Want to use Azure API gateway  for the workloads running in AWS. We have our webservices running in AWS , IS there a way to use test apis in Azure api gateway using our custom DNS which is hosted in AWS

Help is greatly appreciated

Hello

We have an AD site in Azure. This is in addition to our main AD site in our office in London, andis a replacement for our (now decommissioned) physical DR AD site somewhere else in London.

We have a site-to-site VPN set up between our HQ building and Azure. It all seems to be working very nicely.

We've added an ADFS server and an ADFS WAP server in the Azure AD site, again, as replacements for the ADFS and ADFS WAP servers that were in our DR site.

In Azure we have a Traffic Manager profile for ADFS. This had two Endpoints in it, one for HQ, the other for the decommissioned DR site. Following the decommissioning of the DR site the matching Endpoint was deleted.

So, we need a new Endpoint that refers to our Azure site.

(Phew!)

My question is, for the DNS A record that used to point to our old DR site,can I use the IP address we're using for our site-to-site VPN gateway, or do I need to add a new/additional IP address in Azure?

Thanks in advance.

JJ

I have application running on port 8000,  from the box I am able to access curl http://127.0.0.1:8000

Then I tried to access with this boxes public ip, but not working 

http://104.42.229.43:8000/

The documentation examples i have seen show how to get a resources, such as a vnet, to route via an Azure firewall by use of a route table. My question regards how the firewall itself knows how to route return traffic. Does it pick up implicit/system routes? Or does the firewall needs its own explicit route table to know how to reach various destinations?

Is it possible to view the effective routes applicable to the firewall? Including system routes? Under 'route table' - 'support & troubleshooting' - 'effective routes' it wants a 'network interface' field. But since there is none, no effective routes are listed.

I set up a brand new resource group to test something and cannot progress past the basics.I have set up the following...

1 x East AU VNET (10.210.0.0/16 - 10.210.1.0/24)

1 x East US VNET (10.220.0.0/16 - 10.220.1.0/24)

1 x East AU VNG (vngw1 plan) + Pub IP

1 x East US VNG (vngw1 plan) + Pub IP

I then created a connection between two VNGs with a PSK.  It sat on connecting for 20-30 mins after creation.  I checked it 3 hours later and it said connected.  I left it and went to bed.

I come in this morning to find it sitting on Connecting again.

Is ther something I have done wrong?

As a side question - does the VNET to VNET connection traverse the public internet or the MS backhaul?

Hi, i'm pricing a migration to Azure and on the VPN Gaeway settings there is an option for Gateway Hours. Am I correct in assuming this is the number of hours per month that the VPN will be in use?

TIA, Delboy

We are currently using Azure Global Traffic manger (GTM), WAF_v2 and Web apps. We have a requirement to block all traffic from certain countries. please let us know what options do we have?

Cheers.

I've deployed Azure Front Door with a WAF Policy.  I also configured Diagnostics Settings to send both the FrontdoorAccessLog and FrontdoorWebApplicationFirewallLog logs to a Log Analytics workspace.  And I can query and see fields including requestUri_s, httpMethod_s, and requestBytes_s.  But, I'd like to see the entire HTTP request to determine why a particular WAF rule is getting triggered.  Is it possible to log the entire HTTP request?

Hi.

I cannot deploy a new or update an existing Azure Firewall when a Express Route gateway with a connection is present. If I delete the connection I can deploy or update (e.g. create a new network rule collection) the Azure Firewall.

The setup is quite simple:

HUB VNet
  gateway subnet with the ER-gateway
  FirewallSubnet 

Has anyone experienced the same?

Best regards
Andreas

I am trying to setup a 2nd internet peering session to Microsoft AS8075 from BCX AS7020 at NAPAfrica Johannesburg

The primary peering session was setup quite a while ago and not through the Azure Portal.

I do not have an Azure subscription and have created a free trial account to request the 2nd peering session. This is also my first time trying this through the Azure portal.

I have followed get the error below and I am no sure what I am doing wrong.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"code\": \"BadArgument\",\r\n \"message\": \"\"\r\n}"}]}

Hi.

Should this also work with an express route to OnPremise Site 1?

Multiple VNets connected using S2S and a branch office

My assumption from all information I found is, that the only way to route traffic from a Point 2 Site VPN over an express route is Azure Virtual WAN. Is that correct? 

Best regards
Andreas

I added a private DNS zone and linked it to my vnet. My VM is auto-registered, and I can resolve its full private DNS name form the machine itself.

I cannot resolve it from the VPN client, though. I re-downloaded and re-installed the VPN client. ipconfig /all shows the following:

PPP adapter XXX_vnet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : XXX_vnet
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.25.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Why there is no DNS Server? If I try resolve with nslookup -debug, there is no Azure DNS server coming up.

Thanks,

Sergey

We have a bunch of services in a vnet (consisting of several subnets), including app services, stand alone virtual machines and scale sets. All of these needs outgoing internet access, but most of them accept no incoming traffic. Is it possible to configure this setup so that they all "share" a single public IP for this outgoing traffic? An IP that we can "control" ourselves (ie it is an ARM resource that we can see in the portal).

When I google on this problem, all I seem to find is solutions about machines behind a single load balancer (or application gateway), and the traffic being both incoming and outgoing. Instead we want something more like the network is built up in a normal office, having a bunch of various computers and servers, most of which are not reachable from the internet, but almost all of them having outgoing internet access, and when they reach they internet they all "go though" the same public IP.

Is there a way to achieve this in Azure? And can it be done by someone who has no real networking skills? Maybe there are some guides that describe how to do this? And a complete ARM template example would be great too.

Also, all our VMs are Linux servers.

I would like to open a port 25 in endpoint session but it does not allow. Does you know how to create a open port 25 for Windows VM server in Azure dashboard?

Thank you.

Brian

Hi there,

I'm using this "all-in-one" Datbricks/VNet/NSG template found here: https://github.com/Azure/azure-quickstart-templates/tree/master/101-databricks-all-in-one-template-for-vnet-injection/. It deploys fine the very first time, but subsequent deployments fail with a "Network Intent Policy" conflict.

Here's the full error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"ConflictWithNetworkIntentPolicy\",\r\n \"message\": \"Found conflicts with NetworkIntentPolicy. Details: Network Security Group cannot have resources which conflict with its subnets' network intent policies.\\r\\nNetwork Security Group: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkSecurityGroups/databricks-nsg conflicts with Network Intent Policy: adb-uksouth-<id>\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-webapp, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-webapp, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: 51.140.204.4/32, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-sql, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-sql, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Sql, DestinationPortRange: 3306\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-storage, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-storage, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Storage, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-eventhub, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-eventhub, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: EventHub, DestinationPortRange: 9093\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-ssh, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-ssh, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 22\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-worker-proxy, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-worker-proxy, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 5557\\r\\n ----\\r\\n---- ----\\r\\nNetwork Security Group: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkSecurityGroups/databricks-nsg conflicts with Network Intent Policy: adb-uksouth-<id>\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-webapp, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-webapp, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: 51.140.204.4/32, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-sql, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-sql, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Sql, DestinationPortRange: 3306\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-storage, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-storage, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: Storage, DestinationPortRange: 443\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-worker-to-eventhub, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-worker-to-eventhub, Access: Allow, Direction: Outbound, Protocol: tcp, SourceAddressPrefix: VirtualNetwork, SourcePortRange: *, DestinationAddressPrefix: EventHub, DestinationPortRange: 9093\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-ssh, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-ssh, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 22\\r\\n ----\\r\\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: databricks-control-plane-worker-proxy, Id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/networkIntentPolicies/adb-uksouth-<id>/securityRules/databricks-control-plane-worker-proxy, Access: Allow, Direction: Inbound, Protocol: tcp, SourceAddressPrefix: 51.140.203.27/32, SourcePortRange: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 5557\\r\\n ----\\r\\n---- ----\",\r\n \"details\": []\r\n }\r\n}"}]}

Databricks VNet injection recently became GA, and we had to delegate our subnets to Microsoft.Databricks/workspaces on existing environments. I don't know whether this error is related teething problems, but this deployment used the updated ARM template above. Those security rules mentioned in the error seem to be the "old" security rules one had to define on the Databricks NSG.

Can anyone help?

Thanks,

Ed

Deleting the Vnet gives the error 

Failed to delete virtual network '(vnet_name)'. Error: Subnet (subnet_name) is in use by (Resource_group)/providers/Microsoft.Network/virtualNetworks/(vnet_name)/subnets/(subnet_name)/serviceAssociationLinks/AppServiceLink'>(vnet_name)/(subnet_name)/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

Deleting the Subnet inside of the Vnet gives 

Failed to delete subnet '(subnet_name)'. Error: Subnet (subnet_name) is in use by (resource_group)/providers/Microsoft.Network/virtualNetworks/(Vnet_name)/subnets/(subnet_name)/serviceAssociationLinks/AppServiceLink'>(vnet_name)/(subnet_name)/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

Nothing else exists within my subscription except for the subnet and the Vnet. The template for the Vnet shows this 

for the definition of the subnets. What do I need to do to be able to delete the subnets and Vnets?

We are having 8 Veritas Database sync cluster. And each cluster are has 2 node of vm. And each vm are has 3 NIC (eth0, eth1, eth2).
The eth0, eth1, eth2 are on a different subnet. 

[ Overview ]

An Active DBMS is DB1, the DB1 has secondary VIP on eth0 and WAS VM try CRUD to eth0's VIP

nic1, nic2 is used to Heartbeat and data sync.

If there is no Heartbeat from each vm on same cluster, the vm, who has not received heartbeats, judges that the other vm is dead and report to cluster manager

The Cluster manager select random vm and gave a kernal crash to selected vm. If the active vm(db1) were selected secondary ip (vip) is move to standby vm's eth0

[ Phenomenon ]

The rebooting of VM is normal. But what's strange thing is 4 clusters have been rebooting at the same time so I captured packet using tcpdump and I found the problem.

Before the db1 trying to send a heartbeat to db2, the db1 request ARP to gateway (12:34:56:78:9a:bc mac) and receive db2's mac address. But suddenly, the gateway does not respond.

[ Question ]

I have been opening support case and received answer four cluster's db1 are on the same host node. But support engineer said "it's a host problem. Please check your OS" -> (I though it is weird because this thing have happening on four cluster. I redeployed one cluster and this thing have not been happening) and another engineer said "It could be a host problem, I will check them with backend team" -> but no reply for a week

What should I do for next step?