Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

Want to use Azure API gateway for the workloads running in AWS. We have our webservices running in AWS. Is there a way to use test APIs in Azure API gateway using our custom DNS which is hosted in AWS?

Want to use Azure API gateway for the workloads running in AWS. We have our webservices running in AWS. Is there a way to use test APIs in Azure API gateway using our custom DNS which is hosted in AWS?

Help is greatly appreciated


Do we need a second public IP for a Traffic Manager Endpoint?

Hello

We have an AD site in Azure. This is in addition to our main AD site in our office in London, and is a replacement for our (now decommissioned) physical DR AD site somewhere else in London.

We have a site-to-site VPN set up between our HQ building and Azure. It all seems to be working very nicely.

We've added an ADFS server and an ADFS WAP server in the Azure AD site, again, as replacements for the ADFS and ADFS WAP servers that were in our DR site.

In Azure we have a Traffic Manager profile for ADFS. This had two Endpoints in it, one for HQ, the other for the decommissioned DR site. Following the decommissioning of the DR site the matching Endpoint was deleted.

So, we need a new Endpoint that refers to our Azure site.

(Phew!)

My question is, for the DNS A record that used to point to our old DR site, can I use the IP address we're using for our site-to-site VPN gateway, or do I need to add a new/additional IP address in Azure?

Thanks in advance.

JJ

Unable to access the application running on port 8000

I have an application running on port 8000. From the box I am able to access it with curl http://127.0.0.1:8000

Then I tried to access it with this box's public IP, but it is not working:

http://104.42.229.43:8000/

Azure firewall and routing tables

The documentation examples I have seen show how to get a resource, such as a vnet, to route via an Azure firewall by use of a route table. My question regards how the firewall itself knows how to route return traffic. Does it pick up implicit/system routes? Or does the firewall need its own explicit route table to know how to reach various destinations?

Is it possible to view the effective routes applicable to the firewall? Including system routes? Under 'route table' - 'support & troubleshooting' - 'effective routes' it wants a 'network interface' field. But since there is none, no effective routes are listed.

VNET to VNET between regions stuck on Connecting status.

I set up a brand new resource group to test something and cannot progress past the basics. I have set up the following...

1 x East AU VNET (10.210.0.0/16 - 10.210.1.0/24)

1 x East US VNET (10.220.0.0/16 - 10.220.1.0/24)

1 x East AU VNG (vngw1 plan) + Pub IP

1 x East US VNG (vngw1 plan) + Pub IP

I then created a connection between two VNGs with a PSK.  It sat on connecting for 20-30 mins after creation.  I checked it 3 hours later and it said connected.  I left it and went to bed.

I come in this morning to find it sitting on Connecting again.

Is there something I have done wrong?

As a side question - does the VNET to VNET connection traverse the public internet or the MS backhaul?

VPN Gateway Hours

Hi, I'm pricing a migration to Azure and on the VPN Gateway settings there is an option for Gateway Hours. Am I correct in assuming this is the number of hours per month that the VPN will be in use?

TIA, Delboy

Block All Traffic from certain countries

We are currently using Azure Global Traffic Manager (GTM), WAF_v2 and Web Apps. We have a requirement to block all traffic from certain countries. Please let us know what options we have.

Cheers.

Is it possible to log the entire HTTP request in the Azure Front Door logs?

I've deployed Azure Front Door with a WAF Policy.  I also configured Diagnostics Settings to send both the FrontdoorAccessLog and FrontdoorWebApplicationFirewallLog logs to a Log Analytics workspace.  And I can query and see fields including requestUri_s, httpMethod_s, and requestBytes_s.  But, I'd like to see the entire HTTP request to determine why a particular WAF rule is getting triggered.  Is it possible to log the entire HTTP request?


Azure Firewall deployment/update fails with existing Express Route Gateway Connection

Hi.

I cannot deploy a new or update an existing Azure Firewall when an Express Route gateway with a connection is present. If I delete the connection I can deploy or update (e.g. create a new network rule collection) the Azure Firewall.

The setup is quite simple:

HUB VNet
  gateway subnet with the ER-gateway
  FirewallSubnet 

Has anyone experienced the same?

Best regards
Andreas

Issue setting up 2nd Internet Peering session to Microsoft AS8075

I am trying to setup a 2nd internet peering session to Microsoft AS8075 from BCX AS7020 at NAPAfrica Johannesburg

The primary peering session was setup quite a while ago and not through the Azure Portal.

I do not have an Azure subscription and have created a free trial account to request the 2nd peering session. This is also my first time trying this through the Azure portal.

I have followed get the error below and I am not sure what I am doing wrong.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"code\": \"BadArgument\",\r\n \"message\": \"\"\r\n}"}]}

Best practice for handling HAProxy Failover

What is currently the best practice way of handling failover for HAproxy behind the Azure Load balancer?

We currently have a two-node setup of HAProxy using keepalived on the nodes to detect and failover virtual IP addresses. Are there any solutions in i.e. Azure Load Balancer that can handle floating IP and handle the failover outside of the actual HAProxy nodes?

Routing from Point to site VPN over Express Route

Hi.

Should this also work with an express route to OnPremise Site 1?

Multiple VNets connected using S2S and a branch office

My assumption from all information I found is, that the only way to route traffic from a Point 2 Site VPN over an express route is Azure Virtual WAN. Is that correct? 

Best regards
Andreas


No Azure-provided DNS on P2S VPN client

I added a private DNS zone and linked it to my vnet. My VM is auto-registered, and I can resolve its full private DNS name from the machine itself.

I cannot resolve it from the VPN client, though. I re-downloaded and re-installed the VPN client. ipconfig /all shows the following:

PPP adapter XXX_vnet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : XXX_vnet
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.25.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Why is there no DNS server? If I try to resolve with nslookup -debug, there is no Azure DNS server coming up.

Thanks,

Sergey

Share a single public IP for outgoing traffic from various resources in a vnet?

We have a bunch of services in a vnet (consisting of several subnets), including app services, standalone virtual machines and scale sets. All of these need outgoing internet access, but most of them accept no incoming traffic. Is it possible to configure this setup so that they all "share" a single public IP for this outgoing traffic? An IP that we can "control" ourselves (i.e. it is an ARM resource that we can see in the portal).

When I google this problem, all I seem to find is solutions about machines behind a single load balancer (or application gateway), and the traffic being both incoming and outgoing. Instead we want something more like the way the network is built up in a normal office, having a bunch of various computers and servers, most of which are not reachable from the internet, but almost all of them having outgoing internet access, and when they reach the internet they all "go through" the same public IP.

Is there a way to achieve this in Azure? And can it be done by someone who has no real networking skills? Maybe there are some guides that describe how to do this? And a complete ARM template example would be great too.

Also, all our VMs are Linux servers.


Cannot create an open port 25 in endpoint session

I would like to open port 25 in endpoint session but it does not allow it. Do you know how to create an open port 25 for a Windows VM server in the Azure dashboard?

Thank you.

Brian



ExpressRoute Direct - number of circuits/VLANs/peerings allowed

I read somewhere that you can create up to 10 circuits on an ExpressRoute Direct.  Does each circuit support two VLANs/two Peerings (one for Azure Private, one for Microsoft Public) like it does in the customer shared ExpressRoute port model?
Is the standard number of vnets per ExpressRoute circuit (created within ExpressRoute Direct) still 10?  

Also is the number of ExpressRoute circuits (created within ExpressRoute Direct) that can be linked to the same vnet still 4 (e.g. if I created 10 circuits inside of ExpressRoute Direct, only four of those circuits could be linked to the same vnet)?

Can't redeploy Network Security Group for Databricks VNet injection

Hi there,

I'm using this "all-in-one" Databricks/VNet/NSG template found here: https://github.com/Azure/azure-quickstart-templates/tree/master/101-databricks-all-in-one-template-for-vnet-injection/. It deploys fine the very first time, but subsequent deployments fail with a "Network Intent Policy" conflict.

Here's the full error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"ConflictWithNetworkIntentPolicy\",\r\n \"message\": \"Found conflicts with NetworkIntentPolicy. Details: Network Security Group cannot have resources which conflict with its subnets' network intent policies.\\r\\nNetwork Security Group: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkSecurityGroups/databricks-nsg conflicts with Network Intent Policy: adb-uksouth-<id>\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-webapp, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-webapp, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: 51.140.204.4/32, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-sql, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-sql, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Sql, DestinationPortRange: 3306\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-storage, Id: 
/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-storage, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Storage, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-eventhub, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-eventhub, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: EventHub, DestinationPortRange: 9093\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-ssh, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-ssh, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 22\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-worker-proxy, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-worker-proxy, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 5557\\r\\n ----\\r\\n---- ----\\r\\nNetwork Security Group: 
/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkSecurityGroups/databricks-nsg conflicts with Network Intent Policy: adb-uksouth-<id>\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-webapp, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-webapp, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: 51.140.204.4/32, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-sql, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-sql, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Sql, DestinationPortRange: 3306\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-storage, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-storage, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Storage, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-eventhub, Id: 
/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-eventhub, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: EventHub, DestinationPortRange: 9093\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-ssh, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-ssh, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 22\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-worker-proxy, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-worker-proxy, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 5557\\r\\n ----\\r\\n---- ----\",\r\n \"details\": []\r\n }\r\n}"}]}

Databricks VNet injection recently became GA, and we had to delegate our subnets to Microsoft.Databricks/workspaces on existing environments. I don't know whether this error is related to teething problems, but this deployment used the updated ARM template above. Those security rules mentioned in the error seem to be the "old" security rules one had to define on the Databricks NSG.

Can anyone help?

Thanks,

Ed

Cannot Delete subnets inside of Virtual Network

Deleting the Vnet gives the error 

Failed to delete virtual network '(vnet_name)'. Error: Subnet (subnet_name) is in use by (Resource_group)/providers/Microsoft.Network/virtualNetworks/(vnet_name)/subnets/(subnet_name)/serviceAssociationLinks/AppServiceLink'>(vnet_name)/(subnet_name)/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

Deleting the Subnet inside of the Vnet gives 

Failed to delete subnet '(subnet_name)'. Error: Subnet (subnet_name) is in use by (resource_group)/providers/Microsoft.Network/virtualNetworks/(Vnet_name)/subnets/(subnet_name)/serviceAssociationLinks/AppServiceLink'>(vnet_name)/(subnet_name)/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

Nothing else exists within my subscription except for the subnet and the Vnet. The template for the Vnet shows this 

        {
            "type": "Microsoft.Network/virtualNetworks/subnets",
            "apiVersion": "2019-09-01",
            "name": "[concat(parameters('virtualNetworks_vnet_name'), '/subnet')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet_name'))]"
            ],
            "properties": {
                "addressPrefix": "(address Prefix)",
                "serviceEndpoints": [],
                "delegations": [
                    {
                        "name": "(name)",
                        "properties": {
                            "serviceName": "Microsoft.Web/serverFarms"
                        }
                    }
                ],
                "privateEndpointNetworkPolicies": "Enabled",
                "privateLinkServiceNetworkPolicies": "Enabled"
            }
        },

for the definition of the subnets. What do I need to do to be able to delete the subnets and Vnets?

No ARP reply from gateway

We have 8 Veritas database sync clusters. Each cluster has 2 VM nodes, and each VM has 3 NICs (eth0, eth1, eth2).
eth0, eth1 and eth2 are on different subnets.

[ Overview ]

The active DBMS is DB1. DB1 has a secondary VIP on eth0, and the WAS VM performs CRUD against eth0's VIP.

nic1 and nic2 are used for heartbeat and data sync.

If there is no heartbeat from a VM in the same cluster, the VM that has not received heartbeats judges that the other VM is dead and reports to the cluster manager.

The cluster manager selects a random VM and triggers a kernel crash on the selected VM. If the active VM (db1) is selected, the secondary IP (VIP) is moved to the standby VM's eth0.

[ Phenomenon ]

The rebooting of the VM is normal. But the strange thing is that 4 clusters have been rebooting at the same time, so I captured packets using tcpdump and found the problem.

Before db1 tries to send a heartbeat to db2, db1 sends an ARP request to the gateway (12:34:56:78:9a:bc MAC) and receives db2's MAC address. But suddenly, the gateway does not respond.

[ Question ]

I have opened a support case and received the answer that the four clusters' db1 are on the same host node. But the support engineer said "it's a host problem. Please check your OS" -> (I thought it is weird because this thing has been happening on four clusters. I redeployed one cluster and this thing has not been happening) and another engineer said "It could be a host problem, I will check them with backend team" -> but no reply for a week.

What should I do as the next step?

Tracking packet in servicebus relay through WCF trace Ids

We are witnessing an issue in one of our customer environments (configured under a proxy) wherein a few data packets are not reaching the caller environment using Service Bus relay. In the WCF trace logs we see the packet being sent out of the source machine but not being acknowledged at the receiver end.

Is there a way to see whether the packet actually reaches Service Bus relay based on the correlationId or activityId present in the WCF logs, along with the timestamp and Service Bus DNS, or do we need any additional logging to achieve this?

Any reason why we might see this behavior, the packet being shown as sent in the WCF trace but not reaching the consumer?

The network team from the customer side claims they have whitelisted the *.servicebus.windows.net DNS, and we see this happening only for a few packets in a regular pattern.

We analyzed whether the size of the packet causes the issue at the proxy end, but we have received packets of higher size than the one which is blocked.

Let me know if you need any more details.

Thanks in advance!
