Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

2 VMs on same NSG can't connect


Summary: I have 2 VMs set on the same network security group in Azure. The two computers cannot see or connect to each other.

Details: 
Running a third-party tool that installs agent software from a server/host computer. This tool has a wizard to create the connectivity as long as the computers are on the same network. Both server and agents are the 2 VMs on the same NSG and will not connect.


P2S Azure VPN assigns invalid ips for "old school routers"


Hi!

So I have an Azure P2S VPN configured to assign IPs in the range 172.16.201.0/24

The first client that connects to the VPN gets IP 172.16.201.0

Everything works well (internet access and subnet access), however I have another IPsec S2S tunnel and the router (a Fortinet firewall) on the other end of the tunnel considers IP 172.16.201.0 to be invalid (as in the /24 range, the first IP should be .1). This means my first VPN client cannot access the machines beyond the S2S tunnel.

The next client and all of the next ones have a >= .1 IP and access works everywhere, including beyond the S2S tunnel.

Is there a way to forbid assigning this .0 IP address?

Thank you very much!

Connect App Service using Point 2 Site VPN


Hi All,

I have a VNET configured with a Gateway and Point 2 Site VPN. I have an App Service which is available to everyone now. I have been told that I need to restrict my App Service to only some IP addresses. Absolutely I can do that using the IP Restriction feature of App Service, but they also want the ability to connect to the VPN from any dynamic IP address (when they are not accessing from a whitelisted IP address) and be able to connect to the App Service.

So is it possible to connect to a Point to Site VPN and then have access to the App Service, along with others with whitelisted IP addresses? Thanks in advance.

Azure VPN Site to Site Connection Issue from On Premise to Azure


Hello Guys,

So the issue is that I have successfully created a Site to Site Gateway from my Azure VMs to my local VMs, and it is already connected and even has in & out data traffic.

My Azure VMs can ping to Local VMs


But on the other hand, my local VMs cannot ping (psping) / telnet (ex: 3389 (RDP port)) to my Azure VMs. Here is the Tracert result:


All VMs' Windows Firewalls are already turned off, and in the Fortigate there is no filtering rule except allowing traffic via the Azure tunnel.

I tried already:

* Reset Azure VPN Gateway

* Allow Any Any on Azure NSG Inbound Rule

* Successfully psping / telnet to the VMs Public IP

* As the Azure VM can ping/telnet to my on-prem VM, I tried joining the Azure VM to the on-prem domain, and it succeeded (I don't know if this is normal).

Any clue? :) Thanks in advance.


Outbound IP question


Hi - I have an Azure network where the VMs do not have public IP addresses. The only public IP is attached to a virtual appliance acting as the gateway. When I go to a VM inside of Azure and open a web browser, I can go to whatismyip.com and it shows me an IP address that is close to my public IP but it is not my IP.

Does anyone know why this would be happening?

Thanks

How to use Azure Application Gateway for internal applications.


Hi Team,

Can we use Azure Application Gateway for SSL offloading for internal applications (Not Internet Facing)?

Regards,

Prasant Rana

Azure Traffic Manager - Traffic Routing


I have set up a Traffic Manager profile (CNAME added in the domain name).

The endpoints are two web servers with public IPs assigned and DNS names mapped to Traffic Manager.

The Monitor status is showing Online in Traffic Manager.

In the NSG, if I open the traffic from Source ANY to Destination (private IP of the web server), the site opens fine (ports 80, 443), but if I put the Source as "Azure Traffic Manager" and Destination (private IP of the web server) (ports 80, 443), the site stops working.

What is the reason for this?


Azure built in default routes


Can someone let me know which of these Azure's built-in default routes support?

* Routing within the subnet

* Routing from a subnet to another subnet in the same vnet

* Routing vnet to vnet using VPN gateway

* Routing vnet to on-premises using vpn gateway


Cannot access resources in Azure Virtual Network configured with P2S connection.


Hello, 

I have followed the MS document regarding P2S connections. The VPN is up. From the Azure VM, I can configure JDBC connections to databases on-premises. However, if I want to do the opposite, connect to Denodo Virtual DataPort installed on Azure using a JDBC connection, I cannot connect. I have configured inbound rules on the Network Security Group that should allow my workstation to connect to the virtual machine. Since I set up the VM using PowerShell, I can remote to the VM without any issues.

What is the IP that I should be using to make this connection? 

The IP of the VPN Gateway?

Thanks in advance for any assistance, 

Lorrin

PTR record problem

Hello, my Azure account is adxxxx@xxxxxxxxx.
I have a Standard DS1 v2 (1 vCPU, 3.5 GB memory).
I also installed MailEnable on it and manage my mail servers on it too.
But somehow I am receiving mail but can't send mail over it.
When I check Remote Server Diagnostics, the DNS Lookup result is:
PTR Record Resolution FAIL, No PTR Record was detected for this host
How can I solve this?

Express route Circuit


Hi there,

I need to know what a circuit means. Can I create multiple circuits with a single ExpressRoute, or can there only be one circuit per ExpressRoute?

Also I would like to know: if I have a single ExpressRoute line provided by the provider from on-premises to Azure, does ExpressRoute maintain high availability, or do I need to take another ExpressRoute connection for high availability?

What I know is that ExpressRoute maintains built-in high availability provided by Microsoft. Please help in clarifying.


pawan

The VPN gateway cannot have a basic SKU


I am getting this error while creating a VPN gateway in my subscription, and I don't have any existing ExpressRoute gateway.



The following issues must be fixed in order to use this virtual network: The VPN gateway cannot have a basic SKU in order for it to coexist with an existing ExpressRoute gateway.


slevik


Forced Tunneling with ExpressRoute and Public EndPoints


Hi

We are building a hybrid Azure cloud environment. There will be two Azure data centers (Melbourne and Sydney), both connected using ExpressRoutes from different peering locations by the same provider.

The organization has decided to use forced tunneling to force all the Azure traffic to on-prem, and from there it would route to the Internet through the edge firewall.

I read and know that in case of forced tunneling, a default 0.0.0.0/0 BGP route is advertised to ensure that all the traffic destined for address space outside the Azure vNET address space will be sent over the ExpressRoute to on-prem. However, I'm not able to find details on:

1. Which side is this BGP default route (0/0) advertised from - from Azure or from the ExpressRoute connectivity provider?

2. Our organization has decided to enable just private peering, and I understand that the public endpoints in Azure require some special configurations - is this detailed in any document?

3. I also read that in case the ExpressRoute fails, the forced tunneling configuration is ignored and Azure VMs can send directly out to the Internet. To prevent this we can configure NSG rules. As our organization has decided to place an HA pair of network firewall virtual appliances (NVA) in Azure, I am not sure if UDRs to send the next hop to the NVA will work in case of ExpressRoute failure, or whether we still need those NSG rules to be put in place?

Thanks

Taranjeet Singh


zamn

Azure DDos Attack


How to monitor if my VM (IIS - IaaS) is under a DDoS attack?

- Is it possible with IIS logs?

With DDoS protection and without? (DDoS Standard)

Thank you.

Get-AzureRmNetworkSecurityGroup not returning SourceAddressPrefix when Destination Port Range has a range or multiple individual ips

#SETUP
$resourceGroupName = ""
$nsgResourceName = ""
$ruleName = ""
$desiredDefaultIp = "xxx.xxx.xxx.xxx/32"
$newIP = "xxx.xxx.xxx.xxx/32"

#GET NSG
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgResourceName -ResourceGroupName $resourceGroupName

#FIND RULE
$specificRule = $nsg.SecurityRules | Where-Object { $_.Name -match "$($ruleName)" }

$index = $nsg.SecurityRules.IndexOf($specificRule)

#IF THERE ARE EXISTING IPS IN THE RULE, KEEP THEM, ELSE, MAKE SURE WE HAVE A DEFAULT IP AT LEAST.
$allowedAddresses = New-Object "System.Collections.Generic.List[String]"

if($specificRule.SourceAddressPrefix) {
  $allowedAddresses = $specificRule.SourceAddressPrefix
} else {
  $allowedAddresses.Add("$desiredDefaultIp")
}

#ADD A NEW IP, IF IT DOESN'T ALREADY EXIST
if($allowedAddresses.Contains($newIP)) {
  Write-Host "IP address already allowed"
  return
} else {
  $allowedAddresses.Add($newIP)
  $nsg.SecurityRules[$index].SourceAddressPrefix = $allowedAddresses 
  Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

Running the following code, I'm getting this error: "Set-AzureRmNetworkSecurityGroup : Required security rule parameters are missing for security rule with Id: [RESOURCE ID] Security rule must specify SourceAddressPrefixes, SourceAddressPrefix, or 
SourceApplicationSecurityGroups.
StatusCode: 400
ReasonPhrase: Bad Request"

This is occurring because while the rule I want is OK, another resource in the network security group uses a port range for the "DestinationPortRange" - specifically 10930-10939. When using the get call - the security rule for this range is returning an empty "SourceAddressPrefix". I have also tried to write out the rule as 10930,10931,109312...,10939 - which also returns an empty "SourceAddressPrefix". When I go to run the Set command the error is thrown because it is expecting a value on this security rule. I don't really want to break up each port to its own individual rule - and I had similar code to this working not long ago - so I'm wondering if something has changed in the Azure API.


Cisco ASA Route Based VPN with IKEv2, VTi and BGP


Hi all,

My customer and I have been attempting to create a Route Based VPN to Azure from a Cisco ASA. A few other people around the internet have been able to achieve this but documentation is sparse.

We've been able to establish the tunnel without issue, but we're unable to bring BGP up. The Azure BGP PeerID is unreachable from the ASA and the BGP neighbourship remains down. When we use static routing over these tunnels Azure is reachable.

The use of BGP is so that eventually we can establish multiple tunnels with failover - static routing with a primary and secondary tunnel (even with routing weights added) caused asymmetric routing, as Azure tried to return traffic over either tunnel. The configuration below focuses on one tunnel.

We're deploying the tunnel with PowerShell as follows:

$gatewayName                  = "HQVPN"
$connectionNamePrime          = "vpnssPrime"
$localNetworkGatewayPrime     = "ISPPrimary"
$localNetwork1                = "169.254.11.1/32"
$localNetworkGatewayPrimeIP   = "x.x.x.x"
$remoteBgpPeerPrimeIP         = "169.254.11.1"
$localASN                     = "65010"
$remoteASN                    = "65050"
$sharedKey                    = "OurSharedKey"

$ipsecpolicy = New-AzureRmIpsecPolicy `
-IkeEncryption AES256 `
-IkeIntegrity SHA384 `
-DhGroup DHGroup24 `
-IpsecEncryption AES256 `
-IpsecIntegrity SHA256 `
-PfsGroup PFS24 `
-SALifeTimeSeconds 86400 `
-SADataSizeKilobytes 49152

foreach ($subscription in $subscriptions) {
  $subscriptionName = $subscription.Name
  $resourceGroup    = $subscription.ResourceGroup
  $location         = $subscription.Location
  $environment      = $subscription.Environment

  Select-AzureRmSubscription -SubscriptionName $subscriptionName

  $vnetGateway = Get-AzureRmVirtualNetworkGateway -Name $gatewayName  -ResourceGroupName $resourceGroup
  $vnetGateway.EnableBgp = $true
  $vnetGateway | Set-AzureRmVirtualNetworkGateway -Asn $localASN

 New-AzureRmLocalNetworkGateway -Name $localNetworkGatewayPrime `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -GatewayIpAddress $localNetworkGatewayPrimeIP `
    -Asn $remoteASN `
    -PeerWeight $routingWeightPrime `
    -BgpPeeringAddress $remoteBgpPeerPrimeIP `
    -AddressPrefix $localNetwork1
 
 $localGatewayPrime = Get-AzureRmLocalNetworkGateway  -Name $localNetworkGatewayPrime -ResourceGroupName $resourceGroup
 
 New-AzureRmVirtualNetworkGatewayConnection `
    -Name $connectionNamePrime `
    -ResourceGroupName $resourceGroup `
    -VirtualNetworkGateway1 $vnetGateway `
    -LocalNetworkGateway2 $localGatewayPrime `
    -RoutingWeight $routingWeightPrime `
    -Location $location `
    -ConnectionType IPsec `
    -IpsecPolicies $ipsecpolicy `
    -SharedKey $sharedKey `
    -EnableBgp $true `
    -UsePolicyBasedTrafficSelectors $false
}

The Cisco configuration is as follows:

!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 24
 prf sha384 sha256 sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256-AZ
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
!
group-policy AzureS2S internal
group-policy AzureS2S attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy AzureS2S
tunnel-group x.x.x.x ipsec-attributes
 isakmp keepalive threshold 60 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
!
 interface Tunnel11
 nameif VPN-AZURE
 ip address 169.254.11.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZR-PROF
!
!
route VPN-AZURE 10.5.255.254 255.255.255.255 x.x.x.x
!
!
router bgp 65050
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.5.255.254 remote-as 65010
  neighbor 10.5.255.254 ebgp-multihop 255
  neighbor 10.5.255.254 activate
  network 192.168.1.0 mask 255.255.255.224
  network 192.168.2.0 mask 255.255.255.224
  network 192.168.3.0 mask 255.255.255.224
  network 192.168.4.0 mask 255.255.255.240
  no auto-summary
  no synchronization
 exit-address-family
!

Thanks,
SJ


Custom Domain redirect for root and www sub-domain


I'm having trouble getting my custom domain to redirect to my host in Azure. I have followed the tutorial here [MSDN docs: "Configuring a custom domain name for an Azure cloud service". Link to follow once my account is verified] but I am getting an error message when I try to add www.mydomain.uk as a CNAME in Azure (in this example, for root: mydomain.uk). It says it cannot validate ownership of the domain, and that I should add a CNAME to the root azurewebsites.net domain. I have done this, and a few days have passed, but it still can't detect it.

vCPUs limit in Single Location with Free License


I was deploying a VM in the West location using a free license.

The maximum vCPUs I was able to use in West was 4.

I wanna know, is it a limitation of the free license that we can use 4 vCPUs in a single location?

Or is there any other method by which we could increase vCPUs in the free license?

Thanks!

Public IP of machine/Virtual Network Gateway


We are creating a VPN b/w Azure and on-prem. So while deploying the VNet Gateway a public IP address is also created, and while deploying a VM as well.

So I wanna confirm: do we need to register these public IP addresses, or are these registered by default and Microsoft will charge money by itself?

Lack of DHCP Options in Azure


Team,

As we all know, Azure’s DHCP servers are responsible for assigning private IP addresses to any resources deployed inside of an Azure VNet (e.g. a VM). Therefore, you do not need to, and should not, bring your own DHCP solution to Azure.

However, this is somewhat problematic, as it does not allow us to centrally assign TCP/IP configuration values to Azure VMs by means of DHCP options. For example:

  • For on-premises machines, which are DHCP-enabled clients, the NTP servers to be used by these machines are automatically pushed through DHCP.
  • For Azure machines, which are clients of Azure’s DHCP servers and not connected to a custom DHCP solution, the NTP servers to be used by these machines have to be manually specified in some other way.

In the example above, these NTP servers could be specified either through (1) post-deployment activities (for example, Custom Script Extension) or (2) some kind of Configuration Management tool (maybe PowerShell DSC if an appropriate module for setting NTP is available, or other enterprise-grade solutions such as Chef or Puppet).

So questions:

  • Is my understanding correct that we should completely abandon any thoughts of managing any kind of TCP/IP configuration of Azure VMs through DHCP?
  • Is my understanding correct that the only available alternatives are either post-deployment scripting, or using some other Configuration Management tool?