Is a VPN Gateway still required for ER Direct setup? Is the setup handled the same way as non-Direct ExpressRoute?
Hi,
When you move an intranet website from on-premises to the cloud, how will user authentication work?
Current user behaviour is:
1. Users log on to their PC.
2. Go to the intranet website without any authentication.
If you move the intranet to the cloud, can users still do the same as the above?
Is there a way to authenticate the users on Windows logon?
Thanks for your help.
For some of my applications in Azure they are authenticating to my Azure AD using user accounts and they are being caught by my conditional access policy which is enforcing MFA due to being off-prem.
I was wondering whether it would be best practice to assign the resource in Azure a public IP and then add that to the MFA trusted IPs, so that when the application attempts to authenticate from that IP it is not caught by the MFA policy.
I have a few questions:
1) Is the public IP address assigned to a resource consistent, i.e. can you confirm that the IP never changes and is solely allocated to that resource? Also that it is not behind a proxy which also serves other tenants?
2) Is this the best way around the problem, and the most secure?
3) Would app passwords be a better solution?
I'd appreciate any help, thank you!
Hello,
I'm looking for a way to add one security rule to multiple Network Security Groups using an ARM template. I tried to use the take() function, but the deployment fails. I would appreciate it if someone could take a look and advise on that. I've only been working with ARM templates for about a week and I still have a lot to learn.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "NSG-AppDMZ": { "defaultValue": "nsg-app-AppDmz-001", "type": "string" },
    "NSG-AppDMZLotus": { "defaultValue": "nsg-app-AppDmzLotus-001", "type": "string" },
    "numberOfProps": {
      "type": "int",
      "maxValue": 13,
      "defaultValue": 13,
      "metadata": { "description": "Number of properties to deploy" }
    }
  },
  "variables": {
    "name": "allow-cmk-icmp-in-999",
    "Properties": [
      {
        "description": "Test",
        "protocol": "ICMP",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "192.168.11.50",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 999,
        "direction": "Inbound",
        "sourcePortRanges": [],
        "destinationPortRanges": [],
        "sourceAddressPrefixes": [],
        "destinationAddressPrefixes": []
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-11-01",
      "name": "[parameters('NSG-AppDMZ')]/[variables('name')]",
      "location": "germanywestcentral",
      "properties": "[take(variables('Properties'),parameters('numberOfProps'))]"
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-11-01",
      "name": "[parameters('NSG-AppDMZLotus')]/[variables('name')]",
      "location": "germanywestcentral",
      "properties": "[take(variables('Properties'),parameters('numberOfProps'))]"
    }
  ]
}
One problem I have is with the name, when I'm trying to combine a name from the parameter and a name from the variable:
"name": "[parameters('NSG-AppDMZ')]/[variables('name')]",
At this point it fails at validation:
Deployment template language expression evaluation failed: 'Unable to parse language expression 'parameters('NSG-AppDMZ')]/[variables('name')': expected token 'EndOfData' and actual 'RightSquareBracket'.'. Please see https://aka.ms/arm-template-expressions for usage details. (Code: InvalidTemplate)
So I would appreciate it if someone could point me to the proper way of doing this.
But even when I write the name explicitly:
"name": "nsg-app-AppDmz-001/allow-cmk-icmp-in-999",
I get a failed deployment:
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": {
        "error": {
          "code": "InvalidRequestFormat",
          "message": "Cannot parse the request.",
          "details": [
            {
              "code": "InvalidJson",
              "message": "Cannot deserialize the current JSON array (e.g. [1,2,3]) into type 'Microsoft.WindowsAzure.Networking.Nrp.Frontend.Contract.Csm.Public.SecurityRuleProperties' because the type requires a JSON object (e.g. {\"name\":\"value\"}) to deserialize correctly. To fix this error either change the JSON to a JSON object (e.g. {\"name\":\"value\"}) or change the deserialized type to an array or a type that implements a collection interface (e.g. ICollection, IList) like List<T> that can be deserialized from a JSON array. JsonArrayAttribute can also be added to the type to force it to deserialize from a JSON array. Path 'properties', line 1, position 47."
            }
          ]
        }
      }
    },
    {
      "code": "BadRequest",
      "message": "(identical InvalidRequestFormat / InvalidJson error for the second securityRules resource)"
    }
  ]
}
Kind regards,
Wojciech
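The two failures in the post above are independent. The validation error comes from the name: an ARM expression must be a single `[...]` string, so the parameter and the variable have to be joined with `concat()` inside one expression. The deployment error says it directly: `securityRules` expects `properties` to be a JSON object, but `take()` on an array returns an array. The idiomatic way to put the same rule on several NSGs is a `copy` loop over an array of NSG names rather than one hand-written resource per NSG. The template below is an added example, not the poster's template; it assumes the NSGs named in the post already exist in the target resource group, and the `nsgNames`, `ruleName` and `sourceAddress` parameters are names chosen here. A `securityRules` child resource has no `location` property, so it is omitted.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nsgNames": {
      "type": "array",
      "defaultValue": [ "nsg-app-AppDmz-001", "nsg-app-AppDmzLotus-001" ],
      "metadata": { "description": "Existing NSGs in this resource group that receive the rule (assumed to exist)" }
    },
    "ruleName": {
      "type": "string",
      "defaultValue": "allow-cmk-icmp-in-999"
    },
    "sourceAddress": {
      "type": "string",
      "defaultValue": "192.168.11.50",
      "metadata": { "description": "Single host allowed to send ICMP; keep this a /32, not *" }
    },
    "rulePriority": {
      "type": "int",
      "defaultValue": 999,
      "minValue": 100,
      "maxValue": 4096
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-11-01",
      "name": "[concat(parameters('nsgNames')[copyIndex()], '/', parameters('ruleName'))]",
      "copy": {
        "name": "ruleCopy",
        "count": "[length(parameters('nsgNames'))]"
      },
      "properties": {
        "description": "Allow ICMP from the monitoring host only",
        "protocol": "Icmp",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "[parameters('sourceAddress')]",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": "[parameters('rulePriority')]",
        "direction": "Inbound"
      }
    }
  ]
}
```

Each iteration of the copy loop produces one `nsgName/ruleName` child resource, so adding a third NSG means adding its name to `nsgNames` and nothing else. Because the NSGs are not declared in this template there is no `dependsOn`; if you deploy the NSGs in the same template, add `dependsOn` on `resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgNames')[copyIndex()])` so the rule is not created before its parent. The empty `sourcePortRanges`/`sourceAddressPrefixes` arrays from the original are left out: a rule uses either the singular prefix/range properties or the plural ones, not both.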
Hi to All,
I'm going mad over this. I've created a point-to-site VPN gateway. I've created a root certificate, installed it, installed the client side on my Windows 10 machine, and it is all working. I can get an IP address from my 192.168.40.x subnet that I've configured in the internal LAN of the VPN Gateway. Perfect.
Now the issue. Virtual machines are on subnet 10.0.0.x; the VPN network is on 10.0.1.x. What do I have to change to be able to access a server on 10.0.0.x? I've looked at about 10 tutorials, and in none of them is there an explanation of how to link virtual machines, or a single virtual machine, to the VPN private subnet. It seems like a kind of magic: when you're connected to the VPN with the client, you can open an RDP connection to your server. BUT MY SERVER IS ON A DIFFERENT SUBNET\SEGMENT!
I've lost almost a day; surely I'm missing something.
I've now seen some tutorials that say it is not possible to assign virtual machines to different virtual networks; you have to delete them and recreate them, keeping the disks. I think it's a joke?
Need a shuffle.
Thank you.
Hi,
I'm using a Blueprint to deploy an NSG and I'd like to enable diagnostic settings on creation. Trouble is, it looks like the blueprint is expecting the diagnostic setting to exist, so it can append the log types instead of creating an entirely new diagnostic setting; at least, this is what the error thrown when the blueprint is assigned suggests:
No HTTP resource was found that matches the request URI 'https://uksouth.network.azure.com:30066/e7b2f0dc-f08d-48ee-9bd9-bef034130152/132271074871408129/subscriptions/<sub_id>/resourcegroups/blueprint-vnet/providers/Microsoft.Network/networksecuritygroups/NG-UKS-DEV-P-002/providers/microsoft.insights/diagnosticSetting/nsg-diagnostics?api-version=2019-12-01'.
Syntactically it looks correct, based on the documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings-template) but examples are a little light. Has anyone in the community been able to create the diagnostic settings at creation time using ARM, or is the consensus to do this post-deployment using powershell (or similar)?
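Diagnostic settings can be created in the same template as the NSG; the 404 in the post is worth reading carefully, because the request URI the blueprint sent names the resource type `microsoft.insights/diagnosticSetting` (singular) with `api-version=2019-12-01`, whereas the type is `Microsoft.Insights/diagnosticSettings` and it has its own API versions (for example `2017-05-01-preview`), independent of the networking API version used for the NSG. The template below is an added example, not the poster's blueprint artifact. It assumes a Log Analytics workspace already exists and is passed in as `workspaceResourceId`; the NSG name is taken from the error message, the setting name from the post, and the other parameter names are chosen here.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nsgName": { "type": "string", "defaultValue": "NG-UKS-DEV-P-002" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "diagnosticSettingName": { "type": "string", "defaultValue": "nsg-diagnostics" },
    "workspaceResourceId": {
      "type": "string",
      "metadata": { "description": "Resource ID of an existing Log Analytics workspace (assumed to exist)" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2019-11-01",
      "name": "[parameters('nsgName')]",
      "location": "[parameters('location')]",
      "properties": { "securityRules": [] }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[concat(parameters('nsgName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
      ],
      "properties": {
        "workspaceId": "[parameters('workspaceResourceId')]",
        "logs": [
          { "category": "NetworkSecurityGroupEvent", "enabled": true },
          { "category": "NetworkSecurityGroupRuleCounter", "enabled": true }
        ]
      }
    }
  ]
}
```

The `dependsOn` is what lets both resources be created in one deployment: without it the extension resource can be submitted before the NSG exists and fails with the same "no resource found" class of error. The three-segment name (`nsg/Microsoft.Insights/settingName`) matches the three-segment type (`networkSecurityGroups/providers/diagnosticSettings`), which is the rule ARM applies to every nested provider resource. `NetworkSecurityGroupEvent` and `NetworkSecurityGroupRuleCounter` are the two log categories an NSG exposes; if you also want flow logs, those are a separate Network Watcher resource, not a diagnostic setting.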
Hello Expert,
I'm designing a hub and spoke network architecture within Azure and I wanted to ask how I can incorporate private endpoint into architecture..
So I for instance if I have 3 subscriptions (hub, prod and dev) can I set up an private link architecture in the Hub that will be used by the prod and dev subscriptions?
Hi
I created and deleted an Integration Service Environment; at the point of creating it, it forced me to create 4 subnets, and now I'm unable to delete the subnets.
Here's the message:
When I click on the "used by" link I get:
Any idea how I can delete these subnets?
Many Thanks
I am trying to create a Virtual Machine, and as part of that, when I try to select a disk size, none of the disks are enabled, irrespective of the region I select. I tried all regions. I currently have a free subscription.
I am facing the same problem when I try to create a SQL database.
Any suggestions please?
Hello,
My NIC is not attached to any VM, but I cannot remove it. It is connected to a VNet and an NSG, but I also can't remove those associations.
I'm also unable to remove it via the PowerShell cmdlet.
Any idea how to solve it?
Hello,
I am having issues giving my developers the right to view networking and other pertinent information about the VM that they are working on. I have attempted to make a security group and have assigned it the Network Contributor role, which did not work.
I then proceeded to give them the full Owner role, which did nothing either. Any information on how to simply let them read information about their VMs would give me bliss. Thanks in advance for your assistance.
Hi,
Has anyone had issues removing an unallocated public IP in Azure? It seems to think it is still bound to a NIC even though the GUI and PowerShell say otherwise.
Error below; as you can see, it is not associated with any NIC, however I still cannot remove it.
Hello,
I had configured a P2S VPN last year using a self-signed certificate. It was working fine until yesterday, but started failing this morning.
It appears that the self-signed certificate expired and I can no longer access the cloud servers via P2S.
Can someone advise what's the best way to mitigate this with minimal disruption?
I want to keep the public and private keys (of the client certificate generated from it) the same, since I have shared it with the customer as well.
Please help.
Regards
Thahif
Peace be upon you,
I want to buy 1 GB of space in the Virtual machines area,
but I couldn't. There are large sizes such as 8 and 4 GB, but I don't want that capacity,
and there is a 1 GB size, but I can't click on it; I don't know why.
Thank you.
Hi,
Please help, I'm not able to RDP from my Mac to the VM I created. I have tried connecting via Parallels and Microsoft Remote Desktop 10 on both Mac and iPhone, but no luck.
I just receive the same error message: Error code: 0x204
From the networking side I have already enabled the ports on my VM and made the firewall adjustments on my Mac.
Please help!
Chris
Hi there,
I've been tasked with setting up a new environment in an existing Azure tenant that currently has its on-premises traffic routing to Azure using ExpressRoute (ER). The Azure Virtual Network Gateway (VGW) terminates the ER on-premises traffic at the Old-Hub1 VNet.
Task 1: create a new hub and spoke VNet topology and deploy Azure Firewall in the new hub, with all traffic from the spokes using the Azure Firewall as the next hop. I have done this successfully!
Task 2: route on-premises ExpressRoute (ER) traffic from the VGW so that its next hop is the Azure Firewall in the new hub VNet, in order to reach any of the new spoke VNets, and vice versa, to allow Azure Firewall traffic to route back on-premises via the VGW.
My thinking is that as long as the VGW subnet is associated with a UDR configured to force the ExpressRoute (on-premises) traffic to use the Azure Firewall in the hub VNet as the next hop to get to the new VNet environment, this would work, as the Azure Firewall will know how to get to these VNets?
And to get from a spoke (via the hub Azure Firewall) to on-premises, I would need to associate a UDR with the new Azure Firewall hub VNet to use the VGW as the next hop in order to get back on-premises.
Please assume that the peering between the Azure Firewall hub VNet and the VGW VNet is in place, that the VGW VNet has the gateway transit setting configured, that the Azure Firewall hub VNet has the "use remote gateways" setting configured, and that the UDR setting to allow gateway route propagation will be disabled.
My first question is around the concern that the VGW and firewall are in different VNets. Typically I am used to seeing these resources in the same VNet but in different subnets. My second concern is that the UDR will be configured NOT to advertise this route, so that will mean that the ExpressRoute routing table will not pick this up using BGP.
Any help on the 2 concerns above would be appreciated. Thank you.
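The three route tables the design above needs can be expressed in one template, and doing so makes the two constraints on the GatewaySubnet explicit: the route table on it must carry specific spoke prefixes (a 0.0.0.0/0 route on the GatewaySubnet is not supported), and virtual network gateway route propagation must stay enabled on it, because the gateway itself needs the BGP routes; the "disable propagation" setting belongs on the spoke subnets only. The template is an added example, not the poster's configuration; the firewall private IP, spoke and on-premises prefixes are placeholder values chosen here, and it assumes the firewall hub VNet is peered with the gateway VNet with gateway transit / use remote gateways as the post states.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "firewallPrivateIp": {
      "type": "string",
      "defaultValue": "10.100.0.4",
      "metadata": { "description": "Private IP of the Azure Firewall in the new hub (placeholder)" }
    },
    "spokePrefixes": {
      "type": "array",
      "defaultValue": [ "10.101.0.0/16", "10.102.0.0/16" ],
      "metadata": { "description": "Address spaces of the new spoke VNets (placeholders)" }
    },
    "onPremPrefixes": {
      "type": "array",
      "defaultValue": [ "192.168.0.0/16" ],
      "metadata": { "description": "On-premises prefixes reachable over ExpressRoute (placeholder)" }
    }
  },
  "variables": {
    "copy": [
      {
        "name": "gatewayRoutes",
        "count": "[length(parameters('spokePrefixes'))]",
        "input": {
          "name": "[concat('to-spoke-', copyIndex('gatewayRoutes'))]",
          "properties": {
            "addressPrefix": "[parameters('spokePrefixes')[copyIndex('gatewayRoutes')]]",
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": "[parameters('firewallPrivateIp')]"
          }
        }
      },
      {
        "name": "firewallRoutes",
        "count": "[length(parameters('onPremPrefixes'))]",
        "input": {
          "name": "[concat('to-onprem-', copyIndex('firewallRoutes'))]",
          "properties": {
            "addressPrefix": "[parameters('onPremPrefixes')[copyIndex('firewallRoutes')]]",
            "nextHopType": "VirtualNetworkGateway"
          }
        }
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2019-11-01",
      "name": "rt-gatewaysubnet",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": "[variables('gatewayRoutes')]"
      }
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2019-11-01",
      "name": "rt-azurefirewallsubnet",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": "[variables('firewallRoutes')]"
      }
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2019-11-01",
      "name": "rt-spoke",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": true,
        "routes": [
          {
            "name": "default-via-firewall",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[parameters('firewallPrivateIp')]"
            }
          }
        ]
      }
    }
  ]
}
```

Associate `rt-gatewaysubnet` with the GatewaySubnet in the Old-Hub1 VNet, `rt-azurefirewallsubnet` with AzureFirewallSubnet in the new hub, and `rt-spoke` with every spoke subnet. On the second concern: a UDR never enters BGP, so it does not need to be advertised; what on-premises must learn via ExpressRoute is the spoke prefixes, and the gateway only advertises the address space of its own VNet and of VNets peered to it that use it as their remote gateway. Check the effective routes on a spoke NIC and on-premises BGP table after deployment rather than assuming the return path exists; if the spokes are not visible on-premises, the return traffic has nowhere to go regardless of what the UDRs say.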
Hi there,
I currently have 2 hub and spoke setups (one for the production environment and one for the DR environment). Both hubs have Azure Firewalls in them, and all traffic from the Prod spokes routes via the Prod hub Azure Firewall, and vice versa for the DR environment, where the DR spokes route via the DR hub Azure Firewall. UDRs on the spoke environments are configured to use the Azure Firewall as the next hop.
In order to route from the Prod spokes to the DR spoke environment, I have currently set up the below:
A NEW UDR to route 0.0.0.0/0 to the internet, and a second route to route DR network traffic (from Prod) via the DR hub Azure Firewall subnet as the next hop, associated with the Prod hub firewall subnet.
And vice versa for the DR environment: a NEW UDR to route 0.0.0.0/0 to the internet, with a second route added to route from DR to Prod via the Prod Azure Firewall as the next hop, associated with the DR hub Azure Firewall subnet.
I now have to make sure that if any VMs in Azure need to reach the internet, they are forced to route to the internet via the on-premises firewalls. Currently in place is the client's older ExpressRoute circuit, which terminates at their existing Azure Virtual Network Gateway on a different VNet. I am not sure if it would be a simple case of editing the existing spoke UDR route for 0.0.0.0/0 (next hop firewall) and changing it so the next hop is the Virtual Network Gateway?
Any help on this would be fantastic. Thank you.