Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

2 vnets .... best way to block everything but a few select ports?


Right now I have 2 VNets that are peered, but one of them is supposed to be a DMZ subnet with only a couple of ports going back to the "internal" subnet, i.e. DNS, AD trust and a few other ports.

What is the best way to achieve this? We are putting up the base infrastructure right now, so I want to get it right before it goes to production.


Chaos causes progress, Order inhibits it.


RDP via Point-to-site VPN


Hi All,

Does anyone know of a good guide, or can provide some advice, on how to go about using RDP to log into an Azure Virtual Machine via an Azure point-to-site VPN?

I have set up the below following the guides on docs.microsoft.com.

The VPN works and I can connect to it from my computer with an IP of 172.16.25.2, and it shows as connected in Azure.

But I am unable to ping or RDP to the Azure Virtual Machine (I have checked the Azure Virtual Machine firewall, and RDP and ping are enabled).

If I tracert 10.100.0.4 with the VPN disconnected, it tries to go out via my route (as expected), but when I connect the VPN and try again I get:

*            *            *            Request timed out.

So, it does appear to be trying to route through the VPN, but it can't seem to get to VDI.

Environment Details

Azure Virtual Network
    Name: VN-01
    Address Space: 10.100.0.0/16
    Subnets:
        Default           10.100.0.0/24
        GatewaySubnet     10.100.1.0/24

Virtual network gateway
    Name: VN-01-GW
    Type: Route-based
    Point-to-site configuration:
        Address Pool: 172.16.25.0/24
        Tunnel type: IKEv2 and SSTP
        Authentication type: Azure Certificate

Azure Virtual Machine
    Name: VM-01
    Type: Windows 10
    IP: 10.100.0.4
    Virtual network/subnet: VN-01/default



Simple URL redirection with Azure Application Gateway


Hi, I would like to configure a simple redirection within my Application Gateway. In my case, I have several VMs running a Tomcat with several webapps. When I call the public IP of the gateway, I get to the Tomcat landing page. I would like to redirect it to a webapp of my choice, so to "<IP>/<webapp>".

Azure Firewall deployment/update fails with existing Express Route Gateway Connection


Hi.

I cannot deploy a new, or update an existing, Azure Firewall when an ExpressRoute gateway with a connection is present. If I delete the connection, I can deploy or update (e.g. create a new network rule collection) the Azure Firewall.

The setup is quite simple:

HUB VNet
  gateway subnet with the ER-gateway
  FirewallSubnet

Has anyone experienced the same?

Best regards
Andreas

Azure Network Security Group Versus Linux VM Firewall


Hello Gurus,

I have created a virtual machine, attached the security group and configured the ports my applications require. The NSG is allowing traffic on the required ports from my other VMs. However, I observed that unless I disable the firewall on the first VM, or allow the specific ports on the VM where my service is running, I can't reach the service from another VM. I get an error "No route to host x.x.x.x is the port x.x.x.x reachable?"

Has anyone faced a similar issue? If we have to disable the firewall, what is the purpose of configuring the inbound/outbound security rules at the NSG?

Thanks,

Murali

Delete a Resource Link from a Subnet/VNet


Hello,

I have an API Management which was connected to my Virtual Network. I want to change this, so I have changed the Virtual network setting to Off.

My subnet being useless now, I want to delete it, but the portal tells me it failed: the subnet is in use by the API Management.

I have checked in resources.azure.com, and I can still see the resource link active while the API Management is not in any virtual network.

I tried to use the REST API call from this doc https://docs.microsoft.com/en-us/rest/api/resources/resourcelinks/get
But I get an unauthorized error. The GET call works, so the access seems right.

Do you have an idea how I could remove this ghost link?

Kind regards,

Teddy

NSG drops NIC after associating PIP


Hi all,

Ok, this is the situation, and I would like to know if this is intended behaviour or not. I have a running machine that needs to communicate with the outside world for reasons. To minimise downtime I do the following:

Deploy Public IP (PIP),
Deploy Network Security Group (NSG),
Associate NSG to existing NIC 'Some_Nic_nic0',
Associate PIP to existing NIC 'Some_Nic_nic0'.

This all seems to work just fine, no errors, and the reason I do it in this order is to prevent the machine from being on the open internet for even a second.

However, when you do this, it seems that the moment you associate the PIP with the NIC, the NSG drops the link with the NIC. Meaning, if you do not know this, your machine will be on the internet without any NSG in front of it.

Anyone know if this is intended or is this an actual bug?
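The four-step sequence above, written out as an added Az PowerShell example (not the poster's code): the NSG and the public IP are attached to a freshly read NIC object in one update, and the NIC is re-read afterwards to confirm the NSG reference is still there. The resource group, location and resource names are placeholders.

```powershell
# Added example; 'rg-example', 'westeurope', 'nsg-example' and 'pip-example' are placeholders.
$rg      = 'rg-example'
$loc     = 'westeurope'
$nicName = 'Some_Nic_nic0'

# 1. Create the NSG first. Only one inbound allow rule; everything else inbound from
#    the internet stays blocked by the default rules.
$rule = New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' -Direction Inbound -Access Allow `
            -Protocol Tcp -Priority 100 -SourceAddressPrefix Internet -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange 443
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-example' -ResourceGroupName $rg -Location $loc `
            -SecurityRules $rule

# 2. Create the public IP. A Standard SKU public IP admits no inbound traffic until an
#    NSG explicitly allows it, which limits the exposure window the post is worried about.
$pip = New-AzPublicIpAddress -Name 'pip-example' -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard

# 3. Read the NIC once, set both references on that same object, and push a single update.
#    Two separate updates built from two separate reads risk one overwriting the other.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.NetworkSecurityGroup                 = $nsg
$nic.IpConfigurations[0].PublicIpAddress  = $pip
$null = Set-AzNetworkInterface -NetworkInterface $nic

# 4. Verify from a fresh read that the NSG association survived the public IP attachment.
$check = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
if (-not $check.NetworkSecurityGroup -or $check.NetworkSecurityGroup.Id -ne $nsg.Id) {
    throw "NSG is no longer attached to $nicName; NIC is reachable via $($pip.IpAddress) unfiltered"
}
Write-Host "OK: $nicName has NSG $(($check.NetworkSecurityGroup.Id -split '/')[-1]) and public IP $($pip.IpAddress)"
```

Run the verification step after any portal or script change to the NIC as well; it costs one read and catches the situation the post describes.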

Is there a version of AWS transit gateway in Azure?


Is there a version of "AWS transit gateway" in Azure?

https://aws.amazon.com/transit-gateway/

AWS's transit gateway is like a virtual router in the cloud, provided as a service, for VPCs to connect to.

It is like a hub where spokes can connect to other VPCs in the cloud.

AWS transit gateway is a virtual gateway where multiple VPCs can connect via a single virtual gateway so that traffic can be routed to other VPCs.

How would we do this in Azure? What is the corresponding product?

This allows connecting separate VPCs to a single interface, like in a hub-and-spoke design.

In other words, if we need multiple VNets to communicate, is there an Azure product that acts like a virtual gateway to allow this? We do not want to directly configure a peering to each VNet, but rather want a virtual gateway where the traffic can be routed to multiple VNets. There would be no need to have a separate peering between each VNet.

The below link shows a transit gateway; however, is there an actual virtual gateway? Logically it appears as a transit VNet, which is a hub that connects the other VNets. Will this allow all the VNets to communicate with each other from the single transit VNet?

https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/



dsk
Bastion RDP Setup


Hi there,

I have an Azure Linux VM with a Public IP address of 52.191.251.32 and a Private IP address of 10.0.0.4. There is a "default" subnet with an address space of 10.0.0.0/24.

I would like to configure Bastion to RDP within the browser. I have attempted to set up the AzureBastionSubnet with various IP address ranges, but have received the following two errors:

1) The specified address space overlaps with subnet 'default' which has a range of 10.0.0.0/24.

2) Your subnet is not contained within the address space for this virtual network: 10.0.0.0/24

I have read all the documentation and FAQ available, and am not able to determine what IP address range is needed to configure the AzureBastionSubnet to enable Bastion RDP within the browser. Any assistance would be appreciated; let me know if there is other information I might need to provide.

List devices associated with a vNet using Powershell


In the Azure Portal, you can see a list of devices that are associated with/connected to a VNet. Is there a way this can be done through the Azure PowerShell Az module, to get a list of devices linked to a VNet? Thanks greatly.
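An added Az PowerShell example, not from the post: it enumerates every network interface whose IP configuration sits in a subnet of the given VNet and reports the private IP, subnet, attached VM, NSG and public IP for each. The resource group and VNet name are placeholders.

```powershell
# Added example; 'rg-example' and 'VN-01' are placeholder names.
$vnet      = Get-AzVirtualNetwork -Name 'VN-01' -ResourceGroupName 'rg-example'
$subnetIds = @($vnet.Subnets.Id)

# Helper: last segment of a resource ID (the resource name), or '(none)' when unset.
function Get-LeafName([string]$Id) {
    if ([string]::IsNullOrEmpty($Id)) { return '(none)' }
    return ($Id -split '/')[-1]
}

# Walk every NIC visible in the current subscription context and keep the IP
# configurations whose subnet belongs to the VNet. A NIC with several IP
# configurations yields one row per configuration.
Get-AzNetworkInterface | ForEach-Object {
    $nic = $_
    $nic.IpConfigurations |
        Where-Object { $_.Subnet -and ($subnetIds -contains $_.Subnet.Id) } |
        ForEach-Object {
            [pscustomobject]@{
                Nic       = $nic.Name
                PrivateIp = $_.PrivateIpAddress
                Subnet    = Get-LeafName $_.Subnet.Id
                Vm        = Get-LeafName $nic.VirtualMachine.Id
                Nsg       = Get-LeafName $nic.NetworkSecurityGroup.Id
                PublicIp  = Get-LeafName $_.PublicIpAddress.Id
            }
        }
} | Sort-Object Subnet, PrivateIp | Format-Table -AutoSize
```

This covers NIC-based resources only; gateways and other services that live in a subnet without a NIC are not returned by Get-AzNetworkInterface. The Nsg and PublicIp columns make it easy to spot a NIC that has a public IP but no NSG.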

Looking for detailed steps on configuring a express route from on premise to the cloud?


Looking for detailed steps on configuring an ExpressRoute from on-premises to the cloud, as well as providing a way for VNets to communicate with other VNets/on-premises.

Are there any prerequisite configurations that need to be done on-premises? Do we need any special gateways configured in the VNets? We will be using several VNets, including: 1) VNet 2 - management apps, requires jump servers; 2) VNet 1 - path for traffic from on-premises to other VNets; 3) VNet 3 - production; 4) VNet 4 - development; 5) VNet 5 - test. All traffic, with the exception of management traffic, will pass through VNet 2. Is there a type of virtual router (i.e. AWS has a virtual gateway, which is a SaaS that acts like a router) so that traffic can flow between VNets in the cloud while allowing for communication with on-premises? {VNet 1 (all cloud-bound traffic except management traffic) and VNet 2 (management traffic like jump servers) would both need to communicate with on-premises.}

It seems like there is no such Azure offering for a virtual network interface that allows communication between VNets? I only noticed a hub VNet which communicates with on-premises via an ExpressRoute gateway. This hub and spoke seems to only allow communication with the hub? We want to reduce or simplify the cloud peering configuration (see diagram in the link). We were expecting each VNet to have a peering connection to this virtual gateway (which would have to act like a virtual router service), allowing for communication between the VNets in the cloud. VNet 1 (all traffic except management) and VNet 2 (management) would be the entry points for traffic into the cloud.

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

XXXXXXXXXXXXXXXXXXXXXXXXXXX

https://github.com/microsoft/Common-Design-Principles-for-a-Hub-and-Spoke-VNET-Archiecture


Noted under Hub and Spoke Architecture in the above link (2nd bullet, Spoke VNets) that they are not transitive. Please confirm my understanding, because we need the spoke VNets to communicate with each other. Therefore, would our requirement for transitive communication between spoke VNets have to use peering (this requires a lot of peerings), or do we need a virtual router to allow communication between each spoke VNet? Would communication with this router not require a peering?



how to access restrict for private endpoint


A private endpoint for Azure SQL DB is created, and it can be accessed via its private IP over ExpressRoute from on-premises.
Since the NSG of the subnet does not act on the endpoint, the private endpoint can be accessed from anywhere on-premises.
Is there any way to restrict the source IP address of connections to the private endpoint on the Azure side?

How to connect the same vnet with a peering.


We have a VNet with a virtual network gateway in place. We would like to connect the same VNet with a peering. Is that possible? Is there some architecture scenario suggested for this case?

Issue with Site-to-Site Connectivity and VNet-VNet Connectivity


Hi Everyone,

We have our landscape over 2 Azure regions, viz. Region-01 and Region-02. We have set up Site-to-Site VPN connectivity between our on-premises gateway and the Azure gateway of Region-01. We have also set up VNet-to-VNet connectivity between the VNet in Region-01 and the VNet in Region-02. Now, I'm able to ping VMs in Region-01 from the on-premises network, and VMs in Region-01 are able to ping VMs in Region-02, but VMs in Region-02 cannot be pinged from the on-premises network.

My query is: what setting / configuration change do we need to make so that I'm able to ping my Region-02 VMs from the on-premises network?

Thanks

Kumar

What Azure service would suit this scenario?


I have a web app sitting within the same VNet as two VMs. The VMs are behind an internal load balancer that checks them for health. When the web app fires off an HTTP request, the load balancer routes it to one of the VMs.

However, I would like to replace the load balancer with something that works at the level of services rather than whole VMs. So instead of probing VM1 and VM2 for health, it would actually know about the Cat service and the Dog service, probe those individual services for health, and then do the routing based on that.

I haven't looked much at Application Gateway or API Management. Would either of those two offerings be suitable for this scenario?

Here's a diagram of what I'm imagining:

It's not necessary for me that each logical service gets its own host name. If the web app had to make requests to http://something/dog/bark, that would also work.

Thanks for any advice!


Price for "Standard" (Legacy) VPN Gateway used as VPN-type, per hour or monthly


Hello,

Looking at https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/, for legacy SKUs it only mentions the "Basic" SKU, rated at $0.04/hour, based on 730 hours of usage/month at 100 Mbps.

I would like to know the cost for a Standard SKU, provisioning and usage (inbound/outbound data transfer), used for a route-based VPN (no ExpressRoute).

The thing is that since adding one, there has been a daily increase in the billing for that particular resource:

Day 1: $0.76. Day 2: $1.60. Day 3: $2.76


Regards


Access secondary public IP from Internet


I have a Windows VM that has the following configuration:

1 x NIC which has 2 IP configurations associated:
1 = 1 x private IP (static 10.0.0.6); 1 x public IP (static)
2 = 1 x private IP (static 10.0.0.8); 1 x public IP (static)

I can ping the internet fine from the 10.0.0.6 address (ping -S 10.0.0.6 google.com).
I cannot ping the internet from the 10.0.0.8 address (ping -S 10.0.0.8 google.com).

According to the documentation, you can only ping the internet from the primary address UNLESS the secondary has a public IP attached (which it does).

I have followed the procedure to set this up here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal.

I am ultimately trying to access the second IP from the internet to host a second website.
The first public IP is associated with a website and works fine.
The second public IP is associated with a website and cannot be reached (it can be accessed locally).
Ports 80 and 443 have been opened on the shared NSG.

Any ideas?



Application GateWay configuration For REST API integration


Hi,

I have an Application Gateway in a public subnet, and the workloads (VMs) are in a private subnet. These VMs are configured with the Jira Service Desk application. If someone from outside Azure wants to access the REST integration on these VMs, what is the way to configure the Application Gateway to cater for the integration?

Regards,

Basu

