But I can't click on it, I can just buy 4GB.
I send you a pic:
http://prntscr.com/rxdkka
Please check.
Hello guys.
So I am trying to apply some custom firewall rules for the application gateway. My goal is to allow only a set of IPs to a given path (maybe there is a better way to do this; if so, please feel free to suggest).
I created the Application Gateway, and everything works fine. Now I tried to create a WAF policy and associate the AppGW to it. I followed the Microsoft guide called "Associate a WAF policy with an existing Application Gateway" but no matter what it always throws the error: “Cannot attach Firewall policy X to the App GW Y since the former is not in sync with WebApplicationFirewallConfiguration.”.
What does this mean and why does it happen? Both the Application gateway and policy are in the same region and resource group. And the Application Gateway is also configured with WAF v2.
Best
We created an S2S VPN connection and we tested it and it was working fine. But now it says not connected.
We set this up on Friday and it was working on Friday 03-04-2020 around 08:00 PM IST; it was not working this morning, 06-04-2020 02:20 PM IST, and it started working again at 03:00 PM IST.
And at 06-04-2020 09:00 PM IST it is not working again.
And I can see there is some Resource health issue, like below.
"The connection cannot establish due to security policy (IPsec/IKE) policy mismatch. If the IPSec/IKE policy is not properly set, the VPN connection cannot establish."
But my question is, if this is the case, it shouldn't connect in the first place, so why is this issue intermittent?
Can someone please take a look at this?
My Subscription ID is : 010e7cd6-0afc-4603-ab57-73a406b3fb4c
Thanks well in advance
Hello Team
Does Azure VNets support one-way peering? Let us say there are two VNets, A and B. I want communication only from A to B, not the other way. I tried disabling "Allow virtual network access from B to A", but it is blocking two-way communication.
Thank you
Vijay
vemula
Hello,
I configured a Point-to-Site VPN in Azure. I can connect to my Azure server using the private IP address or FQDN, but I cannot using the server name.
I think that it might be because I don't have a DNS suffix when I connect my VPN, but I cannot find how I can configure it on the Azure virtual network (I just have the option to customize my DNS server).
Is there a way to connect to my server using only the server name (instead of the FQDN)?
Thanks
Hi,
From a networking perspective, we know there are configurations at VNET, Subnet and NSG levels, but can we have some sort of corporate firewall whose rules are automatically pushed and enforced in all VNETs? Would creating a policy help?
Appreciate your insightful response. Thank you.
I have deployed Bastion and it is working properly. I have set up RBAC permissions according to the documentation, so I understand the Reader role on the VM and the NIC and Bastion. My question is, do you still have to assign permissions in the OS of the VM for "Remote Access" like you would if they were RDPing into the server? I can't find it in the documentation, but my testing seems to indicate that a user with the correct RBAC roles still cannot RDP unless they are an admin on the server or have been assigned permissions for "Remote Access". Just want to confirm that is the case.
Hello,
I have tried to find a definitive answer for this but so far have been unable to and so am looking to this community for direction.
Currently we have an On Prem setup where our remote users' VPNs terminate.
We are also currently building up a presence in Azure IaaS. (The On Prem and IaaS are currently connected via Site to Site VPN.)
As we are now planning the topology of our future network, we are looking at whether or not it makes sense to move our VPN headend into the Cloud. The question I have been unable to answer is how a remote user's traffic which terminates in Azure IaaS for a Microsoft PaaS or SaaS service would be routed.
Would it stay internal to Microsoft's networks, and therefore not be liable for egress charges or would it exit IaaS and traverse the public net and then enter Microsoft again, and so be liable for egress charges?
I hope that I have been able to fully explain the query properly and any direction will be greatly appreciated.
Many thanks
Hello,
I created a virtual network in Azure (172.32.8.0/21).
In this network, I created Azure Kubernetes, which is already in production.
The error I made: the network is not private (172.32.8.0/21).
Is there a way to change a virtual network?
Thank you
We have had issues with Azure Services, when the client is an embedded device, with a limited download speed of 4KB/sec.
We want to serve a 2.5MB file (firmware update) via a WebApp or via Blob Storage.
We see the issue that the transfer is interrupted, even though the embedded device continuously receives data via an https GET request at a speed of approximately 4KB/sec.
A support ticket has been issued, and the result is that the Azure Architecture is not suitable for serving any "static" content to clients at low speed. It is stated that it is per design, with reference to "https://en.wikipedia.org/wiki/Slowloris_(computer_security)" issues. I do not think 4KB/sec is "that" slow... But that is the fact. It has been proposed that the serving part could return data in small chunks, so the timeout between the serving application and the "frontdoor" of Azure is not triggered. To me it seems strange that Azure closes a "live" connection just because Azure has buffered the response content somewhere. As long as data is sent out from that buffer, the connection/buffer should remain intact.
I am looking for some input on how to change the behaviour of the Azure network/architecture.
Thanks,
Martin
Hi,
I tried to create a separate network to allow my Hyper-V nested machines to access the internet.
In doing this, the main network interface associated with my VM and its public IP is now giving an APIPA and obviously nothing will connect via any protocol.
I have tried going into the serial console and PowerShell to remove and re-add the interfaces... no luck... tried to re-deploy the entire VM... no luck... Can someone point me in the right direction to re-create the network adapter and get it back online?
Hi
First post so go easy :-0
I have made the leap from a dedicated Linux server hosting whm/cpanel on CentOS 7 to a VM on Azure with CentOS 7 and whm/cpanel installed.
I have my main domain of rawdigitalmedia.co.uk registered with a domain registrar. I have created the DNS Zone in Azure which has generated 4 name servers. These 4 Nameservers have been entered at my domain registrar as the Nameservers for the domain so that all DNS records are now being managed within Azure DNS Zone.
I'm happy that my domain now points to Azure and resolves at my VM's public IP address.
The issue is now I have migrated all my accounts from my dedicated server whm to my vm whm and with this has come all the old dns records. Within the new vm I have the cPanel default Nameservers set to ns1.rawdigitalmedia.co.uk and ns2.rawdigitalmedia.co.uk and within DNS zones in Azure I have created ns1 and ns2 A records for the domain rawdigitalmedia.co.uk.
So domain registered at domain registrar, Nameservers point to azure nameservers ....
DNS Zone in Azure has ns1 and ns2 records for rawdigitalmedia.co.uk and these custom nameservers have been entered into the basic default config settings on the server for new accounts. All other domains that have respective cPanel accounts on the VM instance have their nameservers set to ns1.rawdigitalmedia.co.uk and ns2.rawdigitalmedia.co.uk.
The issue is that the web sites are now no longer accessible and nothing is resolving as it should.
Any ideas?
Thanks
Wayne
I'm doing a trade study to see how and where we should host our DNS for locally-hosted public sites; we are setting up a second data-centre and wish to use DNS failover in the event that our main site goes offline. I am new to Azure services, so I wondered if someone with experience could point me in the right direction.
The first 25 DNS domains are £0.373 per zone per month and lookups are £0.403 per million; OK, that's nice and easy.
Basic health checks (external) are £0.403 per external endpoint/month, with an additional £1.491 for fast interval (which I assume just means it checks regularly enough for a quick fail-over).
But what is an endpoint - is it effectively each unique A record/IP address that we're checking and for which we're providing fail-over? For example, I have three servers and 14 subdomains (for those servers) - is that 14 endpoints?
I'm trying to get a rough idea of what it would cost to use Azure for this purpose.
I cannot make the MFA exception for NPS work. I have spent several days with this and just can't make it work.
I followed these instructions:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
When the client tries to login to the VPN the message is:
The remote connection was denied because
the user name and password combination
you provided is not recognized, or the
selected authentication protocol is not
permitted on the remote access server.
The client is set up to use EAP and EAP-MSCHAP-v2, and so is the NPS.
We have the proper license in O365 to use MFA.
On the RRAS server A, the following events can be seen:
CoId={7781E639-E300-4428-837D-3F22C4601F2A}: The user <first>.<last> has connected and failed to
authenticate on port VPN1-127. The line has been disconnected.
On the NPS server B, the following events can be seen:
Information 2020-04-05 17:19:53 AuthZ 1 None:
NPS Extension for Azure MFA:
CID: ffa7cd35-bc83-48fa-b5c0-0ca4294dceda :Challenge requested in Authentication Ext for User <user> with
state 310c9d9d-8967-4897-bef3-84d129333cb4
Information 2020-04-05 17:19:52 AuthZ 1 None:
NPS Extension for Azure MFA:
NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in
AccessAccept State. Request received for User ettadmin with response state AccessChallenge, ignoring request.
Installations:
On server B:
I've installed NPS and also installed the MFA NPS extension successfully there.
Created the RADIUS-client and secret.
Output from "netsh nps show config":
Client configuration:
---------------------------------------------------------
Name = isis
Address = isis
State = Enabled
Shared secret = <hidden>
Require auth attrib = No
Vendor = RADIUS Standard
Connection request policy configuration:
---------------------------------------------------------
Name = Use Windows authentication for all users
State = Enabled
Processing order = 999999
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Connection request policy configuration:
---------------------------------------------------------
Name = Virtual Private Network (VPN) Connections
State = Enabled
Processing order = 1
Policy source = 2
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x3d "^5$"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled
File log configuration:
---------------------------------------------------------
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Directory = C:\Windows\system32\LogFiles
Format = ODBC formatting
Delete old logs = Enabled
Frequency = Monthly logs
Max size = 10 MB
Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645
Network policy configuration:
---------------------------------------------------------
Name = Connections to other access servers
State = Enabled
Processing order = 999999
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Authentication-Type 0x1009 "0x3" "0x4" "0x9" "0xa"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Network policy configuration:
---------------------------------------------------------
Name = Connections to Microsoft Routing and Remote Access server
State = Enabled
Processing order = 999998
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1033 "^311$"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Allowed-EAP-Type 0x100a "1A000000000000000000000000000000" "0D000000000000000000000000000000"
NP-Authentication-Type 0x1009 "0x5" "0x4" "0xa" "0x3""0x9"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
MS-Filter 0x102f
===============================================================
IPFILTER_IPV4INFILTER Action: DENY
---------------------------------------------------------------
Address . . . . . : 0.0.0.0
Mask. . . . . . . : 0.0.0.0
Protocol. . . . . : 0
Source Port . . . : 0
Destination Port. : 0
---------------------------------------------------------------
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"
Network policy configuration:
---------------------------------------------------------
Name = Virtual Private Network (VPN) Connections
State = Enabled
Processing order = 1
Policy source = 2
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x3d "^5$"
Condition1 0x1023 "S-1-5-21-2711177585-3751323331-2606168925-1190"
Profile attributes:
Name Id Value
---------------------------------------------------------
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Allowed-EAP-Type 0x100a "1A000000000000000000000000000000"
NP-Authentication-Type 0x1009 "0x5" "0x4" "0xa"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
MS-Link-Utilization-Threshold 0xffffffaa "0x32"
MS-Link-Drop-Time-Limit 0xffffffa9 "0x78"
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"
Server registration:
---------------------------------------------------------
Status = Registered
SQL log configuration:
---------------------------------------------------------
Connection =
Description =
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Max sessions = 20
On Server A:
Added RRAS role
netsh ras show authtype:
Enabled Authentication Types:
Code Meaning
------------------------------------------
MSCHAPv2 Microsoft Challenge-Handshake Authentication Protocol version 2.
EAP Extensible Authentication Protocol.
Added RADIUS, set to B and with the same secret. Timeout set to 30 same
Any ideas of what can be wrong or how to debug this?
Regards, Lars