Azure Reserved websites to virtual network - azure

Is it possible to connect azure websites (type reserved mode) to a VM in an existing virtual network? I want to configure the connectionstring of the websites to the internal ip of the SQL Server VM and not over it's public ip due to security reasons.
I know that it works with a web/workerrole to connect directly to the internal ip, but it's no option to create all websites within a webrole....

No we don't support Virtual Network (yet) but you can consider using Service Bus Relay for some scenarios, look at http://www.bradygaster.com/windowsazurewebsites-onprem-servicebus

Related

Azure:Grouping VMs using Cloud service or Virtual Network

We are planning to rent have two VMs (one for Web Server and another for Database server) on Azure. I would like to know what would be the best way to communicate Database server from web server.
Direct communication using DNS.
Keep both the VMs in Cloud service and use host name to communicate.
Form a virtual network and use the persistent virtual machine IP address to connect to.
Thanks In Advance
you don't want to use the Clud Service host name to communicate between the VMs.
If you want to use DNS, you have to provide DNS - you don't need that too.
For that particular scenario, I would recommend something even simpler:
Put the VMs in the same Cloud service
Do not go for any Virtual Network or DNS Solutions
Use VM Name to connect between the machines.
when the VMs are deployed in the same Cloud Service and not in Virtual Network, Windows Azure provides automatic name discovery. The simplest approach is usually the best.
For more information on name resolution scenarios in Windows Azure, read this paper.

How does one setup two non-load-balanced VM web servers in Azure, capable of communicating on private ports?

I'd like to setup the below infrastructure in Azure. I have one possible solution, but it seems like it makes compromises in security architecture. Is there a better way to do this in Azure than in my compromised workaround?:
VM #1: Role: SQL Server and IIS. Server should have a unique public IP address. The hosted websites will be available through public port 80, and connect to local SQL Server.
VM #2: Role: IIS. Server should have a unique public IP address. The hosted websites will be available through public port 80, and will connect to SQL Server on VM #1.
This has been my experience so far:
No issues setting up VM #1.
With VM #2, I tried building it in the same cloud service as VM #1. When I did that, it was assigned the same public IP address as VM #1. Thus, in this scenario, hosting websites on port 80 on both machines doesn't work.
Next I tried building VM #2 in a different cloud service. This resulted in assignment of a unique public IP address. However, I was unable to obtain connectivity to SQL Server on VM #1.
Things I tried for the above: VM #1 SQL Server set as mixed mode, named SQL account provisioned (and connectivity confirmed locally), SQL configured to allow incoming remote TCP connections, firewall rule opened for incoming connections on TCP port that SQL runs under, but so far have not been able to connect to it from VM #2.
One architecture I believe would work is to open a public port on VM #1 and map that to the private SQL Server port. Then VM #2 could connect using the fully-qualifed public DNS name of VM #1. I believe Azure also would allow connectivity to be constrained to the public IP address of VM #2.
However, this seems less than ideal, because now SQL communication is being routed through a more public route than one would normally design for a data center, and an extra public port has to be opened on VM #1 (even if constrained by IP address, I'd rather not expose that surface area if not necessary). Additionally, sending the SQL Server data over a more public network hypothetically means transport security may need to be considered.
Research indicates connectivity between 2 VMs on different cloud services may not be possible using private ports, although the info I've found so far is not conclusive. So again, is there a better way to do this in Azure?
A single cloud service is a security boundary and the only way into it is through a public (input) endpoint on the unique public VIP of the service. A Virtual Network (VNET) can be used to host multiple cloud services and allow private visibility among them without going through a public endpoint.
A typical model would be to put an IIS website in a PaaS cloud service with a public VIP and the backend SQL Server in an IaaS cloud service with a public VIP but NO public endpoints declared on it. Both these cloud services would be hosted in the same VNET. This allows the front end web role instances access to the backend SQL Server instance over the private VNET. There is a hands-on lab in the Windows Azure Training Kit that describes precisely how to implement this.
In this case I would recommend separating the IIS/SQL Server combination so that the SQL Server box is in an IaaS cloud service with no public endpoint (although it will always have a public VIP). I would also recommend using either a Point-to-Site or Site-to-Site VPN which would allow you to access the VMs without exposing a public RDP endpoint. A point-to-site VPN is developer focused and very easy to configure. A site-to-site VPN is more of an IT thing since it requires configuration of a VPN router such as Cisco, Juniper or Windows Server.

Connecting to an Azure Virtual Network from PC

We have a Virtual Network of VMs, storage accounts and websites hosted and working together in the Azure cloud.
Is it possible to connect my work/home PC to this Virtual Network using some VPN software?
Generally speaking two options exist, you can read about these here -
Windows Azure Connect let's you configure machine-to-machine VPN and is agent based
Configuring a private network let's you create a site-to-site VPN, but it typically requires a VPN appliance. I've seen posts on the internet about people managing to configure their router as the VPN gateway but, at least at this point, this is not easy nor supported.
Also worth reading is this overview of Windows Azure Networking features that covers both (and Traffic Manager) by David Chappel
have a look at using Azure Virtual Networks in conjunction with Azure Virtual Machines: http://www.windowsazure.com/en-us/manage/services/networking/add-a-vm-to-a-virtual-network/

Azure VMs Virtual Network inter-communication

I'm new to Azure (strike 1) and totally suck at networking (strike 2).
Nevertheless, I've got two VMs up and running in the same virtual network; one will act as a web server and the other will act as a SQL database server.
While I can see that their internal IP addresses are both in the same network I'm unable to verify that the machines can communicate with each other and am sort of confused regarding the appropriate place to address this.
Microsoft's own documentation says
All virtual machines that you create in Windows Azure can
automatically communicate using a private network channel with other
virtual machines in the same cloud service or virtual network.
However, you need to add an endpoint to a machine for other resources
on the Internet or other virtual networks to communicate with it. You
can associate specific ports and a protocol to endpoints. Resources
can connect to an endpoint by using a protocol of TCP or UDP. The TCP
protocol includes HTTP and HTTPS communication.
So why can't the machines at least ping each other via internal IPs? Is it Windows Firewall getting in the way? I'm starting to wonder if I've chose the wrong approach for a simple web server/database server setup. Please forgive my ignorance. Any help would be greatly appreciated.
If both the machines are in the same Virtual Network, then just turn off Windows Firewall and they will be able to ping each other. Other way is to just allow all incoming ICMP traffic in Windows Firewall with Advanced Settings.
However there is a trick. Both the machines will see each other by IP Addresses, but there will be no name resolution in so defined Virtual Network. Meaning that you won't be able to ping by name, but only by direct IP address. So, if want your Website (on VM1) to connect to SQL Server (on VM2), you have to address it by full IP Address, not machine name.
The only way to make name resolution within a Virtual Network is to use a dedicated DNS server, which you maintain and configure on-premises.
This article describes in details name resolution scenarios in Windows Azure. Your particular case is this:
Name resolution between virtual machines and role instances located in
the same virtual network, but different cloud services
You could potentially achieve name resolution, if you put your VMs is same cloud service. Thus you will not even require dedicated virtual network.
If your VMs are inside a Virtual Network in Azure, then you have to make sure two things.
Required Port is enabled.
Firewall is disabled on the server.
I was trying to connect to one VM where SQL Server DB was installed, from another VM. I Had to enable 1433 port in the VM where SQL was installed. For this you need to add an MSSQL endpoint to the VM on the azure management portal. After that i disabled windows firewall. Then i was able to connect to the VM from another.

Connecting Windows Azure to On-Premise Active Directory

I am trying to connect my Windows Azure Virtual machines to my On Premise network. I have established a site to site VPN tunnel, and have created the appropriate subnets and placed a virtual machine in one of the subnets that isn't the gateway subnet.
My on premise test network is 192.168.9.x/24 my Azure Network is 10.4.x.x/16 with a subnet for DMZ - 10.4.2.x/24 and ServerNetwork at 10.4.3.x/24.
I have confirmed that the tunnel is up and running both on the Windows Azure side, as well as on my Cisco ASA 5505.
I want my servers to be able to communicate across the tunnel, however currently they cannot see each other. I am missing something, I tried static routes between the two servers, and have not had any success. Has anyone gotten this to work? If so what did you do on the networking side of the config to make it work?
Thanks,
Steve
Windows Azure Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
You can specify the address space that will be used for both your virtual network and the virtual network gateway.
Additionally, new name resolution features allow you to connect directly to role instances and virtual machines by hostname.
These features allow you to use Windows Azure as you would a branch office, or as a protected private virtual network in the cloud.
You can read more about it here:
http://msdn.microsoft.com/en-us/library/windowsazure/jj156007.aspx
Here is a lab exercise to walk you through the process:
http://www.windowsazure.com/en-us/manage/services/networking/create-a-virtual-network/

Resources