Currently our team trying to automate ExpressRoute provisioning and configuration using Azure Management API and we are experiencing the error The resource type could not be found in the namespace 'Microsoft.Network' for api version '2019-07-01'.

We tried a few different API versions and issue seems to be across versions. We found the below operations/ calls are working alright under the same namespace;

However, not the list of operations below;

• express route gateways
• express route cross connections
• express route connections
• express route cross connection peerings
• express route links

We also verified by executing the Powershell command

(Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Network).ResourceTypes

which also seems to be missing the operations under Microsoft.Network provider. This looks like a bug in the Azure Management API where it is missing some sort of linkage/ relationship. The error we experience seems to be consistent with the docs portal when using the 'Try It' as well

e.g.: https://docs.microsoft.com/en-us/rest/api/expressroute/expressroutecrossconnections/get

{
  "error": {
    "code": "InvalidResourceType",
    "message": "The resource type could not be found in the namespace 'Microsoft.Network' for api version '2019-07-01'."
  }
}

Andrej Rosic

Our subscription has multiple ResourceGroup. We have 1 SLB in each ResourceGroup and associated with 1 VMSS backendpool.  

For blocking the traffic – removing the load balancer rules had work flawless, but we need to redirect the traffic to a maintenance page.

Using a VM with the maintenance page and adding it in a backend pool would not help as it can be associated for one backend pool and it should be part of same VNET

We have multiple SLB, and hosting a maintenance VM across multiple RG and VNET is difficult. I am looking for a way to re-direct the traffic to a common place which can be used across all the SLB’s.

Could you please help.

Anand

Apparently I can't include an image until my account had been verified...

...But I can't see a link anywhere to allow that to happen.

So: How does one verify an account on these 'ere forums?

Hi Experts,

I need to create a VPN between AWS and Azure. A resource in AWS needs to connect to a SQL server in an Azure Vnet. The problem is, I cannot create my VPN connection within the AWS VPC based on the Azure address space and vice versa. So let's say my VPC is 10.0.0.0/16 and my Azure Vnet is 192.168.10.0/24. For complicated reasons, in AWS I cannot set up the VPN based on 192.168.10.0/24 being the 'customer' address space. Essentially, I have a need to create a very large number of VPN connections to multiple networks, at somer point or another I'll overlap. 

My current work around is to use a generic range of Ip addresses (let's say 10.240.0.0/12) and route matching traffic to my VPG via route tables. I then set up my customer gateway and VPN connection. In my VPN connection, I set a static route for let's say 10.240.0.1/32. I have tested this theory with an on-prem VPN solution. It works fine but of course, I have to NAT 10.240.0.1 to the private IP of my SQL server. This is the route the traffic takes (as far as I understand):

Resource looks for 10.240.0.1 for SQL server. Route tables tell traffic it needs to go to the VPG. Static route tells traffic to go through my VPN connection. VPN device at the other end translates the destination to let's say 1192.168.10.15. Traffic lands at SQL server.

So in Azure, I have replicated this process and successfully created a VPN connection with two tunnels. However I can't work out how to translate the traffic. I have tried a loadbalancer and route tables to no effect. Can anybody suggest how I can DNAT?

Hi

I'm trying to configure a proof of concept.

At the moment i can not get firewalls to test with the VPN's. I was planning to get a P2S connected to each Hub but its not allowing me to configure this.

As you can see with the diagram below I have 2 Hubs one in the UK and 1 in the US.

I need to achieve the following.

1. Windows 7 PC's in each Vnet can communicate with each other.
2. User in site 1 can access both PC’s in VNet 1 and VNet 2.
3. User in site 1 can access Windows pcs in site 2,3, and 4.
4. P2S connection to the Hub in region 1 and connect again to both Windows Pc’s and users PC’s in sites 1,2,3 and 4.

Requirement 1

This would not work and I had to peer the two VNets.

Requirement 2

Due to not having the firewalls I’m unable to test at this moment in time. Can someone advise if this would work.

Requirement 3

Due to not having the firewalls I’m unable to test at this moment in time. Can someone advise if this would work.

Requirement 4

Cant even set this up due to errors when it creates the hub after adding the P2S details while doing the initial configuration of the Hub. Any help appreciated. I have tried via the standard Azure portal crated a new Hub and doing the Wizard added the P2S, added certificates and this failed to create the Hub. In the preview portal there is no wizard and I do not have any P2S option available.

I understand this is preview, can anyone advise how to get this working and If I can’t has anyone done this and can verify requirement 4 would work?

Thanks

Mark

Thanks for taking a look at my post.

My overall goal is to cloudify a Line of Business App that uses MSSQL to scan, index, and store documents with the LOB app running on local machines connected to optical scanners.  To that end I have set up an Azure free account and set up an SQL server and file storage.

The customer's only available hi-speed ISP is Comcast Business, which blocks port 445 and therefore throws a monkey wrench into the local machines and the app seeing Azure File Storage as a network share.  To workaround the port 445 block I have read that setting up a VPN would work, so using the built-in Windows VPN client, I have set up an Azure VPN Gateway and installed certificates on Azure and two test workstations, one within the customer's Comcast-connected network and one at another location on Verizon FiOS, which at this writing does not block port 445.

I have been able to get both test workstations (both are W10Pro Build 1703) to connect P2S (point to site) to the Azure VPN Gateway and verified connectivity by noting that ipconfig /all shows the VPN connections are pulling IPs from the range implemented in Azure.

Following Azure docs, I ran the net use command provided in the File Storage share interface on both test wks.  The one connected via FiOS successfully maps the drive to the Azure share***; the one connected via Comcast does not, failing with error 53, which means a port block issue.  Ran PortQuery to the FQDN for the Azure file share and it says that 445 is still "FILTERED" aka blocked.

To eliminate computer based issues, I turned off both the Norton firewall and the Windows firewall and restarted, then reattempted the drive mapping which failed again with the same error 53, and PortQuery still reports port 445 is filtered aka blocked.

Looking for advice on what to check next.  I was under the impression that the P2S VPN would carry port 445 traffic thru the tunnel and escape Comcast's block but apparently that's not the case.  Is it a matter of somehow directing Windows to send port 445 traffic thru the VPN tunnel and not out in the open where Comcast can block it?

***Note that the FiOS connected wks will also map the drive without the VPN be connected, since Verizon does not block port 445.

I am planning of integrating WAF with our Azure services. However, my main agenda is to protect the application against malicious users identified with high risk IPs. I know Azure provides a real time blacklisted IP list that keeps updating with time if we go with their Firewall. I am confused to whether the same service is also available with WAF v1 or v2?

Will highly appreciate any help on this topic.

In the ExpressRoute FAQs, it states "ExpressRoute circuits are configured to allow you to burst up to two times the bandwidth limit you procured for no additional cost."  For clarification by way of example, if I have a 500M ExpressRoute service, is this implying because there is a Primary and Secondary, I can burst by sending 500M to the Primary and overflow to the Secondary up to 500M giving me an aggregate total of 1G (but never exceeding 500M on the Primary or Secondary)?

Or, which I believe to be the case, if I purchased 500M ExpressRoute service, I could potentially burst up to 1G on the Primary, or potentially burst up to 1G on the Secondary (or technically I could potentially send up to 2G in total aggregate).

I'm studying best practices with Azure ExpressRoute:

Hub and spoke method, as explained in Microsoft docs (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke), can be used for example along with ExpressRoute so that different Vnets (spokes) can communicate with hub (Vnet with the ExpressRouteGateway). 

Each Vnet that is spoke can belongs to a subscription of an enrollment that is different from the enrollment (and subscription) related to hub one?

In general, which is the best practice to connect Vnet1 belonging to SubscriptionA1 (enrollment1) with other Vnets (for example with Vnet2(SubscriptionA2, enrollment2), Vnet3(SubscriptionA3, enrollment3) and so on)?

Thank you in advance,

Lorenzo  

HI guys,

Hi having issue with connecting to my vms using S2S VPN

VPN status shows as connected.but when i try to ping or RDP it wont work

Here is the trace route details.can someone help?

------------------------- From CAMMS To UK Azure --------------------

C:\WINDOWS\system32>tracert 172.x.x.x

Tracing route to 172.x.x.x over a maximum of 30 hops

  1     3 ms     2 ms     2 ms  172.x.x.x

  2     3 ms     2 ms     3 ms  116.12.85.97

  3    18 ms    18 ms    17 ms  198.18.23.237

  4    19 ms    19 ms    18 ms  198.18.9.137

  5    19 ms    19 ms    19 ms  tit.f31 [203.143.0.36]

  6    20 ms    19 ms    20 ms  bct.g01 [203.143.1.29]

  7     *        *        *     Request timed out.

  8     *        *        *     Request timed out.

  9     *        *        *     Request timed out.

10     *        *        *     Request timed out.

11     *        *        *     Request timed out.

12     *        *        *     Request timed out.

13     *        *        *     Request timed out.

14     *        *        *     Request timed out.

15     *        *        *     Request timed out.

16     *        *        *     Request timed out.

17     *        *        *     Request timed out.

18     *        *        *     Request timed out.

19     *        *        *     Request timed out.

20     *        *        *     Request timed out.

21     *        *        *     Request timed out.

22     *        *        *     Request timed out.

23     *        *        *     Request timed out.

24     *        *        *     Request timed out.

25     *        *        *     Request timed out.

26     *        *        *     Request timed out.

27     *        *        *     Request timed out.

28     *        *        *     Request timed out.

29     *        *        *     Request timed out.

30     *        *        *     Request timed out.

Trace complete.

C:\WINDOWS\system32>

--------------------------------------------------------------------------

---------------------------- From Azure To local ----------------------

C:\windows\system32>tracert 172.x.x.x

Tracing route to 172.x.x.x over a maximum of 30 hops

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5     *        *        *     Request timed out.

  6     *        *        *     Request timed out.

  7     *        *        *     Request timed out.

  8     *        *        *     Request timed out.

  9     *        *        *     Request timed out.

10     *        *        *     Request timed out.

11     *        *        *     Request timed out.

12     *        *        *     Request timed out.

13     *        *        *     Request timed out.

14     *        *        *     Request timed out.

15     *        *        *     Request timed out.

16     *        *        *     Request timed out.

17     *        *        *     Request timed out.

18     *        *        *     Request timed out.

19     *        *        *     Request timed out.

20     *        *        *     Request timed out.

21     *        *        *     Request timed out.

22     *        *        *     Request timed out.

23     *        *        *     Request timed out.

24     *        *        *     Request timed out.

25     *        *        *     Request timed out.

26     *        *        *     Request timed out.

27     *        *        *     Request timed out.

28     *        *        *     Request timed out.

29     *        *        *     Request timed out.

30     *        *        *     Request timed out.

Trace complete.

C:\windows\system32>

I have a Azure Function App deployed inside of an Azure App Service Environment in a Virtual Network, which I want to expose this Function App to public internet by using some gateway. I tried multiple approaches to get this working, but I am unable to find a concrete solutions to this issue. Reading through some articles on the internet I could find that this can be done in 2 ways 

• Azure Application Gateway 
• Azure API Management

Can someone help with the Exact Steps or Article links to be followed configure Application Gateway / API Management Gateway to achieve this task. 

Note : The Azure App Service Environment is created after May 2019 , so it does not have the provision to Upload the Certificate.

My apologies for this question (I assume it to be a dumb question), but I have spent a bit of time on this and Googling to no avail.

I have an ExpressRoute connection via our provider to our MPLS network. The connection is provisioned and enabled.  I was able to go into the tenant and successfully build a VM.  I cannot reach my MPLS from the Azure network, and I cannot reach the Azure network from the MPLS. 

I did check the ARP table within the Azure ExpressRoute and I can see my MPLS subnets are populated in there.

I thought that perhaps I didn't have a return route defined so just from my PC I defined a static route to the Azure VM subnet and I still cannot reach it either way.

I am sure I am missing something dumb.  Any ideas?

I'm trying to create a P2S VPN connection to my computer but Azure won't save my self-signed root cert . 

1.  I create a private key

>>>oopenssl genrsa -aes256 -out myVPNkey.key

2. I generate a root certificate

>>>openssl req -x509 -sha256 -new -key myVPNkey.key -out myVPNroot.cer -days 1825 -subj /CN="mySubject"

I navigate to the point-to-site configuration page in Azure, paste my certificate data into the appropriate field, give it a name and hit save.

Azure starts trying to save then barfs up an incomprehensible error message:

"Failed to save virtual network gateway 'myAzure_ng'. Error: Operation 0461be90-996c-4643-b0b1-f3e8a01c8e92 not found."

Nevermind. Looks like 'Resolve-DnsName' works with Azure functions.

--------------

Hi,

I want to setup a Network Security Group rule to allow incoming traffic to a VM from one of our office locations. The issue is that the IP in the office location is dynamic, so it is not reliable to just use the current IP as it will change.

I have setup DDNS to store the office's IP in a subdomain/A record, e.g. sub.domain.com.

It's not possible to use FQDNs in network security group rules, only IPs. So I thought to write a script which runs regularly to update the rule with the latest IP from DNS records.

// set NSG name
$NetSecGrp-Name = NSG1
// set RG name
$ResGrp-Name = RG1
// set NSR name
$NetSecRul-Name = AllowIncomingRDP
// set IP
$Dyn_IP = Resolve-DnsName -Name sub.domain.com -Type A -DnsOnly //fix this to get IP only

$nsg = Get-AzureRmNetworkSecurityGroup -Name $NetSecGrp-Name -ResourceGroupName $ResGrp-Name
$nsg | Get-AzureRmNetworkSecurityRuleConfig -Name $NetSecRul-Name
Set-AzureRmNetworkSecurityRuleConfig -Name $NetSecGrp-Name -NetworkSecurityGroup $nsg -Access "Allow" -SourceAddressPrefix $Dyn_IP

Now, the problem is that 'Resolve-DnsName' is not recognised on Azure powershell. How can I get a domain's IPv4 address/A record?

Thanks

Hi, I nethogs my ubuntu and found that there are many programs that download data with a stable rate. This already sum up to more than 3Gb network in total from my VM started. These programs are not my client or services. This is really a big data using. But I could not understand what these programs are? And why they download data always? Could someone help me to figure this out please? Thanks very much. ^-^

I could not attach a pic. The programs look like this:

PID USER     PROGRAM                    DEV        SENT      RECEIVED
      ? root     ...0.1.4:42092-52.239.129              0.297       7.404 KB/sec
      ? root     ...0.1.4:42080-52.239.129              0.297       7.404 KB/sec
   1522 root     python3                    eth0        0.299       2.036 KB/sec
      ? root     ...0.1.4:48906-52.239.227              0.299       2.023 KB/sec

Let’s say that I have a Azure instance with a security group, for example, that denies all UDP traffic. Suppose that there is a UDP DDoS attack, with very high UDP bandwidth. Do I pay for that security group filtered traffic (denied DDoS UDP) or is the filtered traffic considered as no additional charge?  Thanks!