Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

private IP and NSG ports


If I have a VM with 2 interfaces, one for public access, one for private access. Both are within the same VNet but in separate subnets.

I have two NSGs, one locked down for the public access and attached to the public interface, and one not so locked down for the private interface.

Is there still a risk of external traffic traversing the inbound rules on the ports if they are set to any/any on the private interface?

If so...how?

 

Migrating from Classic Cloud Service - With Reserved IP Address


Hello,

I have a classic Cloud Service Web App that is utilizing a Reserved IP Address. We offer LDAP authentication as an option, and we provide the Reserved IP address so our customers can whitelist the address. 

I'm migrating to an ARM App Service, and would like to bring that Reserved IP address along. Is that possible?

Thanks for the help!

VM in VNet connected to ExpressRoute can't connect to internet


Hi all, I have an ExpressRoute connecting an on-prem network to a VNet.  I have an Ubuntu VM in that VNet which I can successfully SSH to, ping etc from my workstation.  However this VM cannot access the internet.  I can't see anything in the NSG attached to the VNet that appears to be blocking outgoing traffic but I'm no expert at this so who knows.  FYI the VM does not have a public IP (dictated by policy) and a static local IP. 

How can I start debugging blocked outgoing traffic from a VM?

Unable to delete Virtual Network, Network Interface, VirtualNetworkTap


I have a virtual network "abc" created with connected devices, a subnet (default), and an address space.

And a network interface "xyz" created with virtual network "abc" with the default subnet and a NetworkTap.

All of the above resources are in a single resource group. I want to delete the resource group with all resources, not even deleting any resources individually.

Please help me out with these issues.


Node selection through Application Gateway


Our developers and I&O team are interested in migrating from our F5 to an application gateway. We currently use an F5, and occasionally developers or I&O want to connect to a specific node behind the F5 without modifying their local hosts file to connect to the machine directly. We set up a special cookie that, when set, will route the traffic to a specific node based on the cookie content.

It looks like this:

NodeSelect=Node1

Is it possible to set up an azure application gateway in the same manner? I have been unable to find a way to route traffic to a specific node other than perhaps setting up URL based routing to a specific POOL based on the URL. I suppose I could try to create a separate pool for each node, but I'd still prefer cookie based node selection rather than URL.

VNet Peering across Azure Tenant


Hi,

One of my customers wants to connect two Azure VNets between their tenant and the tenant of one of their business partners. Can we use VNet Peering? Azure VPN Gateway has a bandwidth limitation and they need to exchange streams with a 10 Gb line.

Any advice or recommendation?

Thanks

Christophe

Difference Between VPN gateway and on premise data gateway


Please tell me the difference between both gateways: Virtual Private Network gateway (Site-to-Site) and on-premise data gateway.

Both gateways connect public cloud to on-premise location.


sakshi mittal

How do you block a URL path with Azure Application Gateway?


I'm currently testing out Azure Application Gateway (Standard v2).

What I'm trying to do is block / blackhole / reject traffic that hits example.com/manager/, or example.com/admin/*, etc.

I'm sure this probably could be done with an additional web server and path-based rules pointing to it, but that seems a bit excessive for what I'm hoping would be native functionality or options to take care of this.

I found a post on TechNet that asked a very similar question, but unfortunately has no answer. https://social.technet.microsoft.com/Forums/en-US/d5093237-36ce-4082-99c9-f14dd3faf715/block-a-url-path-with-azure-application-gateway?forum=websitesvirtualmachinesonwinserver&prof=required

Thank you!


Is there a way to kill a P2S client connection - before we revoke a client cert?


We have a client (on Azure classic), using P2S VPN; each client has their own client cert on the SSTP VPN. For a fired employee, how do we immediately kill the VPN "connection" for that one user so when they try to reconnect, our revoked cert takes over to block them? During all this, we would be removing rights to server resources but want to kill the VPN connection at the same time.

Are VPN, vNet2vNet, vNet Peering okay across different subscriptions of different organization(account)?


As the title says, are VPN, vNet2vNet, vNet Peering okay across different subscriptions of different organizations (accounts)?

I would like to connect two vNets from different regions, subscriptions and organizations. I have tried lots of methods with PowerShell and they do not seem to work. So please advise me.

Thank you.

rdp session not working on DMZ host


Hi

I am trying to play with traffic flow on a Palo Alto firewall with UDR. I created three interfaces (trusted, untrusted, DMZ) in a virtual Palo Alto firewall. I also created an NSG for each interface subnet allowing RDP traffic. I have a host in the DMZ subnet NATted to a public IP. That public IP is configured as a secondary IP on the untrusted interface of the firewall (not sure if it's the right way). I configured the NAT and ACL inside the firewall to allow RDP access from a specific source IP (my home PC). When I try to RDP to that DMZ host, it fails. When I check the firewall log, it shows the traffic gets hit on the firewall and it fails. When I check the Azure IP Flow tool providing local IP, remote IP and ports, it shows traffic successful. Can somebody give me some tips on how I can troubleshoot traffic flow inside Azure and nail down where it's being blocked?

When I bypass the UDR and map the DMZ host directly to the public IP and try to RDP, it works just fine.

support NVA without NAT for INTERNET access


Hello!

I am trying to set up a custom NVA (a simple router with application-specific functions) for my Azure VNet.

My network:

internet <->subnet 1 with NIC1(NVA) <-> subnet 2 with NIC2 (NVA)  and VM 

I wish to filter the VM's traffic to/from the internet in the NVA.

As far as I understand, I can use a UDR to route outgoing traffic from the VM to the internet via the NVA (and I also set the forwarding flag on the NVA NICs). This step works.

But after that I have a problem. My simple NVA just forwards packets from one interface to another (it's a simple router), so a packet from NIC2 (with the src IP of the VM and the dst IP of the internet service) is forwarded to NIC1 and sent to subnet 1 with the original src IP (with the src IP of the VM and the dst IP of the internet service), and I can't see any answer from the internet service.

So I have questions:

- Can I create a working solution for my case (when the NVA is not using NAT)?

- Can somebody tell me why my traffic is dropped somewhere and I cannot see an answer in the VM? (I understand that traffic must not go through my NVA, but why can I not see an answer?)

- Does the Azure roadmap have any plan to support source-based routing policy (as Linux has) in UDR?

How to connect vnets across regions

How to connect Vnets across regions

Multiple ExpressRoutes & VPN Site-to-Site


Hi Everyone,

I do have an ExpressRoute in place, but I need to add one more in addition to an IPsec VPN. Where and how do I control my routing? Right now, the ExpressRoute is going to on-prem only. How can I control the egress traffic in Azure? All the traffic is going to the hub VNet (I have VNet peerings to the hub VNet), but from there where and how do I define the traffic?

Thank you

How to map custom domain to public ip


Hi,

I created a VM behind an Azure Load Balancer. I want to use a custom domain for the Load Balancer public IP. For example, I want to access a URL like 'xx.mvg.com' instead of the Load Balancer public IP from the internet. How can I do it?

I tried following the reference link 'https://docs.microsoft.com/en-us/azure/dns/dns-custom-domain' but it is still not working.

Please recommend how to register the domain name I wish. I want to map my domain name to my application running on a VM behind an Azure Load Balancer.

And does Azure have an internet domain registrar service?

Thank you,

za_phu


Question about vNet Peering across region.


I have a vNet in Thai with one subscription ID. And I have another vNet in Hong Kong with another subscription ID and gateway with VPN connected to another network. They are policy gateway. All the resources are running.

I would like to sync the vNets but I don't know how to do it with the mentioned link.

Is Global vNet peering suitable in this case?

Can you please advise me?

Unable to connect to a VM via name, only via IP address.


Unable to connect to a VM via name, only via IP address.

Any ideas how to resolve this?

Thank you 

Decio


Azure Load Balancer


I want to authenticate all my requests that pass through the Azure Load Balancer. And I want the authentication to be done at the load balancer level. Is there a way to configure Azure Load Balancer with OIDC authentication? If so, how?

Another thing: I want the load balancer to let the requests pass through it if and only if the request is for a particular domain name like xyz.com, but it must ignore the remaining requests. Is that possible? If so, how?
Note: xyz.com will be mapped in our DNS service.

Is there a list of FQDNs for NSG Service tag?

I used Firewall and NSG in Azure to create a closed network.
However, some applications require Azure login using Service principal. 

NSG allowed Azure AD Service tags, but I wonder what FQDN should be allowed in the firewall.

SOA Serial number not updating


Hello,

I've created and imported some reverse DNS zones into Azure DNS.

However now, when I make a change to the DNS records, the serial number is not incremented for both the newly created zones and the imported zones (which had the serial number imported).

I tried waiting a while and refreshing the views, but the serial number doesn't change.

Is that normal behavior in Azure?
