Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Front Door geo filtering - allow North America

The Front Door tutorial for geo-filtering (https://docs.microsoft.com/en-us/azure/frontdoor/front-door-tutorial-geo-filtering) shows how to block traffic from everywhere except the US. Is it possible to set up a Front Door rule that would block traffic from outside North America (US, Canada, and Mexico), or would that require multiple rules? If I'm reading things correctly, I think this would take 4 rules: 3 to allow US, CA, and MX plus a 4th lower-priority rule to block everything else.
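As an added illustration (not part of the original post), the Python below simulates how priority-ordered geo rules are evaluated: first match in priority order decides, and a request that matches nothing falls through to the policy default, which is Allow. The rule shape (country list, negate flag, priority, action) is a simplified model of a Front Door WAF custom rule with a GeoMatch condition, not the service's API. It places the four-rule layout sketched above next to a single rule that negates the match over all three country codes, and checks that both produce the same decisions for a set of sample countries.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class GeoRule:
    """Simplified model of one WAF custom rule carrying a GeoMatch condition."""
    name: str
    priority: int          # lower values are evaluated first
    countries: List[str]   # ISO 3166-1 alpha-2 codes in the match list
    action: str            # "Allow" or "Block"
    negate: bool = False   # True: the rule matches when the country is NOT in the list


def rule_matches(rule: GeoRule, country: str) -> bool:
    in_list = country.upper() in rule.countries
    return (not in_list) if rule.negate else in_list


def evaluate(rules: List[GeoRule], country: str, default: str = "Allow") -> Tuple[str, str]:
    """First matching rule in priority order decides; no match falls through to the default action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, country):
            return rule.action, rule.name
    return default, "default"


# Layout 1: the four rules described in the post. The last rule uses an empty list with
# negate=True, which matches every country, as the lowest-priority "block everything else".
FOUR_RULES = [
    GeoRule("AllowUS", 1, ["US"], "Allow"),
    GeoRule("AllowCA", 2, ["CA"], "Allow"),
    GeoRule("AllowMX", 3, ["MX"], "Allow"),
    GeoRule("BlockEverythingElse", 4, [], "Block", negate=True),
]

# Layout 2: one rule that blocks whenever the country is outside the North America list.
ONE_RULE = [GeoRule("BlockOutsideNorthAmerica", 1, ["US", "CA", "MX"], "Block", negate=True)]

SAMPLE_COUNTRIES = ["US", "CA", "MX", "DE", "BR", "CN"]  # constructed sample input


def same_decisions(a: List[GeoRule], b: List[GeoRule], countries=SAMPLE_COUNTRIES) -> bool:
    """True when both rule sets yield the same Allow/Block outcome for every sample country."""
    return all(evaluate(a, c)[0] == evaluate(b, c)[0] for c in countries)


if __name__ == "__main__":
    for c in SAMPLE_COUNTRIES:
        print(c, "four rules:", evaluate(FOUR_RULES, c), "one rule:", evaluate(ONE_RULE, c))
    print("same decisions:", same_decisions(FOUR_RULES, ONE_RULE))
```

Two things the simulation makes visible: without the catch-all block rule the three allow rules change nothing, because the default action is already Allow, and in either layout the blocking only takes effect when the WAF policy runs in Prevention mode (Detection mode logs matches without blocking).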

Azure P2S connecting to remote VNET over Global Peering

Hi

I have a scenario whereby I have two VNets in two different regions with global VNet peering enabled and functioning correctly, as I can ping from a VM in vnet01 to a VM in vnet02.

Both VNets contain a VPN Gateway, so I can't use "Allow gateway transit".

If I connect to the VPN gateway in vnet01 via a P2S VPN I can ping vnet01 VMs but not VMs in vnet02.

If I connect to the VPN gateway in vnet02 via a P2S VPN I can ping vnet02 VMs but not VMs in vnet01.

How do I allow P2S connections to connect to their home VNet and then route to remote peered VNets?

I have looked at the doc below, but it doesn't match my scenario, as I have a GW deployed in both VNets, and I need this because I have to have P2S and S2S VPNs in both VNETs 01 and 02.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

Thanks in advance



Spudney

Exchange Online EOP DLP not working with Hybrid


I have centralized mail flow selected in the Hybrid configuration. I have found that my DLP and Exchange transport rules are not working or are getting skipped for outbound email. Can you please help me with a KB article or document which explains why DLP and ETRs are not working after configuring centralized mail flow in the Hybrid Configuration.

Wireshark-Like Packet Capture on Incoming Traffic to Azure Function


We have an Azure Function that is consumed by external third parties. One consumer is experiencing what we believe to be issues related to TLS 1.2 and supported ciphers. If we drop the Azure Function "Minimum TLS Version" to 1.0, the communication is successful.

When TLS 1.2 is set on the Azure Function, Wireshark captures on the consumer side show that requests using TLS 1.2 are being rejected.

Is there a way to capture packets, Wireshark-style, coming into an Azure Function so we can inspect why a TLS 1.2 request is being rejected when TLS 1.2 is set as the "Minimum TLS Version" on the Azure Function?

Any guidance is much appreciated!
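An added example, not from the original post: the check a capture on the consumer side lets you make is to decode the ClientHello and compare what the client offered against what the server requires, which separates "the client never offered TLS 1.2" from "the client offered TLS 1.2 but no cipher suite the server accepts". The parser below reads the record and handshake headers, the cipher suite list and the supported_versions extension. The ClientHello bytes are constructed in the script by a small builder rather than captured from traffic, and the server's minimum version and accepted cipher set in `diagnose` are assumptions chosen for the demonstration.

```python
import struct
from typing import Dict, List, Optional

# Names for the cipher suite and version IDs used in the constructed samples.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(legacy_version: int, ciphers: List[int],
                       supported_versions: Optional[List[int]] = None) -> bytes:
    """Construct a minimal ClientHello record (test input only, not captured traffic)."""
    body = struct.pack(">H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                                # one compression method: null
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_body = bytes([len(vers)]) + vers
        exts += struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Dict[str, List[int]]:
    """Extract the versions and cipher suites a client offered from a raw ClientHello record."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                   # 5-byte record header + 4-byte handshake header
    legacy_version = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2 + 32                                             # skip legacy version and 32-byte random
    pos += 1 + data[pos]                                      # session id
    cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                                      # compression methods
    supported: List[int] = []
    if pos + 2 <= len(data):
        ext_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                n = data[pos]
                supported = [struct.unpack(">H", data[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += elen
    # Without the extension (pre-TLS1.3 clients) the legacy field is the highest version offered.
    return {"legacy_version": legacy_version, "ciphers": ciphers,
            "supported_versions": supported or [legacy_version]}


def diagnose(hello: Dict[str, List[int]], server_min: int = 0x0303,
             server_ciphers=frozenset({0xC02F, 0xC030})) -> str:
    """Explain why a server with the assumed policy would reject this ClientHello, or report 'ok'."""
    offered = hello["supported_versions"]
    if max(offered) < server_min:
        names = [VERSION_NAMES.get(v, hex(v)) for v in offered]
        return f"client offers only {names}, below server minimum {VERSION_NAMES[server_min]}"
    common = [c for c in hello["ciphers"] if c in server_ciphers]
    if not common:
        return "no cipher suite in common with the server"
    return "ok: " + CIPHER_NAMES.get(common[0], hex(common[0]))


if __name__ == "__main__":
    for label, hello in [
        ("TLS1.0-only client", build_client_hello(0x0301, [0x002F, 0x0035])),
        ("TLS1.2 client, legacy ciphers only", build_client_hello(0x0303, [0x002F])),
        ("modern client", build_client_hello(0x0303, [0xC02F, 0x002F], [0x0304, 0x0303])),
    ]:
        print(label, "->", diagnose(parse_client_hello(hello)))
```

On a real capture, the same decode applied to the Server Hello (or the alert that replaces it) tells you which of the two conditions the server tripped on; the version check alone is not enough, because a client can advertise TLS 1.2 and still offer only cipher suites the server has retired.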

Multiple Address Spaces in a VNET

I've been playing around with a learning environment in Azure. I'm trying to understand why or for what reason you would have multiple address spaces in a VNET. I understand it can help with scaling but I absolutely cannot find any documentation other than how to add another address space. Does this not defeat the purpose of a subnet? With a physical network you would subnet accordingly. If you are able to just add another CIDR address space to your VNET, why would you need to subnet? I also do understand Azure will automatically route subnets in different address spaces in the VNET, but I guess I'm just trying to understand the whole purpose of actually doing so. I'm sure I'm overthinking way too much, but if anyone has a basic explanation or documentation I cannot find, I would appreciate the assistance! 

MAC Address Changes for Virtual Server During a Failover with Clustering


Hello guys,

I need your help here...

The environment is MS 2019 Datacenter. All VMs are on Azure, including the network configuration.

I have a 2-node cluster with Node A and Node B. Each of the 2 nodes has 2 network interfaces: one for the production (LAN) network and one for the cluster communication (heartbeat) network.

Production network is: 192.168.0.0/24

Node A have IP: 192.168.0.7

Node B have IP: 192.168.0.8

HB network is: 192.168.1.0/24

Node A: 192.168.1.100

Node B: 192.168.1.101

The problem is that when node A holds the roles and resources (for example the File role) you can ping the File role and cluster virtual name IPs without problem, but there is no ping from the passive node to the File Server role or cluster name IPs: "Destination host unreachable". If I do a failover to node B, then you can't ping the cluster name or role from node A. Ping to the cluster virtual name or any of the roles is possible only from the active node. It's not working from the passive node or from a different server in the same production subnet 192.168.0.0/24.

Failover is working. DNS successfully resolves the names when I ping the cluster role and cluster name.

I searched and found that the issue may be related to MAC address changes for a virtual server during a failover with clustering.

But I don't know how to enable these gratuitous ARP requests on the Azure network. Do you have any idea how to achieve this?

I would like to share also: arp -a

Node A:

Interface: 169.254.2.241 --- 0x3
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static

Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.101         12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.0.7 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           12-34-56-78-9a-bc     dynamic
  192.168.0.4           12-34-56-78-9a-bc     dynamic
  192.168.0.5           12-34-56-78-9a-bc     dynamic
  192.168.0.6           12-34-56-78-9a-bc     dynamic
  192.168.0.8           12-34-56-78-9a-bc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Node B 

Interface: 192.168.0.8 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           12-34-56-78-9a-bc     dynamic
  192.168.0.4           12-34-56-78-9a-bc     dynamic
  192.168.0.5           12-34-56-78-9a-bc     dynamic
  192.168.0.6           12-34-56-78-9a-bc     dynamic
  192.168.0.7           12-34-56-78-9a-bc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 169.254.1.63 --- 0x5
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static

Interface: 192.168.1.101 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.100         12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

I see that all network interfaces use one and the same MAC address. Is this the root cause of the issue?

Thank you. 
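An added example, not part of the post above: a small parser for `arp -a` output that reports, per interface, how many dynamic neighbours there are and how many distinct MAC addresses they resolve to. Several hosts all resolving to one MAC is the signature of the platform answering ARP on the hosts' behalf; on Azure the virtual network answers every ARP on a subnet with the same synthetic MAC (12-34-56-78-9a-bc, exactly as in the tables above), so a gratuitous ARP sent by the newly active node has no effect, and moving a cluster or role IP between nodes has to be done at the platform level, which Microsoft's clustering guidance for Azure does with an Azure Load Balancer frontend for that IP. The sample input is Node A's table copied from the post, not a fresh capture.

```python
import re
from typing import Dict, List, Tuple

# Node A's "arp -a" output as posted above (copied from the post, trimmed to the relevant entries).
ARP_OUTPUT = """\
Interface: 169.254.2.241 --- 0x3
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.101         12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static

Interface: 192.168.0.7 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           12-34-56-78-9a-bc     dynamic
  192.168.0.4           12-34-56-78-9a-bc     dynamic
  192.168.0.5           12-34-56-78-9a-bc     dynamic
  192.168.0.6           12-34-56-78-9a-bc     dynamic
  192.168.0.8           12-34-56-78-9a-bc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---")
ENTRY_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$")


def parse_arp(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each local interface address to its (neighbour ip, mac, entry type) rows."""
    table: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            table[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            table[current].append((m.group(1), m.group(2).lower(), m.group(3)))
    return table


def shared_mac_report(table: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, dict]:
    """Per interface: dynamic neighbour count, distinct MAC count, and the shared MAC if
    two or more neighbours resolve to a single address (the sign that hosts are not the ones
    answering ARP)."""
    report = {}
    for iface, entries in table.items():
        macs = [mac for _, mac, kind in entries if kind == "dynamic"]
        distinct = len(set(macs))
        report[iface] = {
            "dynamic_hosts": len(macs),
            "distinct_macs": distinct,
            "shared_mac": macs[0] if len(macs) > 1 and distinct == 1 else None,
        }
    return report


if __name__ == "__main__":
    for iface, info in shared_mac_report(parse_arp(ARP_OUTPUT)).items():
        print(iface, info)
```

Run against a real table, a non-empty `shared_mac` on the production interface tells you that a gratuitous-ARP fix cannot work there, before any time is spent on guest-side ARP settings.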




Azure point-to-site VPN assign static IP


I'm connecting a single server at Site 1 with my Azure virtual network (10.1.0.0/24) via a Point-To-Site VPN connection (192.168.11.0/30).

The problem is that each time the connection drops and is re-dialed, the client's IP changes. I need to connect to the single server from a server on my Azure network with the same IP.

Any ideas?

Thanks


Network Security Group: How to restrict access to Web Service from internet


Can anyone please help here? I want to implement a very simple way to restrict (deny) access from the Internet to a web service (because it is the backend, and I want to access it from the front-end site). For this I want to use a Network Security Group / Web Site Access Restrictions.

Here is what I did:

1) I created a vnet (say vnet-1) with 2 subnets (subnet-frontend, subnet-backend).

2) I put the backend Web Service app (which is docker/ubuntu based) in subnet-backend and the front-end Web Service (same docker/ubuntu) into subnet-frontend.

3) I added restrictions for the backend service (portal Networking > Access Restrictions) to only accept requests from vnet-1/subnet-frontend.

The result is that if I go to the backend site, I get a 403. This is good.

4) Now, I added an NSG with high-priority records to deny inbound requests from Internet and from AzureLoadBalancer and associated it with vnet-1/subnet-backend.

5) Now, I went to the backend Web Service (again portal Networking > Access Restrictions) and accepted requests from my internet IP address.

Result: I can access the backend site, i.e. the NSG rules are ignored.

My questions here are:

a) Why is the NSG (the way I set it up) not limiting access to my backend site from my internet IP address?

b) Can I suppress this 403 Access Denied using vnet/subnet/NSG? I want it to be as if this site does not exist at all for internet users.

Thank you very much in advance,


Are there any Azure Expressroute Providers for Caribbean Region? (Jamaica and Trinidad & Tobago)

Are there any Azure Expressroute Providers for Caribbean Region? (Jamaica and Trinidad & Tobago)

Problems with MFA and VPN authentication


    I cannot make the MFA exception for NPS work. I have spent several days on this and just can't make it work.

    I followed this instruction:
          https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

    When the client tries to login to the VPN the message is:
        The remote connection was denied because
        the user name and password combination
        you provided is not recognized, or the
        selected authentication protocol is not
        permitted on the remote access server.

    The client is set up to use EAP and EAP-MSCHAP-v2, and so is the NPS.

    We have proper license in O365 to use MFA

    On the RRAS server A the following events can be seen:
        CoId={7781E639-E300-4428-837D-3F22C4601F2A}: The user <first>.<last> has connected and failed to
        authenticate on port VPN1-127. The line has been disconnected.

    On the NPS server B the following events can be seen:
        Information    2020-04-05 17:19:53    AuthZ    1    None:
            NPS Extension for Azure MFA:
            CID: ffa7cd35-bc83-48fa-b5c0-0ca4294dceda :Challenge requested in Authentication Ext for User <user> with
            state 310c9d9d-8967-4897-bef3-84d129333cb4

        Information    2020-04-05 17:19:52    AuthZ    1    None:
            NPS Extension for Azure MFA:
            NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in
            AccessAccept State. Request received for User ettadmin with response state AccessChallenge, ignoring request.

    Installations:
    On server B:
    I've installed NPS and also installed the MFA NPS extension successfully there.
    Created the RADIUS-client and secret.

    Output from "netsh nps show  config":
        Client configuration:
        ---------------------------------------------------------
        Name                = isis
        Address             = isis
        State               = Enabled
        Shared secret       = <hidden>
        Require auth attrib = No
        Vendor              = RADIUS Standard

        Connection request policy configuration:
        ---------------------------------------------------------
        Name             = Use Windows authentication for all users
        State            = Enabled
        Processing order = 999999
        Policy source    = 0

        Condition attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Condition0                              0x1006     "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

        Profile attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Auth-Provider-Type                      0x1025      "0x1"

        Connection request policy configuration:
        ---------------------------------------------------------
        Name             = Virtual Private Network (VPN) Connections
        State            = Enabled
        Processing order = 1
        Policy source    = 2

        Condition attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Condition0                              0x3d       "^5$"

        Profile attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Auth-Provider-Type                      0x1025      "0x1"

        Event log configuration:
        ---------------------------------------------------------
        Accepted authentication requests = Enabled
        Rejected authentication requests = Enabled

        File log configuration:
        ---------------------------------------------------------
        Accounting                     = Enabled
        Authentication                 = Enabled
        Periodic accounting status     = Enabled
        Periodic authentication status = Enabled
        Directory                      = C:\Windows\system32\LogFiles
        Format                         = ODBC formatting
        Delete old logs                = Enabled
        Frequency                      = Monthly logs
        Max size                       = 10 MB

        Ports configuration:
        ---------------------------------------------------------
        Accounting ports     = 1813,1646
        Authentication ports = 1812,1645

        Network policy configuration:
        ---------------------------------------------------------
        Name             = Connections to other access servers
        State            = Enabled
        Processing order = 999999
        Policy source    = 0

        Condition attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Condition0                              0x1006     "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

        Profile attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        NP-Allow-Dial-in                        0x100f "FALSE"
        NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
        Framed-Protocol                         0x7         "0x1"
        Service-Type                            0x6        "0x2"

        Network policy configuration:
        ---------------------------------------------------------
        Name             = Connections to Microsoft Routing and Remote Access server
        State            = Enabled
        Processing order = 999998
        Policy source    = 0

        Condition attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Condition0                              0x1033 "^311$"

        Profile attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        NP-Allow-Dial-in                        0x100f "FALSE"
        NP-Allowed-EAP-Type                     0x100a "1A000000000000000000000000000000" "0D000000000000000000000000000000"
        NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3""0x9"
        Framed-Protocol                         0x7         "0x1"
        Service-Type                            0x6        "0x2"
        MS-Filter                               0x102f

===============================================================
                IPFILTER_IPV4INFILTER   Action: DENY
---------------------------------------------------------------
                Address . . . . . : 0.0.0.0
                Mask. . . . . . . : 0.0.0.0
                Protocol. . . . . : 0
                Source Port . . . : 0
                Destination Port. : 0
---------------------------------------------------------------

        MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
        MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

        Network policy configuration:
        ---------------------------------------------------------
        Name             = Virtual Private Network (VPN) Connections
        State            = Enabled
        Processing order = 1
        Policy source    = 2

        Condition attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Condition0                              0x3d       "^5$"
        Condition1                              0x1023 "S-1-5-21-2711177585-3751323331-2606168925-1190"

        Profile attributes:

        Name                                    Id          Value
        ---------------------------------------------------------
        Ignore-User-Dialin-Properties           0x1005      "TRUE"
        NP-Allow-Dial-in                        0x100f      "TRUE"
        NP-Allowed-EAP-Type                     0x100a "1A000000000000000000000000000000"
        NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa"
        Framed-Protocol                         0x7         "0x1"
        Service-Type                            0x6        "0x2"
        MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
        MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"
        MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
        MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

        Server registration:
        ---------------------------------------------------------
        Status = Registered

        SQL log configuration:
        ---------------------------------------------------------
        Connection                     =
        Description                    =
        Accounting                     = Enabled
        Authentication                 = Enabled
        Periodic accounting status     = Enabled
        Periodic authentication status = Enabled
        Max sessions                   = 20

    On Server A:
    Added RRAS role
    netsh ras show authtype:

        Enabled Authentication Types:

        Code          Meaning
        ------------------------------------------
        MSCHAPv2      Microsoft Challenge-Handshake Authentication Protocol version 2.
        EAP           Extensible Authentication Protocol.
    Added RADIUS, set to B and with the same secret. Timeout set to 30 same

Any ideas of what can be wrong or how to debug this?

Regards, Lars
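An added example, not from the post: a small parser for the NPS Extension entries quoted above that pulls out the requests the extension ignored. The extension's own log line states the constraint: secondary authentication is only performed on requests that are in AccessAccept state, so an exchange that is still at AccessChallenge (as a challenge-based method like EAP produces) never reaches the MFA step at all. Separating "MFA never ran" from "MFA ran and the user failed it" is the first thing to establish before changing authentication methods on either server. The two lines are copied from the post into the script and joined onto single lines; the regular expressions are mine.

```python
import re
from typing import Dict, List

# The two NPS Extension entries quoted in the post, each joined onto one line (copied, not captured).
NPS_LOG = """\
Information    2020-04-05 17:19:53    AuthZ    1    None: NPS Extension for Azure MFA: CID: ffa7cd35-bc83-48fa-b5c0-0ca4294dceda :Challenge requested in Authentication Ext for User <user> with state 310c9d9d-8967-4897-bef3-84d129333cb4
Information    2020-04-05 17:19:52    AuthZ    1    None: NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User ettadmin with response state AccessChallenge, ignoring request.
"""

ENTRY_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\d+\s+\S+:\s*(?P<msg>.*)$")
IGNORED_RE = re.compile(
    r"Request received for User (?P<user>\S+) with response state (?P<state>\w+), ignoring request")
CHALLENGE_RE = re.compile(
    r"CID: (?P<cid>[0-9a-f-]{36}) :Challenge requested .* for User (?P<user>\S+) with state (?P<state>[0-9a-f-]{36})")


def parse_nps_log(text: str) -> List[Dict[str, str]]:
    """Classify each extension entry as an MFA challenge, a skipped request, or other."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m["ts"], "kind": "other", "msg": m["msg"]}
        ignored = IGNORED_RE.search(m["msg"])
        challenge = CHALLENGE_RE.search(m["msg"])
        if ignored:
            # The extension refused to run secondary auth: the RADIUS response was not AccessAccept.
            ev.update(kind="mfa_skipped", user=ignored["user"], radius_state=ignored["state"])
        elif challenge:
            ev.update(kind="challenge", user=challenge["user"], cid=challenge["cid"],
                      state=challenge["state"])
        events.append(ev)
    return events


def skipped_secondary_auth(events: List[Dict[str, str]]) -> List[str]:
    """Users whose request never reached AccessAccept, so MFA was not applied to them."""
    return sorted({e["user"] for e in events
                   if e["kind"] == "mfa_skipped" and e["radius_state"] != "AccessAccept"})


if __name__ == "__main__":
    parsed = parse_nps_log(NPS_LOG)
    for e in parsed:
        print(e["ts"], e["kind"], e.get("user", ""), e.get("radius_state", e.get("state", "")))
    print("MFA skipped for:", skipped_secondary_auth(parsed))
```

Fed the full AuthZ log instead of two lines, the same script doubles as a detection: any `mfa_skipped` user who nonetheless shows up as connected on the RRAS side has authenticated with the first factor only.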

Undeletable DenyAllInbound/DenyAllOutbound Rule has appeared on all new NSG's for my VM


Hi,

I provisioned a new Virtual Machine on my Azure Trial account about a week ago, which worked fine over RDP. 

Then 48 hrs later a "DenyAllInbound" and "DenyAllOutbound" rule mysteriously appeared on the VM firewall. Now if I delete and replace the Network Security Group, the new NSG has the same undeletable rule.

I now have a VNet in place, with point-to-site connectivity from my local PC via the Azure Windows VPN client, but still no access to my VM.

Any ideas how I can remedy this?

Thanks
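An added example that serves both this post and the earlier "Network Security Group: How to restrict access to Web Service from internet" post; it is not code from either poster. It simulates NSG inbound evaluation: rules are tried in ascending priority number and the first match wins, and every NSG carries three platform default inbound rules at priority 65000 and above (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) that cannot be deleted, only overridden by a custom rule with a lower number. That is the "undeletable" DenyAllInbound above: it was there from creation, and RDP to the VM needs an explicit allow for 3389 with a priority below 65500, ideally from a narrow source range rather than "any". For the earlier post, note that NSGs are evaluated for traffic reaching NICs or subnets that host VM-based resources; a multi-tenant App Service is not a NIC in subnet-backend, so its inbound filtering is the Access Restrictions feature that did take effect there. The VNet address space and the service-tag matching below are simplified assumptions; 168.63.129.16 is the real Azure Load Balancer health-probe source.

```python
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")          # assumed address space of vnet-1
LB_PROBE = ipaddress.ip_address("168.63.129.16")    # Azure Load Balancer health-probe source address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100..4096 for custom rules; platform defaults use 65000 and above
    access: str     # "Allow" or "Deny"
    source: str     # CIDR or a service tag: "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    port: str       # "*" or a single destination port


# The three default inbound rules every NSG carries. They cannot be deleted; a custom rule with a
# lower priority number is the only way to take precedence over them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def source_matches(selector: str, src: str) -> bool:
    """Simplified service-tag and CIDR matching for the source address."""
    ip = ipaddress.ip_address(src)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "AzureLoadBalancer":
        return ip == LB_PROBE
    if selector == "Internet":                   # simplified: anything outside the VNet, except the probe
        return ip not in VNET and ip != LB_PROBE
    return ip in ipaddress.ip_network(selector, strict=False)


def evaluate_inbound(custom: List[Rule], src: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) for the first rule matching the flow in priority order."""
    for rule in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src) and rule.port in ("*", str(port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


def is_platform_default(rule: Rule) -> bool:
    return rule.priority >= 65000


# The custom rules described in step 4 of the earlier post: deny Internet and the load balancer.
POSTED_RULES = [
    Rule("DenyInternetInBound", 100, "Deny", "Internet", "*"),
    Rule("DenyAzureLBInBound", 110, "Deny", "AzureLoadBalancer", "*"),
]

# What the VM post needs: an allow for RDP from one admin address, placed before the defaults.
RDP_FROM_ADMIN = [Rule("AllowRdpFromAdmin", 300, "Allow", "203.0.113.50/32", "3389")]

if __name__ == "__main__":
    for src in ("203.0.113.10", "203.0.113.50", "10.0.1.5", "168.63.129.16"):
        print(src, "defaults only:", evaluate_inbound([], src, 3389),
              "| posted rules:", evaluate_inbound(POSTED_RULES, src, 443),
              "| rdp rule:", evaluate_inbound(RDP_FROM_ADMIN, src, 3389))
```

The simulation shows why a fresh NSG already blocks RDP from the Internet (DenyAllInBound at 65500 is the first match for any public source) and why traffic from inside the VNet still passes (AllowVnetInBound at 65000 comes before it).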

VPN connection status was "Not connected"


We created a S2S VPN connection, tested it, and it was working fine. But now it says not connected.

We set this up on Friday 03-04-2020 and it was working around 08:00 PM IST; this morning, 06-04-2020, it was not working at 02:20 PM IST and started working again at 03:00 PM IST.

And again on 06-04-2020 at 09:00 PM IST it is not working.

And I can see there is a Resource Health issue, like below.

"The connection cannot establish due to security policy (IPsec/IKE) policy mismatch. If the IPSec/IKE policy is not properly set, the VPN connection cannot establish."

But my question is: if this is the case, it shouldn't connect in the first place, so why is this issue intermittent?

Can someone please take a look at this?

My Subscription ID is  : 010e7cd6-0afc-4603-ab57-73a406b3fb4c

Thanks well in advance



ExpressRoute - Can diagnostic logs be streamed to an Event Hub?


The documentation seems unclear to me so far, and I'm not in a position to deploy a test circuit currently.

I'm wondering if the following logs can be streamed to an Event Hub:

ExpressRoute Circuit

* PeeringRouteLog

* Availability


Azure Firewall DNAT


Hi,

I have a firewall instance, and I have configured DNAT to NAT incoming port 80 to an internal webserver.

When checking the logs on the webserver I can't see the real client IP; I see that the source IP is a random IP from the Azure Firewall subnet.

My understanding is that DNAT should not change the source IP. Am I wrong?

Designing Azure Environment


Greetings,


We are looking at having part, not all, of our infrastructure on the cloud (Azure).

We have a site that hosts applications and data, and we are looking at having virtual machines for everyone to remote-access from anywhere.

On the virtual machine, users should be able to access our on-premises data and infrastructure through a VPN tunnel.

Users should also be able to access the internet through this virtual machine, with some URL filtering policies applied to their internet access.

What tools should we be purchasing, and how much would that cost for around 200 users on medium-spec VMs?


VM, not able to RDP from Mac. Error code: 0x204


Hi, 

Please help, I'm not able to RDP from my Mac to the VM I created. I have tried connecting via Parallels and Microsoft Remote Desktop 10 on both Mac and iPhone, but no luck.

I just receive the same error message: Error code: 0x204.

From networking I have already enabled ports on my VM and made the firewall adjustments on my Mac.

Please help!

Chris

The connection of the virtual machine located in the virtual network V1 with the virtual network V2 from where the tunnel to the local network is built


Hello guys!

------------------

I have a virtual machine with the network interface test626 (10.0.0.0/24).

The interface test626 belongs to Web-net, a virtual network (10.0.0.0/24).

------------------

I have a site-to-site VPN tunnel with:

The AzureVirtualtoPetmol virtual network (10.1.0.0/16) and subnets (10.1.0.0/24 and the gateway subnet 10.1.255.0/27).

This virtual network is connected to the virtual network gateway VNet1GW and has the connection toPetmol.

The connection toPetmol has: a virtual network gateway and a local network gateway.

I have a problem establishing the connection from the VM (10.0.0.4) to the virtual network AzureVirtualtoPetmol and the local network. When I ping 10.1.0.0 I don't get any packets.


Socket Programming

I just created an Ubuntu VM and then tried to run a server.py script. When I try to connect to server.py from a client.py located on another computer, it's not working: server.py doesn't get the data sent through client.py.
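Not part of the original post, but an added example of the pattern the question describes: a TCP server that binds on all interfaces, so a client on another machine can reach it. A server bound to 127.0.0.1 only accepts connections from the VM itself, which is the most common reason a server script "never gets the data" from a remote client; the other is that the VM's NSG does not allow the port inbound. The script runs server and client in one process over loopback so it can be tried anywhere, with the port chosen by the OS; the payloads are constructed sample input.

```python
import socket
import threading
from typing import List, Tuple


def start_server(bind_host: str) -> Tuple[socket.socket, int]:
    """Bind a listening socket. "0.0.0.0" accepts connections arriving on any interface;
    "127.0.0.1" accepts only connections originating on this host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))   # port 0: the OS assigns a free port; a real server uses a fixed port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def serve_one(srv: socket.socket, received: List[Tuple[str, bytes]]) -> None:
    """Accept one client, record what it sent and who sent it, echo it back, then close."""
    conn, peer = srv.accept()
    with conn:
        data = conn.recv(4096)
        received.append((peer[0], data))
        conn.sendall(data)
    srv.close()


def exchange(bind_host: str, payload: bytes) -> Tuple[bytes, bytes]:
    """Run server and client in-process over loopback.
    Returns (bytes the server received, bytes the client got back)."""
    srv, port = start_server(bind_host)
    received: List[Tuple[str, bytes]] = []
    worker = threading.Thread(target=serve_one, args=(srv, received), daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(payload)
        reply = client.recv(4096)
    worker.join(5)
    return received[0][1], reply


if __name__ == "__main__":
    # On a VM, bind with "0.0.0.0" (and open the port in the NSG for the client's address only)
    # so that a client.py on another machine can connect; "127.0.0.1" would reject it.
    print(exchange("0.0.0.0", b"hello from client.py"))
```

Binding on 0.0.0.0 is what makes the service reachable, which is also why the NSG rule for the port should name the client's source address rather than any source; a test server left listening to the whole Internet is a common way to expose a VM by accident.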

Vnet Peering Oneway.


Hello Team

Do Azure VNets support one-way peering? Let us say there are two VNets, A and B. I want communication only from A to B, not the other way. I tried disabling "Allow virtual network access from B to A", but it blocks two-way communication.

Thank you 

Vijay


vemula

Azure Front Door custom host https


Hi,

I have a few dotnet core web applications running outside of Azure (at another service provider) in docker containers. My question is: is it possible to add a custom domain mapping to those containers with https support in Azure Front Door Service? I've been trying to do this for a few days now without any success. I mapped the domain to Front Door; the http connection is working, but when I try https I get this error: "Our services aren't available right now". It does not reach my host at all. I tried with an Azure-managed SSL certificate and with my own certificate too.

Thank you for your help!

Best Regards,

Gery

Startup.cs

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseWebAssemblyDebugging();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseBlazorFrameworkFiles();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
        endpoints.MapFallbackToFile("index.html");
    });
}

Dockerfile

FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base

WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
WORKDIR /src
COPY ["FrontDoorTest3/Server/FrontDoorTest3.Server.csproj", "FrontDoorTest3/Server/"]
COPY ["FrontDoorTest3/Shared/FrontDoorTest3.Shared.csproj", "FrontDoorTest3/Shared/"]
COPY ["FrontDoorTest3/Client/FrontDoorTest3.Client.csproj", "FrontDoorTest3/Client/"]
RUN dotnet restore "FrontDoorTest3/Server/FrontDoorTest3.Server.csproj"
COPY . .
WORKDIR "/src/FrontDoorTest3/Server"
RUN dotnet build "FrontDoorTest3.Server.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "FrontDoorTest3.Server.csproj" -c Release -o /app/publish

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "FrontDoorTest3.Server.dll"]

docker-compose.yml

version: "3"
services:
    web:
        image: <azure-container-registry>/frontdoortest3server:latest
        ports:
            - "8500:80"
        environment:
            - ASPNETCORE_ENVIRONMENT=Production
            - ASPNETCORE_URLS=http://+:80

I also tried with an nginx proxy routing the traffic to the web app container; only http worked.

