Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

A question about Azure Load Balancer


Can someone please help me with the following questions

1) If I have an Azure Load Balancer can I use this to load balance only on-premise traffic, and not have the load balancer with any public facing IP addresses?

What I want to do is the following,

I have an on-premise Active Directory forest (usual stuff), I want my on-premise clients to point to a load balancer (virtual IP, VIP) for DNS and LDAP traffic. Meaning when a client wants to do a DNS lookup or query active directory via LDAP or LDAPS they are pointed to the load balancer address (Azure load balancer) which then directs the traffic to an on-premise DC in the pool of DCs configured on the load balancer). The traffic should always be sent over the private network e.g. Express Route and never over the public internet.

Is the above possible, or is it a bad use case for Azure load balancer?

Any advice most welcome :)

Thanks

CXMelga


Can't access Advanced Management portal to transfer domain


Hi, I set up a personal website on Azure several years ago, as well as purchasing a domain for the site through the App Service Domain resource. I am trying to transfer the domain, and based on the instruction I could find online it seems I need to do this through the Advanced Management Portal under the Domain Management tab. When I try to click the link to the portal, it just opens a new tab that seems to try to load a new page, but sends me back to the normal Azure Portal homepage. 

Is there an easier way to transfer my domain, or am I missing something about how to do this properly? I am fairly new to this, so any advice would be greatly appreciated!

Temporarily disable all but one node in a WAF backendpool?


From time to time, I need to test IIS web app config changes on a single server before rolling out the change to all other nodes / web servers in the WAF backend pool. So that I can easily test in isolation, is there a simple way to temporarily disable load balancing for all nodes but the one node I am testing config changes on?

Tier = WAF (not standard)

Azure Web Application Firewall causing website slowness


Hi, 

We have configured WAF to run the websites hosted on the Azure VMs. The HTTP & HTTPS responses via WAF IP have high latencies compared to when browsing directly to the VM's public IP.

Do we need to tweak some parameter on the Azure portal for WAF, or increase the SKU of the WAF?

Regards,

Gaurav N.

Specifying existing Virtual Network when creating VM


Hi,

It's a couple of years since I created environments in Azure and just setting myself one up now. One thing I've noticed is that when I go to create a Virtual Machine - Windows Server Datacentre 2016/2019 it doesn't allow me to specify my virtual network and goes to create a new one for me.

Any way around this? Looking back at my documentation and screenshots from creation last time, I was just able to specify my virtual network when I was creating the VM.

Any help welcome. Many thanks.

Change Scale Set private ip subnet

We are trying to establish a site-to-site VPN to an SMPP server with an SMS service provider. There is a conflict between our private subnet and their subnet. Is there any way to change our private subnet inside the scale set, or to do NAT to another IP?

NSG not applying properly

Hi,

I have created a NSG which blocks all inbound and outbound traffic, and have attached the only network interface of an Azure Virtual Machine (Windows 10) to it. The rules are *effective*, according to the Azure Portal.

The two rules of the NSG are :

   
$rule1 = New-AzNetworkSecurityRuleConfig -Name InboundDisallow -Access Deny -DestinationAddressPrefix * -DestinationPortRange * -Direction Inbound -Priority 100 -Protocol * -SourceAddressPrefix * -SourcePortRange *
$rule2 = New-AzNetworkSecurityRuleConfig -Name OutboundDisallow -Access Deny -DestinationAddressPrefix * -DestinationPortRange * -Direction Outbound -Priority 100 -Protocol * -SourceAddressPrefix * -SourcePortRange *


RDP is blocked, and I cannot ping the machine, which is expected.

However, I can still run PowerShell scripts on the machine, using Run Command (from the Portal or PowerShell), which should not be possible (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command#restrictions) as it requires authorizing AzureCloud Outbound on port 443.

I have also tried to detach the network interface and attach the subnet to the NSG, and I can still use this command. I have also tried rebooting the virtual machine, deleting and creating again the VM and the NSG, same results.

Would you have any idea why it does not work?

Thanks in advance,
Regards



VPN Traffic to Storage Private Endpoint

I am not sure if this works or not but I think it should. I have an Azure P2S VPN set up using AAD auth. I have an Azure File Share set up to use AAD auth; it also has a private endpoint enabled. When I connect to the VPN I would like to be able to use a UNC path to connect to the Azure File Share. If I put a record in my HOST file with the file.core.windows.net and the IP for the private endpoint it will connect. But without the host file record it will not connect. I have set up the DNS conditional forwarder for the core.windows.net and am forwarding it to the Azure private DNS server as I've seen described. I have used Wireshark to watch the packets and I can see it seems to be sending the DNS query to the DNS server with the conditional forwarder, yet nothing happens. The DNS is the AADDS managed DNS server and supposedly you can use conditional forwarders on them but it doesn't seem to work. Anyone tried this before?

Virtual network adding supernet as prefix for the peers VNET address space , is it expected or it is bug ?

I have three VNET 
ProdVnet010  - South India -172.16.0.0/16
ProdVnet020  - South India -172.17.0.0/16
DevVNet01    - Central India- 10.10.0.0/16

ProdVnet010 peers to ProdVnet020
ProdVnet010 peers to DevVNet01

ProdVnet010 also have VPN Gateway and P2S Connection 

All three VNETs have one VM, the NSGs for all the VM NICs have default rules, and no NSG is applied at the subnet.
I had a question about whether a VM in ProdVnet010 can ssh, ping, etc. to a VM in ProdVnet020.

So I used verify IP flow and understood that the default security rule "AllowVnetInBound" is allowing this connection, and now I have another doubt: why is the default "AllowVnetInBound" allowing communication between peered VNETs? My understanding was that this rule is for allowing communication within a VNET.

So next I looked at the effective rules for the NSG and found that these three address spaces (1.1.1.0/28, 168.63.129.16/32, 172.16.0.0/15) are listed as address prefixes for the source and destination Virtual network for rule AllowVnetInBound, which makes it clear to me why this rule "AllowVnetInBound" is allowing it, as 172.16.0.0/15 is a supernet for 172.16.0.0/16 and 172.17.0.0/16, and the rule is treating them as being in the same VNET.

1.1.1.0/28     -- this is the address pool for the P2S connection
168.63.129.16/32   -- this is the Microsoft / Azure reserved IP for allowing communication
172.16.0.0/15   -- I am not sure where this address space got added from
So now my next question is how 172.16.0.0/15 got added as a Virtual network prefix under the NSG effective rules?
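The prefix arithmetic behind the 172.16.0.0/15 entry in the post above, as an added example that is not part of the original post. It assumes the prefixes shown for the VirtualNetwork tag are a summarized form of the local and peered address spaces; the function names are hypothetical, and the /14 case mentioned in the comments is constructed to show what an over-broad prefix would look like.

```python
import ipaddress

# Address spaces as stated in the post (labels are the poster's).
KNOWN = {
    "ProdVnet010": "172.16.0.0/16",
    "ProdVnet020": "172.17.0.0/16",
    "DevVNet01": "10.10.0.0/16",
    "P2S pool": "1.1.1.0/28",
    "Azure platform IP": "168.63.129.16/32",
}

def summarize(cidrs):
    """Merge adjacent/overlapping prefixes into the shortest exact list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def explain(observed, known):
    """For one prefix seen in the effective rules, return
    (known address spaces inside it, parts of it nobody owns)."""
    obs = ipaddress.ip_network(observed)
    members = sorted(
        name for name, cidr in known.items()
        if ipaddress.ip_network(cidr).subnet_of(obs)
    )
    remaining = [obs]
    for cidr in known.values():
        net = ipaddress.ip_network(cidr)
        nxt = []
        for r in remaining:
            if r.subnet_of(net):          # fully owned by a known space
                continue
            if net.subnet_of(r):          # carve the owned part out
                nxt.extend(r.address_exclude(net))
            else:                         # unrelated, keep as is
                nxt.append(r)
        remaining = nxt
    return members, sorted(remaining)

if __name__ == "__main__":
    # The three prefixes the post reports for AllowVnetInBound.
    for prefix in ["1.1.1.0/28", "168.63.129.16/32", "172.16.0.0/15"]:
        members, unowned = explain(prefix, KNOWN)
        print(prefix, "<-", members, "unowned:", [str(n) for n in unowned])
```

An empty "unowned" list means the summarized prefix admits nothing beyond the address spaces listed; a constructed 172.16.0.0/14 would leave 172.18.0.0/15 unowned.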


 

Error 0xb07 when trying to connect to VMS


After starting my new VMS, downloading RDP file to connect and logging in I get error "0xb07" stating 

"We couldn't connect to the remote PC because your account has been disabled. Contact your network administrator for assistance. Error code: 0xb07"

I have tried redeploying and that did not work. I am the only person using this machine on my home laptop and network.

DNS problem with Azure and OpenVPN


Dear colleagues, I have a problem with the company related to DNS. Due to the need for quarantine we had to put our almost 150 employees working remotely. Until today we only had our e-mail service (O365) in the cloud all the rest of our infrastructure is local (on premises).

As we are already a Microsoft customer on some Azure products, we built a topology for accessing our services on premises using Azure VPN. Basically I have an S2S IPSec VPN that connects our infrastructure on premises to our tenant at Microsoft. And we also have a P2S VPN gateway for connecting our employees who are at home. The connection between Azure and our on premises infrastructure is made by a PFSense on the local side and an IPSec Gateway on the Azure side, using the IPSec protocol. On the client side, we have stations with Windows 7 and Windows 10 using the OpenVPN Client connecting to an OpenVPN on Azure Gateway.

The point is that everything works when we try to reach a server in our infrastructure on premises by IP. But when we try to reach a server by name, there is no DNS resolution. I have already placed our DNS in Azure settings to be published on client connections and I have already placed the IP of our local DNS server (on premises) in the .ovpn file. We have not yet tested the configuration of directing all customer traffic through the VPN tunnel. That I believe will be a solution ... but not elegant, because if the customer wants to surf the internet, when the VPN is active, his traffic will be through Azure, going to the on premises, and then going to the internet.

A point of attention that we have not been able to investigate further is that some customers have IP addresses (assigned by the equipment of their internet provider) that are within the range of our IP addresses on premises. For example, one of our customers has a local address 192.168.0.0/24, which clearly conflicts with our address on premises 192.168.0.0/22. However, these clients are able to reach our servers by IP, but not by name.

The figure below illustrates this topology.

Live long and prosper,
Marcelo Magalhães
Rio de Janeiro - Brasil


Marcelo Magalhães - R.J.

unable to delete public IP address


I have been trying to delete a public IP address on my subscription for quite a while now, and I keep getting error messages. I have no other services other than a resource group (for mailjet) and mailjet. I have deleted my VM, disks, VNET, gateway, ethernet cards, and the other IP addresses. 

I cannot create a support ticket because I have the free service, and do not pay a monthly fee.

I am getting this error:

Failed to delete public IP address 'q9x2-ip'. Error: The access token is from the wrong issuer 'https://sts.windows.net/[REDACTED]/'. It must match the tenant 'https://sts.windows.net/[REDACTED]/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/[REDACTED}' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

Configure Network Access restrictions for Azure Web apps and Application Gateway


I have a Web app on which I have enabled Network Access restrictions to block everything and allow connections only from certain IPs. The Web app's URL is also redirected to another custom domain through an Application Gateway, and I have also allowed / whitelisted the Application Gateway's public IP in the Web app allowed list.

The network access restrictions are working fine if I access the azurewebsites native URL, but when traffic is coming redirected from the Application Gateway, since I have whitelisted the App Gateway PIP, the app is working irrespective of the source.

Apart from putting NSGs on the Application Gateway, is there some other way to restrict traffic that is coming from the Application Gateway?

And is there some setting by which, when the Application Gateway redirects traffic to the web app, the source IP of the request can be made the original source / client IP instead of the Application Gateway's PIP?



The IPSec Tunnel is connected but no ping

I have a VPN site to site IPSec tunnel with a Fortinet Fortigate - connected and receiving data. But the ping for local IPs from the Azure VM or from the Fortinet side is timing out. We are using the default routes and everything on Azure is in same VNet.

Azure VM with F4s-v2 crashes randomly


Hello, 

I set up a VM with Standard-D4 first, which ran nicely but later changed to Fsv2 as I needed more computing power. I set up MatLab as described in the matlab documentation (I can't post links here..)

However, shortly after booting and logging in via remote desktop, the remote desktop just closes the connection without any errors and I can't reconnect. As I said, it worked earlier this day on Standard-D4. I suppose the VM might have crashed or something. Any ideas why and how to fix? If the Fsv2 just isn't working for what I'm doing, what else can you recommend? I need very good single core performance.

Any help is appreciated!


DNS not resolving to efty


Hi 

I'm trying to resolve the DNS of www.cloneable.com to efty and we are using Azure DNS, but it's been 4 days and the DNS has not resolved; it redirects us to one of our server webpages. I have followed the support guide and checked the DNS propagation in command prompt.

Also, if I try to use the techtronics.com DNS and point it to efty, it's working fine, but the redirects are not working and they are reporting us to our company official website.

I need help to fix this problem.

Thanks


Azure MFA IP Whitelisting


For some of my applications in Azure they are authenticating to my Azure AD using user accounts and they are being caught by my conditional access policy which is enforcing MFA due to being off-prem.

I was wondering would it be best practice to assign the resource in azure a public IP and then add that to the MFA trusted IPs? So then when the application attempts to authenticate from that IP it is not caught by the MFA policy

I have a few questions:

1) Is the public IP address assigned to a resource consistent i.e. can you confirm that the IP never changes and is solely allocated to that resource? Also that it is not behind a proxy which also serves other tenants?

2) Is this the best way around the solution and most secure?

3) Would app passwords be a better solution?

I'd appreciate any help, thank you!

What do I need to change on my ASP.Net website to make sure it can handle cookie-based affinity?

I was reviewing this post docs.microsoft.com/en-us/azure/application-gateway/how-to-troubleshoot-application-gateway-session-affinity-issues trying to find the answer as to why we're seeing issues while working with an Application Gateway and 3 VM's, and I want to cross off the list the point that says "The application cannot handle cookie-based affinity"; how do I know or what do I need to change on my website to make sure it can handle cookie-based affinity?

Cannot attach Firewall Policy to App GW


Hello guys.

So I am trying to apply some custom firewall rules for the application gateway. My goal is to allow only a set of IPs to a given path (maybe there is a better way to do this, if so please feel free to suggest).

I created the Application Gateway, everything works fine. Now I tried to create a WAF policy and associate the AppGW to it. I followed the Microsoft guide called "Associate a WAF policy with an existing Application Gateway" but no matter what it always throws the error: “Cannot attach Firewall policy X to the App GW Y since the former is not in sync with WebApplicationFirewallConfiguration.”.

What does this mean and why does it happen? Both the Application gateway and policy are in the same region and resource group. And the Application Gateway is also configured with WAF v2.

Best

VM, not able to RDP from Mac. Error code: 0x204


Hi, 

Please help, I'm not able to RDP from my Mac to the VM created. I have tried connecting via Parallels, Microsoft Remote Desktop 10 on both Mac and iPhone but no luck.

I just receive the same error message Error code: 0x204

From networking I have already enabled ports on my VM and made the firewall adjustments on my Mac.

Please help!

Chris
