Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

haproxy + keepalived cluster in Azure



I'm trying to set up a haproxy + keepalived cluster. The problem I'm having is that the virtual_ipaddress in the keepalived config seems to be binding to both hosts, so I don't think keepalived is working as it should!

master node ip details

[root@weeu-c-u-pxy01 conf.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0d:3a:25:dc:14 brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.39/27 brd 10.20.1.63 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.20.1.51/32 scope global eth0

slave node ip details

[root@weeu-c-u-pxy02 conf.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0d:3a:25:01:77 brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.40/27 brd 10.20.1.63 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.20.1.51/32 scope global eth0
       valid_lft forever preferred_lft forever

Master node

vrrp_instance VI_1 {
        notify /usr/local/bin/keepalived-notify.sh
        smtp_alert
        virtual_router_id 51
        state MASTER
        interface eth0
        priority 151
        advert_int 1
        virtual_ipaddress {
                10.20.1.51
                }
        track_script {
                haproxy
                }
        }

Slave node

vrrp_instance VI_1 {
        notify /usr/local/bin/keepalived-notify.sh
        smtp_alert
        virtual_router_id 51
        state MASTER
        interface eth0
        priority 91
        advert_int 1
        virtual_ipaddress {
                10.20.1.51
                }
        track_script {
                haproxy
                }
        }

Does this have something to do with multicast / unicast not being supported?

regards

James
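A VIP that shows up on both nodes at the same time is the classic VRRP split-brain signature: each node stops hearing the other's advertisements, both decide they are master, and both claim the address. Azure virtual networks do not deliver multicast or broadcast frames, so the default VRRP advertisements (sent to 224.0.0.18) never reach the peer, and both instances above are configured `state MASTER` on the same `virtual_router_id`. keepalived can advertise over unicast instead (`unicast_src_ip` / `unicast_peer` in the `vrrp_instance`), and the Azure fabric only forwards traffic to addresses it knows about, so a floating VIP also has to exist as a secondary IP configuration on the active NIC or be the frontend of an internal load balancer with floating IP. The script below is an added monitoring example, not code from the post or from the keepalived project: it parses `ip a` output collected from each node (constructed copies of the two outputs in the post are embedded) and reports whether the VIP is held by exactly one node, by none, or by several. The host names `pxy01`/`pxy02` are labels chosen here.

```python
import re

# Constructed copies of the `ip a` output from the two nodes in the post, trimmed
# to the eth0 block; the output of `ip -4 addr show` on any Linux host works as input.
IP_A_MASTER = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0d:3a:25:dc:14 brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.39/27 brd 10.20.1.63 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.20.1.51/32 scope global eth0
"""

IP_A_BACKUP = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0d:3a:25:01:77 brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.40/27 brd 10.20.1.63 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.20.1.51/32 scope global eth0
       valid_lft forever preferred_lft forever
"""

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def addresses(ip_a_output):
    """Return {ipv4_address: interface} for every `inet` line in `ip a` output.

    The address token is "10.20.1.51/32"; the interface is the last token on the line.
    """
    found = {}
    for line in ip_a_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet":
            ip = parts[1].split("/")[0]
            if IPV4.match(ip):
                found[ip] = parts[-1]
    return found


def vip_holders(vip, outputs):
    """Sorted list of host names whose `ip a` output carries the VIP.

    `outputs` maps host name -> captured `ip a` text.
    """
    return sorted(host for host, text in outputs.items() if vip in addresses(text))


def check_vip(vip, outputs):
    """Classify VIP ownership across the cluster.

    Returns ("ok", holders) when exactly one node holds the VIP,
    ("absent", []) when no node holds it, and ("split-brain", holders)
    when more than one node holds it, which is the state shown in the post.
    """
    holders = vip_holders(vip, outputs)
    if len(holders) == 1:
        return "ok", holders
    if not holders:
        return "absent", holders
    return "split-brain", holders


if __name__ == "__main__":
    cluster = {"pxy01": IP_A_MASTER, "pxy02": IP_A_BACKUP}
    state, holders = check_vip("10.20.1.51", cluster)
    print(state, holders)  # split-brain ['pxy01', 'pxy02']
```

Running this periodically (for example from a cron job that collects `ip -4 addr show` over SSH from each node) turns the symptom in the post into an alert; a result of `split-brain` after switching to unicast advertisements would point at a firewall or NSG rule blocking VRRP (IP protocol 112) between the nodes rather than at the multicast limitation.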


More than 128 Azure Point-to-Site connections?


Hi All, 

I'm currently working with a customer to design a Windows 10 AlwaysOn VPN solution.

In order to keep infrastructure to an absolute minimum, I was hoping to recommend that we use an Azure Virtual Network Gateway as the VPN endpoint. However, they have around 200 users and I'm aware that a single Azure VNG only supports up to 128.

Is there any other way that we could get more than 128 clients to work with Azure VNG(s)?

The customer will be using a hub-spoke topology. One idea I had was to deploy multiple 'core' VNETs and VNGs, and then use Traffic Manager to load balance clients between the 2 VNGs. Although I think this would work technically, it's not a practice that I've seen or heard of being done before.

Thank you in advance

Jon

Static MAC Address for Azure VM using Loopback NIC?


I'm trying to find out if it's possible to either assign a static MAC address to a NIC of an Azure (ARM) VM, or if it's still possible to add a second NIC as a loopback adapter.

A client is using an Azure VM to host a 3rd party application which binds its license to the VM's MAC address. At the moment the MAC address changes occasionally, which stops the application from working.

If we can assign a static MAC or use a loopback adapter (as per some older posts) we can stop this problem from occurring in the future.

Cheers for now

Russell

IPv6 Support in Application gateway


Does Azure support IPv6 with Application Gateway? If yes, kindly let us know how to configure it.

How to verify account


Apparently I can't include an image until my account has been verified...

...But I can't see a link anywhere to allow that to happen.

So: How does one verify an account on these 'ere forums?

Global Deployments: Is Multi-tenant or Intra-tenant locations the best way to go?


I have been tasked with building a PoC in Azure to "simulate" a future global deployment where data transfer time is an important factor. The actual deployment will be using fully on-prem resources. So, as odd as it sounds, I am looking for the worst performance possible between the two options.

Architecture A (single tenant):

  1. Create a single Azure tenant in the US region
  2. Create a Resource Group with a US-based location
  3. Create another Resource Group with an EU-based location

Architecture B (dual tenant):

  1. Create an Azure tenant in the US region with a US-based RG
  2. Create an entirely separate Azure tenant in an EU region with an EU-based RG

Would the dual-tenant structure above make any measurable difference one way or the other from the single-tenant (assuming all vNetwork, VMs, etc are identical)? I am thinking the single-tenant setup would be faster since (presumably) the traffic never leaves the Azure Service Fabric. But that's just speculation.

ASA5516 9.8(2) IKEv2 negotiation aborted due to unsupported failover version


I have a site to site connection from the ASA to an Azure subscription. The site to site session starts up fine, but after a few minutes (from 3 to 25) the connection fails. If in ASDM I open Monitoring > VPN > VPN Statistics > Sessions, the session is still there, but no communication (e.g. ICMP, RDP, ...) can be performed. If I log out the session, communication is re-established, until the next failure a few minutes later.

Every time the connection fails, I observe this warning on the syslog:

4 Sep 18 2018 17:40:58 750003 Local:80.x.y.z:500 Remote:51.a.b.c:500 Username:51.a.b.c IKEv2 Negotiation aborted due to ERROR: Detected unsupported failover version

This is the configuration I have used to setup the site to site connection on the router:

object network HQ-LAN
 subnet 10.0.0.0 255.0.0.0
 description The HQ local network address space on premise
object network Azure-UKSouth-LAN
 subnet 172.16.0.0 255.255.0.0
 description Azure virtual network address space on UKSouth Azure
object-group network AzureLabNet-network
 description Azure AzureLabNet Virtual Network
 network-object object AzureLabNet-LAN
object-group network HQ-network
 description HQ on-premises Network
 network-object object HQ-LAN
object-group network HQ-UKSouth-network
 description The HQ Azure UK South network
 network-object object HQ-UKSouth-LAN
access-list uksouth-s2s-acl extended permit ip object-group HQ-network object-group HQ-UKSouth-network 
nat (LAN,INTERNET) source static HQ-network HQ-network destination static HQ-UKSouth-network HQ-UKSouth-network no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto map CRYPTO-MAP 2 match address uksouth-s2s-acl
crypto map CRYPTO-MAP 2 set peer 51.a.b.c 
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal UKSouth
crypto map CRYPTO-MAP 2 set ikev2 pre-shared-key *****
crypto map CRYPTO-MAP 2 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 2 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET

crypto ca trustpool policy

crypto ikev2 policy 2
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable INTERNET
group-policy AzureGroupPolicy-UKSouth internal
group-policy AzureGroupPolicy-UKSouth attributes
 vpn-tunnel-protocol ikev2 

dynamic-access-policy-record DfltAccessPolicy
tunnel-group 51.a.b.c type ipsec-l2l
tunnel-group 51.a.b.c general-attributes
 default-group-policy AzureGroupPolicy-UKSouth
tunnel-group 51.a.b.c ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 51.a.b.c

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

From the Azure side, the site to site connection uses custom policies:

$RG = "RG"
$ConnectionName = "UKSouth-HQ-S2S"

$connection = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup ECP256 -IpsecEncryption GCMAES128 -IpsecIntegrity GCMAES128 -PfsGroup ECP256 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 2048

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy

Any suggestion on how to prevent this communication failure?
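The post shows both ends of the tunnel, which makes it possible to check the one thing that is always worth ruling out on a tunnel that comes up and then stalls: proposals that only partly overlap, so that the initial negotiation succeeds but a later rekey does not. The script below is an added diagnostic, not code from the post, from Cisco or from Microsoft. It parses the relevant lines of the ASA fragment and the parameters of the `New-AzureRmIpsecPolicy` call (constructed copies of both are embedded), maps the ASA keywords onto the Azure policy names (the mapping tables are my own; on the ASA a bare `encryption aes` is AES-128-CBC), and lists every setting where the two sides disagree. Whether any listed difference is the cause of the failover-version error is not something the post establishes; the output is a checklist for the next troubleshooting step.

```python
import re

# Constructed copy of the ASA lines from the post that the comparison needs.
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map CRYPTO-MAP 2 set peer 51.a.b.c
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal UKSouth
crypto map CRYPTO-MAP 2 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 2 set nat-t-disable
crypto ikev2 policy 2
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 28800
"""

# Constructed copy of the Azure policy command from the post.
AZURE_POLICY_CMD = (
    "New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup ECP256 "
    "-IpsecEncryption GCMAES128 -IpsecIntegrity GCMAES128 -PfsGroup ECP256 "
    "-SALifeTimeSeconds 3600 -SADataSizeKilobytes 2048"
)

# ASA keyword -> Azure policy value (assumed mapping). Plain "aes" on the ASA is AES-128-CBC.
ENC = {"aes": "AES128", "aes-192": "AES192", "aes-256": "AES256",
       "aes-gcm": "GCMAES128", "aes-gcm-192": "GCMAES192", "aes-gcm-256": "GCMAES256",
       "3des": "DES3", "des": "DES"}
INTEG = {"sha": "SHA1", "sha-1": "SHA1", "sha256": "SHA256", "sha-256": "SHA256",
         "sha384": "SHA384", "sha-384": "SHA384", "md5": "MD5"}
DH = {"2": "DHGroup2", "14": "DHGroup14", "19": "ECP256", "20": "ECP384", "24": "DHGroup24"}
PFS = {"group2": "PFS2", "group14": "PFS14", "group19": "ECP256", "group20": "ECP384", "group24": "PFS24"}


def parse_asa(text):
    """Extract the IKEv2 policy, the ipsec-proposals and the crypto map 'set' entries.

    Indented lines belong to the most recent top-level policy/proposal command.
    """
    cfg = {"ike": {}, "proposals": {}, "map": {}, "sa_kilobytes": None}
    section = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] != " ":  # top-level command
            section = None
            if w[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
                section = cfg["proposals"].setdefault(w[4], {})
            elif w[:3] == ["crypto", "ikev2", "policy"]:
                section = cfg["ike"]
            elif w[:2] == ["crypto", "map"] and "set" in w:
                rest = w[w.index("set") + 1:]
                if len(rest) == 1:  # bare flag such as nat-t-disable
                    cfg["map"][rest[0]] = True
                else:  # "set ikev2 ipsec-proposal UKSouth" -> {"ikev2 ipsec-proposal": "UKSouth"}
                    cfg["map"][" ".join(rest[:-1])] = rest[-1]
            elif w[:5] == ["crypto", "ipsec", "security-association", "lifetime", "kilobytes"]:
                cfg["sa_kilobytes"] = int(w[5])
        elif section is not None:
            # " protocol esp encryption aes-256" -> {"encryption": "aes-256"}
            # " encryption aes" -> {"encryption": "aes"}; " lifetime seconds 28800" -> {"lifetime": "28800"}
            key = w[2] if w[:2] == ["protocol", "esp"] else w[0]
            section[key] = w[-1]
    return cfg


def parse_azure_policy(cmd):
    """Turn the -Parameter Value pairs of a New-AzureRmIpsecPolicy call into a dict."""
    return dict(re.findall(r"\s-(\w+)\s+([^-\s]\S*)", cmd))


def compare(asa, azure, proposal=None):
    """Return one line per setting on which the ASA fragment and the Azure policy differ.

    `proposal` defaults to the ipsec-proposal the crypto map references.
    """
    findings = []
    ike, cm = asa["ike"], asa["map"]
    rows = [
        ("IKE encryption", ENC.get(ike.get("encryption")), azure.get("IkeEncryption")),
        ("IKE integrity", INTEG.get(ike.get("integrity")), azure.get("IkeIntegrity")),
        ("IKE DH group", DH.get(ike.get("group")), azure.get("DhGroup")),
        ("PFS", PFS.get(cm.get("pfs"), "None"), azure.get("PfsGroup", "None")),
        ("IPsec SA lifetime seconds", cm.get("security-association lifetime seconds"),
         azure.get("SALifeTimeSeconds")),
    ]
    name = proposal or cm.get("ikev2 ipsec-proposal")
    prop = asa["proposals"].get(name)
    if prop is None:
        findings.append(f"crypto map references ipsec-proposal '{name}', which is not defined in the fragment")
    else:
        rows += [
            ("IPsec encryption", ENC.get(prop.get("encryption")), azure.get("IpsecEncryption")),
            ("IPsec integrity", INTEG.get(prop.get("integrity")), azure.get("IpsecIntegrity")),
        ]
    findings += [f"{label}: ASA={a} Azure={z}" for label, a, z in rows if a != z]
    kb_asa, kb_azure = asa["sa_kilobytes"], azure.get("SADataSizeKilobytes")
    if kb_asa is not None and kb_azure is not None and kb_asa != int(kb_azure):
        findings.append(f"IPsec SA data lifetime: ASA={kb_asa} KB Azure={kb_azure} KB "
                        "(rekey is triggered by whichever side reaches its limit first)")
    return findings


if __name__ == "__main__":
    asa = parse_asa(ASA_CONFIG)
    azure = parse_azure_policy(AZURE_POLICY_CMD)
    for line in compare(asa, azure, proposal="AZURE-TRANSFORM-2"):
        print(line)
```

With the post's values the default comparison reports that the crypto map points at a proposal (`UKSouth`) that is not in the shown fragment, that the ASA crypto map sets no PFS group while the Azure policy requires ECP256, and that the two data-size lifetimes differ by several orders of magnitude (2048 KB on the Azure side means a rekey after roughly 2 MB of traffic); comparing against the proposal that is defined (`AZURE-TRANSFORM-2`) adds the AES-256-CBC/SHA-256 versus AES-GCM-128 mismatch for phase 2.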

ExpressRoute Private Peering - Static route instead of BGP ?


Is it possible to connect a VNET to an ExpressRoute private peering and route it with static routes from the on-premises router? Or do I need to have BGP-enabled routes on-premises?

Thx, Magnus


Transfer DNS to Azure while keeping site hosted on AWS


From Fernando Moreira @Fernand49453039 via Twitter

Hi, how can I insert a top-level A record pointing to an AWS-hosted site?

We are moving our DNS from Amazon to Azure, but the site is still hosted in Amazon.

How can I transfer the A record to Azure?

Submitted via DM
Thanks,
@AzureSupport

AWS to AZURE VPN Connection Issue


I'm trying to establish a connection between AWS and Azure. All the steps required for the VPN connection have been worked through for Azure and AWS. Still, the status is displayed as Connecting in the Azure Virtual Network Gateway. I have also run the diagnostics and troubleshooting on my Virtual Network Gateway, but now the status is displayed as Unhealthy. Please provide any solution or support on this. I kindly request everyone to help me out with this.

Thanks.

Ping Network Address in Azure

 I have a VNet in Azure that has an address space of 10.2.0.0/16. I also have S2S VPN to my subscriptions. As part of testing the connectivity I was instructed to ping 10.2.0.0. It was successful but I do not understand how I am able to ping the network address. What exactly am I hitting when I am pinging this?

Load Balancer reports incorrect public IP Address?


Hi MS Team:

I have a Windows VM with a single NIC (private IP address only) set up behind a load balancer with a public IP address. The public IP address has never once changed since I first set the thing up and, at least according to the Azure portal, it still hasn't changed. However, if I log into the VM and use a third-party website to report my public IP address, it reports a different IP. On top of this, I have an NSG inbound rule set up restricting access to certain ports on the VM to just this VM (via the Internet, not localhost) and, as of this morning, the VM can no longer access itself on those ports (as if the public IP address has changed).

Any thoughts or suggestions?

Thanks in advance,

Mosh

How to configure azure External Load Balancer for SOFS on top of VM


Hi Guys,

I followed this article to configure SOFS on top of Azure VMs: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-storage-spaces-direct-deployment

After the SOFS setup finished, I can access the file share by DNS name (\\sofs\share) from another VM, but I cannot access the file share by IP address (\\10.200.131.5\share); I think this is an anomaly in Azure. Given this, I tried to configure an Azure external load balancer, but it is not working.

How do I configure a Scale-Out File Server using an external Azure load balancer?

Please help me solve this issue.

thanks

Hendra 

Load balancer confusion - for direct RDP access to VM


Seeking clarification on how best to allow direct RDP access to Azure VMs (despite security concerns).

I'm moving 6 VMs to a new subnet and subscription. Currently each VM has its own load balancer, with NAT to forward incoming traffic on a port (e.g. 5989) to the associated VM.

Should I copy this model in the new environment, or assign each VM NIC a public IP and configure an NSG? Can I use one load balancer for all 6 VMs?

ipsec configuration question (between a fortinet and azure)


Hi,

In IPsec phase 2,

should I match the list of networks with the Azure address space or with the Azure subnets?

Thank you

Marc

connecting azure to the lan (existing vm are not listed)


hi,

I just created a VPN between Azure and the company.

When trying to troubleshoot (menu: connection troubleshooting),

I noticed that no existing VMs were available;

even the resource group is empty.

What have I done the wrong way?

Marc

Not able to ping VMs over ETH1,2 interface in different region and different VNets connected to each other via VNet Peering or VPN Gateway


Not able to ping VMs over ETH1,2 interface in different region and different VNets connected to each other via VNet Peering or VPN Gateway.

I have one VNet created in West US and another VNet created in Central US.

There are 2 Subnets created in each VNet and 1 VM in each region.

Each VM has two NIC cards associated with it.

Eth0 has the first subnet assigned and Eth2 has the second subnet assigned.

After this, I created VNet peering to connect these networks.

I am able to ping eth0 interface from VM1 to VM2 and vice-versa.

But I am not able to ping eth1 interface from VM1 to VM2 and vice versa.

Setup is as below:

  • VNet-1: 10.234.0.0/16
    • Subnet-1: 10.234.1.0/24
      • Eth0 IP: 10.234.1.5/24
    • Subnet-2: 10.234.2.0/24
      • Eth1 IP: 10.234.2.4/24


  • VNet-2: 10.235.0.0/16
    • Subnet-1: 10.235.1.0/24
      • Eth0 IP: 10.235.1.5/24
    • Subnet-2: 10.235.2.0/24
      • Eth1 IP: 10.235.2.5/24

Eth0 IPs are reachable across VNets but Eth1 IPs are not reachable across VNets.

I have also tried a similar setup using a VNet-to-VNet VPN gateway instead of VNet peering.

The same observation was made there too.

VPN P2S authentication with especific enterprise certificate


I have got the P2S VPN client working with smart cards, but I have not been able to make the P2S VPN authorize only specific client certificates rather than all certificates issued by the CA identified by the root certificate registered in the P2S VPN definition. How do I make it so that only specified certificates can connect with the VPN client to the P2S VPN gateway, not all certificates issued by the root certificate?

Facing issue while setting up Site-to-Site VPN between Azure and an on premise Check Point Security Gateway


I'm trying to set up a policy-based VPN between Azure and an on-premises Check Point Security Gateway, but I am unable to set up the connection. IKE version 1 is recommended by the firewall vendor (Check Point), but when I try to provision the VPN gateway, only four device vendors are available under the configuration download (Cisco, Juniper, Ubiquiti and Generic sample).