Strange behaviour with Azure web role IP addresses in IIS

Test case:
Created new cloud project with standard asp.net web site template.
Deployed.
The default configuration defines an endpoint on port 80 without any host headers.
I would have thought this translates to a binding of
*:80:
However, it actually creates a binding of:
10.211.196.111:80:
Where 10.211.196.111 is an IP address of the web role instance.
If we look at the available IP addresses on the machine we have 2:
10.211.196.111
2001:0:4137:9e76:c8c:387d:f52c:3b90
What's interesting is that if we change our IIS binding to listen on all IP addresses *:80 the web site actually stops working. Instead we get a 503 - Service unavailable error.
Why is this important to me? Well, we've been recently making use of the Azure Accelerator for web roles and have found that it does not work if you don't specify a host name. The reason, as explained above, is that it will interpret an empty host name as *:80, which of course results in the 503 error.
So the first question is - could someone explain this behaviour (why listening on all IP addresses doesn't work) and what that second IP address is used for?
Since it looks like I need to patch the azure accelerator so that it uses a specific IP address of the instance, what's the recommended way of finding this? Do you think it's safe to look for an adapter that starts with Microsoft Virtual Machine Bus Network Adapter or perhaps a specific subnet?
Thanks,
Ben

I believe the other IP address is for a second network adapter in the VM that's used for internal communication between the VMs and the fabric controller. It's possible you don't have permission to bind to that other address (so the wildcard "all unassigned IP addresses" mapping doesn't work).
However, I'm not quite convinced of that. If (which I believe is what you're saying) the Windows Azure Accelerator for Web Roles binds everything to *:80:hostname, that seems like evidence that you can do bindings like that.
In any case, to get the IP address, you'd just use RoleEnvironment.CurrentRoleInstance.Endpoints["name"].IPEndpoint. I think for name you'll want HttpIn for the accelerator. You can try using that IP address instead of "*" in that code and see if it helps, but note that the management UI itself has a wildcard mapping, so you're likely to have some sort of conflict (and be unable to make other management changes) unless you also change the management UI to listen on a specific hostname.
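As an added example (not code from the question, the answer, or the Accelerator itself), the PowerShell below does the rebinding the answer suggests: it reads the instance's own IPv4 address, removes the wildcard `*:80:` binding from the site and replaces it with `<instance-ip>:80:`. The site name "Default Web Site", the endpoint name "HttpIn" and the path to Microsoft.WindowsAzure.ServiceRuntime.dll are assumptions; the SDK property used is `InstanceEndpoints`. The second address listed in the question is an IPv6 address, so the fallback deliberately filters to IPv4. It must run elevated on the instance, for instance from a startup task.

```powershell
# Added example, not from the original post. Assumptions: site "Default Web Site",
# endpoint "HttpIn", and the ServiceRuntime assembly path below (placeholder).
Import-Module WebAdministration

function Get-RoleInstanceIPv4 {
    param(
        [string]$EndpointName = 'HttpIn',
        [string]$RuntimeAssembly = 'C:\path\to\Microsoft.WindowsAzure.ServiceRuntime.dll'  # assumption
    )
    # Preferred: ask the fabric through the ServiceRuntime API, as the answer suggests.
    if (Test-Path $RuntimeAssembly) {
        Add-Type -Path $RuntimeAssembly
        $role = [Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment]
        if ($role::IsAvailable) {
            $ep = $role::CurrentRoleInstance.InstanceEndpoints[$EndpointName]
            return $ep.IPEndpoint.Address.ToString()
        }
    }
    # Fallback when the SDK cannot be loaded: first non-loopback IPv4 address of
    # the machine. The question's second address is IPv6 and is skipped here.
    $addr = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
        Select-Object -First 1
    if (-not $addr) { throw 'No IPv4 address found on this instance' }
    return $addr.IPAddressToString
}

function Set-SiteIPBinding {
    # Replace "*:<port>:<host>" with "<ip>:<port>:<host>" on one site.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$Port = 80,
        [string]$HostHeader = ''
    )
    $wildcard = "*:${Port}:${HostHeader}"
    $specific = "${IPAddress}:${Port}:${HostHeader}"
    $existing = @(Get-WebBinding -Name $SiteName -Protocol http | ForEach-Object { $_.bindingInformation })

    if ($existing -notcontains $specific) {
        $params = @{ Name = $SiteName; Protocol = 'http'; IPAddress = $IPAddress; Port = $Port }
        if ($HostHeader) { $params.HostHeader = $HostHeader }
        New-WebBinding @params
    }
    if ($existing -contains $wildcard) {
        Remove-WebBinding -Name $SiteName -Protocol http -BindingInformation $wildcard
    }
    # Bounce the site so the new binding takes effect. A 503 afterwards usually
    # means the application pool stopped; check its state before anything else.
    Stop-Website -Name $SiteName
    Start-Website -Name $SiteName
    return @(Get-WebBinding -Name $SiteName -Protocol http | ForEach-Object { $_.bindingInformation })
}

function Show-HttpListenState {
    # Diagnostics worth capturing before and after the change: what the site is
    # bound to, and which addresses HTTP.SYS is listening on.
    param([Parameter(Mandatory)][string]$SiteName)
    Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
    netsh http show iplisten
}

$site = 'Default Web Site'
$ip   = Get-RoleInstanceIPv4
Show-HttpListenState -SiteName $site
Set-SiteIPBinding -SiteName $site -IPAddress $ip
Show-HttpListenState -SiteName $site
```

Keep the answer's caveat in mind when applying this to the Accelerator: if its management UI keeps a wildcard binding on the same port, the two will contend for port 80, so the management site needs a host-header binding of its own as well.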

Related

Use CloudFlare so I can access website hosted in Azure via IP Address

I am very new to Cloudflare. So please bear with me. I need to access my website (hosted in Microsoft Azure - App Services) via IP address instead of the domain name.
To do this, I need to add HOST=www.mydomain.com into the HTTP header when requesting the website via IP address.
I heard it can be solved via Cloudflare, but the person I asked will not elaborate further. Is it possible? If yes, what service should I purchase? Any manual or instruction will be appreciated.
If Cloudflare isn't possible, do you have any service recommendations?
Thanks :)
The reason the host header is needed is because Azure App Services are multi-tenant (multiple apps on a single IP) by default. So, the server needs some way to know where to route your request to (the host name). In addition, IPs are not guaranteed to be static (they can change as you scale for instance).
It should be possible to secure a single static IP address using the following method -
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip
What is unclear is whether or not this IP would also be dedicated (meaning only your domain would use it). This is what would be required in order to allow you to access the app service without a hostname specified.
Cloudflare will not solve this issue, as it sits at the DNS layer (domain name access). Accessing a server via IP would bypass Cloudflare entirely.

How do I find Source FQDN, Source IP, Port, Protocol, Service on Azure App

How do I find the following for my Azure web app? I am on a premium service and I am unsure of where to look.
Source FQDN
Source IP
Port
Protocol
Service
Is the flow bi-directional?
Thanks in advance.
I'm not entirely sure what your question is asking, but I'll provide some info based on some assumptions of what you're asking for:
FQDN: When you created your app service, you gave it a name. If you named it "gcase" then your FQDN would be gcase.azurewebsites.net.
IP: It depends on what you mean by this. If you're trying to address your App Service, then go into the Custom Domains tab of the blade and you will see an IP address for mapping custom DNS to. Note that this is only available for certain tiers of App Service Plans. However, if you need to know what IPs this can potentially connect to other services from, then go into the Properties tab of the blade and you will see a field labelled "Outbound IP Addresses".
Port and Protocol and Bi-Directional Flow: This totally depends on the software you install on there. We cannot tell you this.
If you can clear up your question, we can help you more. Otherwise, this is the best answer I can give you to your question as it is currently written.
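Added example (not from the question or the answer) that collects the items the answer points at from the Az PowerShell module instead of the portal: the default FQDN, what it currently resolves to inbound, and the outbound addresses the app uses now and could use after scaling. The resource group "rg-example", app name "gcase" and the sample source address are placeholders; a signed-in Az session is assumed.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# existing Connect-AzAccount session; names and addresses are placeholders.
function Get-WebAppAddressing {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name

    # Inbound: the name the app answers on, and the IPv4 address(es) it resolves
    # to right now (not guaranteed stable on shared tiers, as the answer notes).
    $inbound = [System.Net.Dns]::GetHostAddresses($app.DefaultHostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }

    [pscustomobject]@{
        Fqdn                = $app.DefaultHostName
        InboundIPs          = @($inbound)
        # Outbound: addresses in use now, and the full set the app could use
        # after scaling. Allow-lists on the far side should use the latter.
        OutboundIPs         = @($app.OutboundIpAddresses -split ',')
        PossibleOutboundIPs = @($app.PossibleOutboundIpAddresses -split ',')
    }
}

function Test-SourceIPExpected {
    # Is a source address seen on a downstream firewall one this app can use?
    param(
        [Parameter(Mandatory)]$Addressing,
        [Parameter(Mandatory)][string]$SourceIP
    )
    return ($Addressing.PossibleOutboundIPs -contains $SourceIP)
}

$info = Get-WebAppAddressing -ResourceGroupName 'rg-example' -Name 'gcase'
$info
Test-SourceIPExpected -Addressing $info -SourceIP '203.0.113.25'
```

Port, protocol and direction are still a property of whatever the app itself talks to, as the answer says; this only tells you which addresses those flows will carry.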

How to access a site on AWS EC2 without a domain name

I just created a new site on my IIS on Amazon's EC2 and I was wondering if there is a way to access it publicly without assigning a domain.
In detail. I created a new site dev.example.com which is accessible when I am logged in my instance. Is there a way to access it outside by doing let's say 54.xxx.xx.xxx:80:dev.example.com
I don't know if that's even possible so any hints are appreciated
You can definitely do this, but here's what you'll need to do:
Make sure IIS is configured to route any incoming connection on a particular IP address to your site. This is distinct from IIS specifically listening for a particular hostname (e.g. mywebsite.com).
As an alternative to the above, you could also manually set your DNS on your local computer and then use your web browser to visit mywebsite.com. From IIS's perspective, a user will have requested mywebsite.com just as if public DNS were set
As far as the IP address you visit, your instance will either have an ephemeral Public IP Address which will be reset when the instance is stopped and started, or an Elastic IP Address, which persists across restarts.
As @Anthony Manzo mentioned, you'll need to make sure that your Security Group associated with this instance allows Port 80. In addition, you may want to disable Windows Firewall completely (or check that it allows Port 80 on all three "Zones"; Windows Firewall has 3 different zones to manage).
AFAIK the IP addresses assigned to EC2 instances can change throughout their lifetime and therefore you should instead generate an Elastic IP Address (which will always direct to your instance). That way, you don't have to deal with DNS yourself and are still always able to connect to your instance.
Have a look at the "Security Groups" on the left hand of your EC2 web console. You'll have to allow TCP 80 (and whatever else) in the Security Group (probably 'default') first.
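Added example (not code from any of the questions or answers) that covers both the App Service question above, where the site sits on a shared IP and the request must carry the right Host header, and this EC2 one, where a host-header-bound IIS site should be reachable on the instance's public IP. One function sends the request to the IP with an explicit Host header, one adds the local hosts-file override the answer describes as the alternative, and the server-side function opens exactly TCP/80 rather than switching Windows Firewall off. The address 203.0.113.10 and the host names are placeholders; the hosts-file and firewall functions need an elevated prompt, and the EC2 Security Group still has to allow port 80 separately.

```powershell
# Added example, not from the original posts. Placeholders: 203.0.113.10 (the
# instance's public or elastic IP), dev.example.com and www.mydomain.com.

function Invoke-HostHeaderRequest {
    # GET an IP address while presenting a chosen Host header, so a site that is
    # bound by host name (IIS) or shares an IP with other tenants (App Service)
    # can route the request. Returns the HTTP status code.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 80,
        [string]$Path = '/'
    )
    $req = [System.Net.HttpWebRequest]::Create("http://${IPAddress}:${Port}${Path}")
    $req.Host = $HostName          # the override both questions are asking for
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # Non-success answers surface as exceptions; keep the response to read the code.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $status = [int]$resp.StatusCode
    $resp.Close()
    return $status
}

function Add-HostsOverride {
    # The answer's alternative: map the name to the IP locally, so the browser
    # sends the expected Host header by itself. Idempotent.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$HostName
    )
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '^\s*{0}\s+{1}\s*$' -f [regex]::Escape($IPAddress), [regex]::Escape($HostName)
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value "$IPAddress`t$HostName"
    }
    ipconfig /flushdns | Out-Null
}

function Enable-HttpInbound {
    # Server side: allow only TCP/80, on every profile, instead of disabling the
    # firewall. Run on the instance.
    New-NetFirewallRule -DisplayName 'IIS HTTP (TCP 80)' -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow -Profile Any | Out-Null
}

# From a client outside the instance: compare what the IP serves for the
# intended name against an unknown name.
Invoke-HostHeaderRequest -IPAddress '203.0.113.10' -HostName 'dev.example.com'
Invoke-HostHeaderRequest -IPAddress '203.0.113.10' -HostName 'nosuchsite.example'

# Or make the machine resolve the name locally and just browse to it.
Add-HostsOverride -IPAddress '203.0.113.10' -HostName 'dev.example.com'
```

This is plain HTTP; over HTTPS the name also has to reach the server as the TLS server name, which the hosts-file route handles for you and the raw-IP route does not.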

Statically configured NICs lose all settings when I turn Azure machines back on

I configured two AD controllers and a WINS server in Azure, each with static IPs, and then turned them off for the weekend. Now that I turn the machines back on, all of the NICs are set up to obtain an IP automatically.
When I go back into the NIC and reconfigure it for a static IP, I get an error message that the IP address I entered for the network adapter is already assigned to another adapter which is no longer present in the computer. Then it asks me if I want to remove the static IP configuration for the absent adapter.
What is happening here? Is there something I am configuring incorrectly that forces my configured static NICs to change? Do I want to answer yes and reconfigure the card yet again, or is there a better way to go about this?
Thanks.
I'm going to answer my own question just in case someone is doing a network search looking for an answer and winds up here.
The issue centers on, for me at least, the differences between what is required for setting up bare-metal AD environments as opposed to AD environments in Azure. On bare metal we are used to configuring inside of the NIC. In Azure, you work in two places. You create your ADs with DNS, then you use Azure PowerShell to configure the AD controller's static IP, and then you go back to your virtual network and register the DNS servers that were created.
There are some things happening behind the scenes in Azure that make this work. So, just create your ADs with DNS. Get the IP that was assigned by DHCP and register it with Azure PowerShell, and then list the name of the AD and its IP in the virtual network and you are done.
Hope this helps.
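Added example (not from the post) of the Azure PowerShell step the answer describes, using the classic service-management cmdlets that apply to these VMs: confirm the wanted address is free in the virtual network, pin it to the VM at the fabric, and read back what the fabric reports. The cloud service "contoso-ad", VNet "contoso-vnet", VM names and 10.0.0.x addresses are assumptions. The guest NIC stays on DHCP, as the answer says, and registering the DNS servers on the virtual network is still a separate step in the network configuration.

```powershell
# Added example, not from the original post. Classic (ASM) Azure PowerShell
# module, already signed in. Assumptions: cloud service 'contoso-ad', VNet
# 'contoso-vnet', and the VM names / addresses in $StaticIPs.
$ServiceName = 'contoso-ad'
$VNetName    = 'contoso-vnet'
$StaticIPs   = @{
    'dc01'   = '10.0.0.4'
    'dc02'   = '10.0.0.5'
    'wins01' = '10.0.0.6'
}

function Set-VMStaticVNetIP {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$IPAddress
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM $VMName not found in cloud service $ServiceName" }

    # If DHCP already handed the VM this address, pinning it is a no-op for the
    # guest. Otherwise the address must be free in the VNet or the update fails.
    if ($vm.IpAddress -ne $IPAddress) {
        $probe = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
        if (-not $probe.IsAvailable) {
            throw "$IPAddress is in use in $VNetName; free alternatives: $($probe.AvailableAddresses -join ', ')"
        }
    }

    # Reserve the address at the fabric, not inside the guest NIC.
    $vm | Set-AzureStaticVNetIP -IPAddress $IPAddress | Update-AzureVM | Out-Null

    # Read back what the fabric now reports for this VM.
    $after = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    return [pscustomobject]@{
        VM       = $VMName
        Wanted   = $IPAddress
        Reported = $after.IpAddress
        Static   = ($after | Get-AzureStaticVNetIP).IPAddress
    }
}

foreach ($name in $StaticIPs.Keys) {
    Set-VMStaticVNetIP -ServiceName $ServiceName -VMName $name -VNetName $VNetName -IPAddress $StaticIPs[$name]
}
```

Do this before promoting the domain controllers where you can: if a VM currently holds a different DHCP address, the update may restart it to take the new one. Leave the guest adapter on "obtain automatically" afterwards; the reservation is what survives deallocation.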

How to configure my Azure VM Endpoint ACL to allow connection from my Azure Webjob on the same portal

I have a WebJob on an Azure Website that needs to connect to a VM Endpoint to make REST calls.
My Endpoint is configured to deny all except my company's IP range. Now what rule would I need to add or url should I use so my webjob can connect to the endpoint?
I have tried the following without success:
Allow my website virtual IP address in the ACL
Connect to the endpoint using the internal IP instead of the DNS without changing the ACL
Connect to the endpoint using the public virtual IP instead of the DNS without changing the ACL
This works but is not what I am looking for:
Remove the current ACL and allow all
Keep the ACL but add a /16 rule with my website IP
Thank you for your help, and let me know if you need precision!
I need the same thing but it seems as though is not possible right now. Looking at this answer on a related question:
Azure Web Sites do not have dedicated outbound IP addresses for each deployment. This precludes you from using ACLs or Virtual Networks to connect to your Redis / Solr virtual machines.
So even though you can have a (reasonably) fixed incoming IP address on Azure Websites, the outgoing address is highly unpredictable and as far as I can see, the only exclusion that you could make was to restrict it to the entire range of IP addresses for that data centre which is far from ideal.
A solution moving forward will be to connect your Azure Website and the VM on the same Virtual Network. As of my writing this it is still in Preview so it still is not ready for production use just yet.
Here is more information on it: http://azure.microsoft.com/blog/2014/09/15/azure-websites-virtual-network-integration/