Domain (www.caliberqms.in) has been taken from Godaddy.
Created a VM in Azure with Windows with IIS and SQL environment. Configured our web application in IIS.
Static IP (Azure VM): 40.78.133.94
DNS settings done in Godaddy and IIS settings done in VM.
We are able to access the Web Application in the VM and also through the public IP from outside of the VM, i.e. through the internet. But we are unable to access the application through the domain name from the internet.
Unable to access Web Application hosted in IIS through domain name
connectivity between Azure and AWS?
Or should we peer the separate azure cloud together instead of using the cisco 1000v router? The primary cloud has 4-5 vnets and the other clouds can have an equal number of vnets hence thinking a cisco 100v router would be best. Also if we were going to peer between different clouds would we use an express route between them (the azure clouds are within the same region)? Or does this connection between the separate azure clouds occur across the Azure network backbone and not require any additional cost other than the cost of peering?
If we want to connect an azure cloud and an aws cloud for the purpose of allowing systems to communicate with each other. For example, the azure cloud has a system A while the AWS cloud has a system B. We need both systems to communicate with each other. If we want to have a direct pipe between the clouds how should we do this? Do you have detailed steps on how to implement this? ... Would we peer or would we use a cisco 1000v?
Would we need an express route to connect the AWS cloud to the Azure cloud?
Also wondering if it might be better to connect the clouds cloud converge at the colocation site equinix. Note- the colo site is an extension of on-premise to a network/security infrastructure before going to the cloud,... on- premise communication will travel through the colo site before entering the cloud. Azure>colocation site>A
dsk
Azure WAF performance question (high CPU)
We have a waf v1. I’ve noticed it is running at 100% cpu for large periods of the day and we have had complaints about performance.
From what I can see I have a couple of options to help with this situation, but not sure which one will help the most.
1. We increase the number of instances perhaps up to four, currently we have two.
2. Or we increase the sku from medium to large.
3. We increase instances to 4 and change to large.
During the period of 100% cpu we are seeing Total Requests around 3k and Throughput at around 3mb/s.
I'm not sure whether the cpu problem would be helped most by increasing number of instances or changing sku.
Any advice appreciated.
IPSEC VPN Troubleshooting
Good morning.
I have a couple of IPSEC VPN with azure VirtualNetworkGateway at a side, and an on-premise Fortigate device on the other side.
They are working now, but they didn't come up immediately.
On the Fortigate I have some debugging tool, such as the embedded sniffer, my favorite ("diag sniffer packet..." command).
I couldn't find anything at the Azure side, I simply could double (triple) check the VPN parameters.
Is there anything similar on Azure that allows me to see the traffic real time on a console?
More general, which is the best troubleshooting approach in this case?
The Azure portal would be fine as a tool, but powershell would be great.
Happy new year!
Registry DNS name is already in use
Hi,
I am facing the below error while creating the Azure container registry. I deleted all the resource groups and created a fresh one, but I am still facing the same error.
Error: The registry DNS name sandyacr.azurecr.io is already in use. You can check if the name is already claimed using following API: https://docs.microsoft.com/en-us/rest/api/containerregistry/registries/checknameavailability
Azure Private DNS not resolving names from 2 vnets
I'm new with Azure, I've downloaded a template that contains 3 servers(SCCM Infrastructure + DNS server with a contoso.com domain)
I've created a separate Vnet and put a separate device there, I have configured peering so I can ping from machines in Vnet1, machines in Vnet2.
According to information I've read, I should be able to resolve machine names cross Vnets with a private DNS Zones. I've created one, it contains setting for auto registration for both sides, from Vnet1 and Vnet2 and yet I still can't resolve names cross Vnet.
I wanted to do some exercises in my trial Azure subscription and this is only task I can't get through;/ my goal is to make DNS resolve names cross Vnets + add the new created device from Vnet2 to Contoso domain in Vnet1 - Any hint here?
Thanks!
availability set addition in azure load balancer backend pools
Hello Team,
I have created a basic Azure LB and when I go to create backend pools to add my "Availability Set", the availability set option is missing in Associated to ... please assist.
availability set addition in azure load balancer backend pools
Hello Team,
How to add an availability set in Azure load balancer .... I can see there are only three options (unassociated, virtual machine and virtual machine scale set) in backend pools
not able to see availability set
Secure Api manager with VNET peering
Unable to delete a resource group and I am getting billed for deleted resource group resources.
Hi,
I am not able to delete a resource group because I have moved a few resources from one resource group, VnetGWconncTest, to another resource group, azanktest-rg. The moving of resources took a lot of time and the movement failed. Later I deleted resource group azanktest-rg and want to delete resource group VnetGWconncTest, but now I am getting the below error :-
Error :-
Delete resource group VnetGWconncTest failed
Failed to delete resource group VnetGWconncTest: Deletion of resource group 'VnetGWconncTest' failed as '10' resources could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is '310c4f5b-02fa-4572-b6fd-4ccb19280392'. Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked)
Public IP address /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/westjapanGW-ip can not be deleted since it is still allocated to resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/virtualNetworkGateways/WestJapan-gw/ipConfigurations/default. In order to delete the public IP, disassociate/detach the Public IP address from the resource. To learn how to do this, see aka.ms/deletepublicip. (Code: PublicIPAddressCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/westjapanGW-ip)
Resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/connections/westjapan-to-eastus was involved in a move operation which is either currently ongoing or failed. NRP does not allow operations on such resources. If a move operation is ongoing, wait for it to complete. Else please contact support to get the resource unblocked. (Code: MoveOperationInProgressOrFailed, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/connections/westjapan-to-eastus)
Network security group /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkSecurityGroups/tiscohost2-nsg cannot be deleted because it is in use by the following resources: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2197. In order to delete the Network security group, remove the association with the resource(s). To learn how to do this, see aka.ms/deletensg. (Code: InUseNetworkSecurityGroupCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkSecurityGroups/tiscohost2-nsg)
Resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2197 was involved in a move operation which is either currently ongoing or failed. NRP does not allow operations on such resources. If a move operation is ongoing, wait for it to complete. Else please contact support to get the resource unblocked. (Code: MoveOperationInProgressOrFailed, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2197)
Resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2965 was involved in a move operation which is either currently ongoing or failed. NRP does not allow operations on such resources. If a move operation is ongoing, wait for it to complete. Else please contact support to get the resource unblocked. (Code: MoveOperationInProgressOrFailed, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2965)
Public IP address /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/tiscohost22-ip can not be deleted since it is still allocated to resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2965/ipConfigurations/ipconfig1. In order to delete the public IP, disassociate/detach the Public IP address from the resource. To learn how to do this, see aka.ms/deletepublicip. (Code: PublicIPAddressCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/tiscohost22-ip)
Public IP address /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/tiscohost2-ip can not be deleted since it is still allocated to resource /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2197/ipConfigurations/ipconfig1. In order to delete the public IP, disassociate/detach the Public IP address from the resource. To learn how to do this, see aka.ms/deletepublicip. (Code: PublicIPAddressCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/publicIPAddresses/tiscohost2-ip)
Network security group /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkSecurityGroups/tiscohost2nsg317 cannot be deleted because it is in use by the following resources: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2965. In order to delete the Network security group, remove the association with the resource(s). To learn how to do this, see aka.ms/deletensg. (Code: InUseNetworkSecurityGroupCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkSecurityGroups/tiscohost2nsg317)
Subnet tisco-vnet2-westJapan-sn1 is in use by /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/networkInterfaces/tiscohost2197/ipConfigurations/ipconfig1 and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet. (Code: InUseSubnetCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/virtualNetworks/tisco-vnet2-westJapan)
Gateway /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/virtualNetworkGateways/WestJapan-gw cannot be deleted as it is part of connection /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/connections/westjapan-to-eastus. (Code: VirtualNetworkGatewayCannotBeDeleted, Target: /subscriptions/612097c9-6f43-4f94-b020-b082c61e2cf7/resourceGroups/VnetGWconncTest/providers/Microsoft.Network/virtualNetworkGateways/WestJapan-gw)
However, I am getting billed for the deleted azanktest-rg resource group resources. Please provide a solution for this.
Unable to get Secondary IP working on Azure VM (CentOS)
So, I've snagged a secondary IP, which is attached to the NIC and in turn to the VM. My Apache config is fine, so far as I can tell.
I also followed the instructions on the document entitled: "Assign multiple IP addresses to virtual machines using the Azure portal" (sorry, it won't allow me to post a link) ... which basically involved creating a file (ifcfg-eth0:0), adding some info', and then restarting the network interface.
However, nothing seems to make any difference (including rebooting). I cannot reach the website via the secondary IP, or even ping/tracert the IP.
Any assistance would be gratefully received. I'm sure there's probably some small step I'm missing here.
Thank you in advance!
Azure ASAv config assistance
I'm not sure if this is the right place to post this but I wanted some assistance in setting up an ASAv on our Azure network.
Just to describe it a little, we currently have Cisco Meraki MX’s at each location which are connected via Site-to-Site VPN to a Meraki vMX at Azure. This is how all our sites connect to Azure. What we are trying to achieve is to create an ASAv within Azure which would be used for all our remote users to remote VPN using AnyConnect. We would need the remote users to be able to access the core resources at Azure and also have communication to our global sites.
My thoughts/questions are:
Where do we create the ASAv resource? Would this need to be created into its own resource group and then peered to the core?
Are there any implications on having 2 firewalls in the resource group?
How would the routing be configured on the ASAv to achieve communication?
I’ve only really just started Azure configurations so this could be a simple setup but just looking for help and looking at best practices on this too.
Thanks
Can't establish Point-to-Site OpenVPN connection to Azure (keeps resetting)
Config file downloaded from Azure, so it should be correct. Certs seem to be working fine as well as authentication passes. But when it comes to establishing the tunnel link, the connection is reset.
OpenVPN client log:
Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,RESOLVE,,,,,,
Mon Jan 28 16:43:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:31 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jan 28 16:43:31 2019 Attempting to establish TCP connection with [AF_INET]51.xxx.xxx.xxx:443 [nonblock]
Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,TCP_CONNECT,,,,,,
Mon Jan 28 16:43:32 2019 TCP connection established with [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 TCP_CLIENT link local: (not bound)
Mon Jan 28 16:43:32 2019 TCP_CLIENT link remote: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,WAIT,,,,,,
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,AUTH,,,,,,
Mon Jan 28 16:43:32 2019 TLS: Initial packet from [AF_INET]51.xxx.xxx.xxx:443, sid=21add8ff 47fc7a94
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Mon Jan 28 16:43:33 2019 VERIFY KU OK
Mon Jan 28 16:43:33 2019 Validating certificate extended key usage
Mon Jan 28 16:43:33 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 28 16:43:33 2019 VERIFY EKU OK
Mon Jan 28 16:43:33 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Red Mond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Red Mond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:56 2019 Connection reset, restarting [0]
Mon Jan 28 16:43:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jan 28 16:43:56 2019 MANAGEMENT: >STATE:1548693836,RECONNECTING,connection-reset,,,,,
Mon Jan 28 16:43:56 2019 Restart pause, 5 second(s)
Mon Jan 28 16:44:01 2019 MANAGEMENT: >STATE:1548693841,RESOLVE,,,,,,
VM init Failed - NetworkingInternalOperationError
Hi everybody,
After 1 year using my VM every weekday, I tried to start it today and I got this message: NetworkingInternalOperationError
It seems the NIC was removed. I am trying to add a new network interface, but it's not possible (the loading circle never ends)
I'm stuck!
What's the best solution?
I tried to create a new VM but I was not able to select my HDD (need to be in the same region as my old one to select existing HDD?)
Thanks!
Vnet Peering Options
Hello experts,
I have a VNet called Hub-Vnet which has an ER Gateway (Connected to an On-Premise Network) and an NVA. I have two Spoke VNets, which will be connected to the Hub-VNET and traffic between the spokes and hub will be directed to the via UDRs.
My question is while configuring the Vnet, do I need to select the option:
Use remote gateways "from the spoke to hub" and "Allow gateway transit" from hub to spoke?
Can't access Network Security Group - time out error - Stuck!
My router just restarted so I have a new IP address. I need to change my NSG rules to allow this new IP, however, trying to access the NSG section in the Azure Portal or via Azure Powershell is timing out. Is this an Azure wide problem?
Via the web portal, the error it displays is:
The request timed out. Diagnostic information: timestamp '20200129T213220Z', subscription id '',
tracking id '5e631c02-12f3-4517-be37-e87596b1a43b', request correlation id '5e631c02-12f3-4517-be37-e87596b1a43b'.
(Code: ServerTimeout)
Also occasionally a "Requests are Being Throttled" notification comes up in Azure portal. Besides trying to view this NSG, I'm not making any "requests" that I'm aware of, so guessing it is a bogus error related to this timeout that is likely an Azure backend issue or temporary outage. It just sucks because I can't do my work without changing these rules and I have clients waiting!
Via Azure Powershell:
Get-AzNetworkSecurityGroup
Get-AzNetworkSecurityGroup : A retryable error occurred.
StatusCode: 429
ReasonPhrase:
ErrorCode: RetryableError
ErrorMessage: A retryable error occurred.
Additional details:
Code: GatewayError
Message: Error occurred in resource provider infrastructure services.
OperationID : 25eb29b9-6bcf-4ccf-8db2-d9cc9dce35b5
At line:1 char:1
+ Get-AzNetworkSecurityGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzNetworkSecurityGroup], NetworkCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.GetAzureNetworkSecurityGroupCommand
Chad
Performance based routing not working as expected
Hello,
I'm trying to dig into an issue which I'm experiencing at work. I'll try to explain what I'm working with as best as possible.
We have a number of App Services all set up the same way:
2 regions, West US 2 and West Central US. In front of the App Services we have a traffic manager configured for performance based routing.
That is the extent of what I have control over. We do have a multi-region API Management instance set up in both of these regions as well which route to the App Service traffic managers (this is outside of my control). From my understanding, the API Management when running in multiple regions is also configured to route based on performance.
The issue I'm seeing is that although traffic is getting to the API Management in both regions as expected, the App Service traffic managers are always ever routing to West US 2, so our App Services never get traffic in West Central US.
Based on my understanding of the way performance based routing works, I would expect the traffic from the West Central US APIM to be routed to the West Central US App Services.
Has anyone else dealt with this kind of set up or experienced this issue?
Load Balancer stuck in updating state
Hi,
I created a load balancer with one Backend Pool (1 VM) and a HTTP health probe on port 80. But just after these steps, it went into updating state and does not come out of it. I can see some activities getting automatically created but none from my side. Whenever I make some change, it remains in updating state for a long time, sometimes 20-25 mins. I have only seen this with Load balancer and not with other services. Can we resolve this somehow or is it the time it will take anyhow?
Regards,
Vijay
VM AZURE VPN PPTP
Egress Azure Internet Traffic Inspection by Palo Alto NVA hosted in Azure and then On Prem Firewall and functioning of PaaS Services
These 2 sets of NVAs of Palo Alto would be present in the Hub VNET in two different subnets.
There are like 2 spoke VNETS that has VNET peering with the Hub and traffic is routed via the Hub, means transitive peering is enabled via Hub to the On Prem via Express Route.
They will also use few PaaS Services like Web Apps and SQL PaaS etc.
So my question is: is it mandatory to enable outbound Internet from Azure for these PaaS Services to work properly?
What if UDRs are created in the NVA and no egress internet traffic is allowed from Azure directly for example and everything has to be inspected by the Palo Alto NVA and then to the On Prem firewall and then outbound to Internet, will that break Azure PaaS Services and create a problem for their effective functioning?
Security team doesn't want any outbound Internet Traffic directly from Azure without being inspected by Azure Palo Alto NVA and On Prem Firewall.
Pallab Chakraborty