Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Azure VPN setup (Express Route Backup)


Hello,

Has anyone set up a VPN from Azure to an onsite firewall before, as I can't work out where in Azure to do this?

We currently have an Express Route from Azure to our Datacentre for our private and public peering, but now want to add a backup to this in the form of a VPN.

The team that look after our firewalls have asked for the public IP to connect in Azure but I can't locate this.

Any advice would be most helpful.

Thanks


Using MFA for Point-To-Site connections into Azure VNET


Hello,

We currently use MFA for our Office 365 users.

Is it possible to utilise MFA (for the same Office 365 users) to access an Azure Virtual Network instead of just using the standard Azure VPN Client, which uses only certificates for authentication?

Address pool for Point-To-Site VPN


Hi guys, 

I have address space 172.30.0.0/16 with one VNet subnet 172.30.0.0/24 and Gateway subnet 172.30.1.0/24.

When I configure address pool 172.30.2.0/24 for Point-To-Site VPN I get an error that this range is overlapping with 172.30.0.0/16.

Should address pool for Point-To-Site VPN be outside of address space 172.30.0.0/24?

Regards

Azure App Service (PaaS) & VPN gateway - Point to Site Latency & High Availability


I have been reading this article Azure VPN Gateway about High Availability Cross-Premises and VNet - to - VNet Connectivity 

It does provide VPN Gateway redundancy information in terms of Site to Site VPN only.

But could anyone provide more information regarding App Services (PaaS) & VPN Gateway (Point to Site-VNet Integration Latency) redundancy, as I couldn't find the following info on the Microsoft Azure site.

1. What is the Azure PaaS service Point to Site latency time for any planned maintenance or unplanned disruption that happens to the active instance? Would the standby instance take over (failover) automatically?

2. Can we make an Active-Active connection from an Azure web app (PaaS) to the VPN gateway in case the VPN is enabled with Active-Active mode?

3. If we use the VPN gateway in Active-Standby mode and the active VPN instance fails, will the Point to Site VPN connection be reconnected automatically?

Thanks.


ACS VNET Subnet

Is it possible to reserve subnets in the same VNET that ACS creates (Windows)?
On the same VNET which ACS creates, we want one subnet where we can build our Barracuda WAF and on the other subnet we would create a Windows Server for the management (jump off to the environment). Will these two subnets get impacted when new pods are created or scaled?

KN

Unexplained 'failed' provisioning state for network interface query


Hello,

From time to time, I experience a 'Failed' value for the 'properties.provisioningState' field (JSON response) when querying a network interface. This state is 'Succeeded' again after restarting the attached VM.

1. What exactly does the 'Failed' state mean? (in regards to network interface/IP configurations)

2. What may be the reason(s) for this state?

Some more details:

Our application is running on an Ubuntu 14 VM. Two identical setups are created, each with a single NIC and a single local and public IP. Both NICs share the same subnet.

From time to time one of the applications (there's always an active one and a backup) swaps the public IP between the NICs by using Azure REST APIs. Part of the swap process is to verify NIC status. For that a query for NIC info is sent, but as mentioned above, sometimes the response's 'provisioningState' field is in 'Failed' state (I'm getting this state in both 'properties.provisioningState' and 'properties.ipConfigurations[0].properties.provisioningState').

3. Are there any logs to search for the cause of this failure?

Hope I'm clear.

Thanks,

Zion

Express Route connection to single Azure Vnet from two different location


My scenario is like below:

BGP session I would like to set up but I am not entirely sure if that will work.

We have two Express Routes from two physically diverse data centers terminating on the same Azure VNet.

DC 1:

Firewall 1  ASN 6501 <--> Azure Sydney VNET-1 - ASN 12076 - Private  

Firewall 1  ASN 6501 <--> Azure Sydney VNET-1 - ASN 12076 - Public  

Firewall 1  ASN 6501 <--> Azure Sydney VNET-1 - ASN 12076 - MS 

DC 2, ASN 6502

Firewall 2  ASN 6502 <--> Azure Sydney VNET-1 - ASN 12076 - Private  

Firewall 2  ASN 6502 <--> Azure Sydney VNET-1 - ASN 12076 - Public  

Firewall 2  ASN 6502 <--> Azure Sydney VNET-1 - ASN 12076 - MS

As I am planning to use the firewall there is no VRF.

I am also planning to use the BGP parameters Local pref 150 in DC1 and prepend x 2 on DC2 to make sure DC1 is preferred all the time.

My questions:

Q1: Does this setup work where two different ASNs from the client terminate on the single ASN and VNet at Azure?

Q2: Do I need to have the VRF, or is a firewall policy to set apart all 3 sessions good enough?

Q3: Can I control the Azure VNet via BGP prepend to make sure it always sends the traffic to DC1, and only if DC1 is not available does it send the traffic to DC2?

Q4: Does Azure have networking-only read-only or read-and-write access, as it is going to be hard to get control from the server team for Azure unless it is only the networking part?

Thanks,

Nilay. 

I have a tasking to filter everything except *.gov domains from web app


I have been tasked with filtering all traffic from my web app except *.gov clients. I have limited things available in the Government Azure. Does anyone have any ideas to make the NSGs block with domain names and not by IP addresses?


Jim


How to configure Azure External Load Balancer for SOFS on top of VM


Hi Guys,

I followed this article to configure SOFS on top of an Azure VM: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-storage-spaces-direct-deployment

After SOFS finished, I can access the file share by DNS name \\sofs\share from another VM but cannot access the file share by IP address \\10.200.131.5\share (I think it is an anomaly in Azure). With this condition I tried to configure an Azure External Load Balancer but it is not working.

How to configure Scale Out File Server using External Azure Load Balancer?

Please help me solve this issue.

Thanks

Hendra 

ExpressRoute with Main DC to be decommissioned


Hi Expert,

I have the following scenario and need some validation(s)

1. In a scenario where a customer has a main datacenter e.g. Main Datacenter A and with over 10 branch offices (sites) connected to the same WAN as the main center.

However, over time the main datacenter will be decommissioned after all servers have been migrated to Azure using ASR. Will the ExpressRoute connectivity still be valid/established and will users in other branch offices still be able to connect to Azure when Main Datacenter A is decommissioned after the servers migration is completed?

2. When it comes to site-to-site VPN co-existence with ExpressRoute can we have Multi-site site-to-site VPN set up also?

Azure VM - ADFS High Availability


Note: All Windows Server used are version 2012 R2

On-Premise (Existing Infrastructure)

10.10.1.58 - ADFS01

10.10.1.59 - ADFS02

10.10.1.60 - sts.domain.com (Windows Network Load Balance)

Note: There is an existing site to site VPN configured between on-premise and Microsoft azure

Azure - Virtual Machine. This will serve as high availability for ADFS and should be added as a member of the on-premise Windows Network Load Balance

192.168.10.60 - ADFS03

My issue: when I'm trying to join Azure VM 192.168.10.60 - ADFS03 as a member of on-premise 10.10.1.60 - sts.domain.com (Windows Network Load Balance), the Azure VM 192.168.10.60 - ADFS03 network interface breaks every time and I have to reset the network interface of the Azure VM for me to reuse it.

I would like to know if this is a supported scenario, as per reading the posts from the links below, Windows Network Load Balance is not supported in Azure.

https://www.itprotoday.com/microsoft-azure/q-can-i-use-network-load-balancing-feature-azure

https://support.microsoft.com/en-us/kb/2721672?wa=wsignin1.0

https://www.itprotoday.com/microsoft-azure/azure-load-balancer-use-premises-and-azure

Can Azure Internal Network Load Balance be an alternative? What's the concept of implementing this scenario using Azure ILB?




Get user IP on application behind Azure application gateway


We encountered an issue after moving our web application from an Apache web proxy to Azure Application Gateway. Our web application authenticates an incoming user session from the internet via his/her incoming public IP address, technically from the HTTP header field called 'Remote_Addr'. However, after moving our web application to Azure Application Gateway, the same header field does not contain the actual public IP address; instead it contains the private IP address of the Azure Application Gateway.

After we did some research, we knew that the header field is changed to 'x-forwarded-for'. Our question is: do we have ways to re-configure Azure Application Gateway to log/write the user's incoming public address to 'Remote_Addr'? Otherwise, our application might have a bunch of internal modules that need to be rewritten in order to cater for this header field change.
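
An added example, not part of the original post: one way an application behind a reverse proxy can derive the caller's address from `X-Forwarded-For` while only honouring the header when the TCP peer is the gateway itself. The subnet in `TRUSTED_PROXIES` and the function names are assumptions made for illustration; entries of the form `ip:port` are handled as well as bare addresses.

```python
import ipaddress

# Assumption (constructed value): the subnet the gateway instances live in.
# Only connections arriving from it may supply X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def parse_hop(token):
    """Parse one X-Forwarded-For entry: 'ip', 'ipv4:port' or '[ipv6]:port'."""
    token = token.strip()
    if token.startswith("["):
        token = token[1:token.index("]")]   # ValueError if ']' is missing
    elif token.count(":") == 1:
        token = token.split(":")[0]         # drop the port from ipv4:port
    return ipaddress.ip_address(token)      # ValueError on anything else


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the address to treat as the caller's IP.

    remote_addr is the TCP peer (what Remote_Addr holds); xff_header is the
    raw X-Forwarded-For value or None.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A peer outside the gateway subnet can put anything in the header.
    if not is_trusted(peer) or not xff_header:
        return str(peer)
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of our own proxies; entries further left
    # were supplied by the caller and are not evidence of anything.
    for token in reversed(xff_header.split(",")):
        try:
            hop = parse_hop(token)
        except ValueError:
            return str(peer)                # malformed header: fall back
        if not is_trusted(hop):
            return str(hop)
    return str(peer)
```
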

Stateful Routing

Do Azure Load Balancer and/or Application Gateways have stateful routing capability?

Azure ExpressRoute


Hi Azure Team,

Can you please confirm if it's possible to assign a /29 subnet for Primary and another /29 for the Secondary link for the ExpressRoute?

The reason behind this is that we will have to terminate EACH LINK into a different set of firewalls which will require 3 (three) IP addresses including the VIP for each. So the set-up is something like this:

FW Active--------
                         |
                         |-----------------> Primary Subnet Link (/29)
                         |
FW Passive ------

FW Active--------
                         |
                         |-----------------> Secondary Subnet link (/29)
                         |
FW Passive ------

Example:

FW Active IP - x.x.x.1

FW Passive IP - x.x.x.2

VIP IP - x.x.x.3

Azure IP - x.x.x.4

Cheers,

Daryl



Routing in Azure while migrating from datacentre


Hi #Azure Support Team,

I am trying to migrate the on-premises datacentre located in the US to Azure. There are some remote offices connected to this primary DC using the Cisco router cisco891-k9. So can you please help in understanding how I can use the same router for connecting the remote offices to the Azure datacentre? On-premises uses Check Point also.

Thanks,


Azure Web Application Firewall deploy failed


Hello,

I'm trying to deploy a WAF on my subscription but I'm getting this error:


  • Status Conflict
  • Provisioning state Failed
    Failed
  • { "status": "Failed", "error": { "code": "ResourceDeploymentFailure","message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "InternalServerError", "message": "An error occurred.", "details": [] } ] } }

Previously the WAF got a "failed state" on its own. Now I deleted it and tried to redeploy (on the same VNet, which is the only one that I have) and now I had that problem. I have another one in the same subscription and in the same resource group and it works fine.

Thank you



Traffic Manager and KCD


Is it possible to use Kerberos constrained delegation through a traffic manager profile?  I have two endpoints (as defined in a traffic manager profile) that when I hit directly (via local host A record) the configured HTTP/<name> SPN allows integrated authentication to occur but when I add a CNAME in DNS to the trafficmanager.net address the application says 'unknown' or 'invalid token presented' (don't expect any help on the application, just a question as to whether traffic manager even supports this configuration)?

Azure Web Application Firewall failed to deploy


Hi,

I cannot deploy an HTTPS-enabled Application Gateway in South Central US. However, I am able to open the resource after that and it displays a "Failed" red bar. I've been facing this issue since last week.



Azure VPN Gateway Error Code 853


Getting the Error 853 code when trying to connect to the VPN using the Windows Azure VPN client. Only getting the errors on the Windows 7 machines. We have another machine that's running on Windows 10 and it works fine. I tried reinstalling the certificate and it's still not working. Need help.

"The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid."

Custom Domain with Web App Service deployment slot and Application Gateway?


Hello,

I have a web application configured with 3 deployment slots, each with a custom subdomain. I am trying to configure an application gateway to simply route to one of the slots (test.mydomain.com). The backend pool of the AG has just one FQDN, mydomain-testing.azurewebsite.net. End to end SSL is setup.

What I am finding is that when I enter "https://test.mydomain.com" in the browser, it is actually redirecting (and changing the URL) to (mydomain-testing.azurewebsite.net). My expectation, and what I see on numerous tutorials, is the URL should be retained as https://test.mydomain.com, rather than exposing the FQDN of the backend pool. 

Is this expected behavior, or is there a limitation due to having a deployment slot FQDN as a backend pool member? Is there any way to retain the custom domain name?

Thanks,

Jack
