reserved IP for VM is diffrent than the given
Thanks!
The "Azure Cloud Service" is a container that provides internet connectivity to "Azure VMs". Thus, you assign the Internet facing Public IP to the Cloud Service. This article is relatively good at explaining the relationship: Azure Cloud Services
From above link:
Here’s a definition of an Azure IaaS cloud service that will make it easy for you to understand what it is in the context of Azure Infrastructure Services:
A cloud service is a network container where you can place virtual machines.
All virtual machines in that container can communicate with each other directly through Azure (and therefore don’t have to go out to the Internet to communicate with each other).
This container is also assigned a DNS name that is reachable from the Internet.
A rudimentary DNS server is created and can provide name resolution for all virtual machines within the same cloud service container (note that name resolution provided by the DNS server is only available to the virtual machines that are located within the cloud service).
One or more Virtual IP Addresses (VIPs) are assigned to the container and these IP addresses can be used to allow inbound connections from the Internet to the virtual machines.
Certain services (like FTP) may require your vm have a public IP: Azure VM Public IP
(IaaS v1) An Azure cloud service comes with a permanent DNS name - something.cloudapp.net - and has a single VIP allocated whenever there are VMs deployed in it OR whenever a reserved IP address is associated with it. Traffic is either load balanced or NATted (port forwarded) to the VM from the Azure Load Balancer sitting on the VIP. You can also associate a public instance-level IP address (PIP) with a VM, which gives it an additional IP address. The VIP always has a DNS name (something.cloudapp.net) while the PIP has one only if you specifically add it, I did a post which goes into these differences.
(IaaS v2) VMs are not deployed into cloud services and only have a public IP address if one is specifically added - either by configuring a PIP on the NIC of the VM (and optionally giving it a cloudapp.azure.com DNS name) or by configuring a load balancer and either load balancing or NATting traffic to it. This load balancer is configured with a public IP address and can optionally have a cloudapp.azure.com DNS name associated with it. (Ignoring internal load balancers in this discussion.)

azure multiple public ip for a vm

I want to have three public ip addresses for my VM in azure. I got one when I created the VM and now I want to assign two reserved ip addresses to my VM. I was able to create the reserved ip address but not sure how to assign them to existing VM or assign multiple to a new VM. Any suggestions on how to do this?
In Azure, a Load Balancer is required in order to direct traffic from multiple VIP addresses to a single (or multiple) VMs.
If, for example, you want a single VM to host multiple websites, all of which need to be accessible externally via port 443, you'd need three VIP addresses assigned to the Load Balancer, with a NAT on each at least two of the VIPs; i.e.
Site a: Incoming 443-443 to VM
Site b: Incoming 443-444 to VM
Site c: Incoming 443-445 to VM
All the traffic from the Load Balancer could then be routed to one VM, where you'd direct traffic on each incoming port to the required website based. This MS article explains it really well: https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-multivip/
Reserved IP addresses are a way of ensuring that your VIP is no longer dynamic, which they are by default. The following article explains it well, including how to take an existing Cloud Service's currently-running dynamic VIP and making it static (Reserved): https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-reserved-public-ip/
An Azure VM can have two public IP addresses - one is the VIP of the cloud service containing the VM (as long as there are endpoints configured for the VM) and the other is the PIP (or public instance IP address) associated with the VM. A reserved IP address is an orthogonal concept to VIPs and PIPs and its use is documented here. I did a post on VIPs, DIPs and PIPs that you may find helpful.

Resources