Application Gateway
12 Topics

Disabling TCP Timestamps on application gateways
Hello, We use Application Gateways for a number of apps. Our 3rd party vulnerability scanner discovered the AGW exposes the uptime of the system. Is there a way to disable this on the AGW? I found this post in UserVoice from 2017 where someone asked for the same option: https://feedback.azure.com/forums/217313-networking/suggestions/32683267-need-a-function-to-disable-the-timestamp-in-tcp-op. If it's not possible, it's not possible. I haven't found documentation on it, so my guess is there's currently no way to disable it. I get this is low risk, I just need to do a little more digging until I write this one off as a known issue / accepted risk. Thank you
(2.3K Views, 0 likes, 0 Comments)

Provide an application gateway with PowerShell in Azure with a virtual machine scale set in the back
Hi Azure friends, I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the hashtags are comments):

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE
Set-Location C:\Temp
Clear-Host

#So that you can carry out the configuration, you need the necessary cmdlets; these are contained in the module Az (it is the higher-level module made up of a number of submodules)
Install-Module -Name Az -Force -AllowClobber -Verbose

#For this example I am using passwords in the script. This is usually not a good idea, but it's fine for the demo.

#Log into Azure
Connect-AzAccount

#Select the correct subscription
Get-AzSubscription -SubscriptionName "MSDN Platforms" | Select-AzSubscription
Get-AzContext

# Create a resource group
New-AzResourceGroup -Name myResourceGroupAG -Location westeurope

# Create network resources
$backendSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myBackendSubnet `
  -AddressPrefix 10.0.1.0/24

$agSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myAGSubnet `
  -AddressPrefix 10.0.2.0/24

$vnet = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Location westeurope `
  -Name myVNet `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $backendSubnetConfig, $agSubnetConfig

$pip = New-AzPublicIpAddress `
  -ResourceGroupName myResourceGroupAG `
  -Location westeurope `
  -Name myAGPublicIPAddress `
  -AllocationMethod Dynamic

# Create IP configurations and frontend port
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

$subnet = $vnet.Subnets[0]

$gipconfig = New-AzApplicationGatewayIPConfiguration `
  -Name myAGIPConfig `
  -Subnet $subnet

$fipconfig = New-AzApplicationGatewayFrontendIPConfig `
  -Name myAGFrontendIPConfig `
  -PublicIPAddress $pip

$frontendport = New-AzApplicationGatewayFrontendPort `
  -Name myFrontendPort `
  -Port 80

# Create the backend pool and settings
$defaultPool = New-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool

$poolSettings = New-AzApplicationGatewayBackendHttpSettings `
  -Name myPoolSettings `
  -Port 80 `
  -Protocol Http `
  -CookieBasedAffinity Enabled `
  -RequestTimeout 120

# Create the default listener and rule
$defaultlistener = New-AzApplicationGatewayHttpListener `
  -Name mydefaultListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $frontendport

$frontendRule = New-AzApplicationGatewayRequestRoutingRule `
  -Name rule1 `
  -RuleType Basic `
  -HttpListener $defaultlistener `
  -BackendAddressPool $defaultPool `
  -BackendHttpSettings $poolSettings

# Create the application gateway
$sku = New-AzApplicationGatewaySku `
  -Name WAF_Medium `
  -Tier WAF `
  -Capacity 2

$appgw = New-AzApplicationGateway `
  -Name myAppGateway `
  -ResourceGroupName myResourceGroupAG `
  -Location westeurope `
  -BackendAddressPools $defaultPool `
  -BackendHttpSettingsCollection $poolSettings `
  -FrontendIpConfigurations $fipconfig `
  -GatewayIpConfigurations $gipconfig `
  -FrontendPorts $frontendport `
  -HttpListeners $defaultlistener `
  -RequestRoutingRules $frontendRule `
  -Sku $sku

# Create a virtual machine scale set
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

$backendPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool `
  -ApplicationGateway $appgw

$ipConfig = New-AzVmssIpConfig `
  -Name myVmssIPConfig `
  -SubnetId $vnet.Subnets[1].Id `
  -ApplicationGatewayBackendAddressPoolsId $backendPool.Id

$vmssConfig = New-AzVmssConfig `
  -Location westeurope `
  -SkuCapacity 2 `
  -SkuName Standard_DS2 `
  -UpgradePolicyMode Automatic

Set-AzVmssStorageProfile $vmssConfig `
  -ImageReferencePublisher MicrosoftWindowsServer `
  -ImageReferenceOffer WindowsServer `
  -ImageReferenceSku 2016-Datacenter `
  -ImageReferenceVersion latest `
  -OsDiskCreateOption FromImage

Set-AzVmssOsProfile $vmssConfig `
  -AdminUsername azureuser `
  -AdminPassword "Azure123456!" `
  -ComputerNamePrefix myvmss

Add-AzVmssNetworkInterfaceConfiguration `
  -VirtualMachineScaleSet $vmssConfig `
  -Name myVmssNetConfig `
  -Primary $true `
  -IPConfiguration $ipConfig

New-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmssConfig

# Install IIS
$publicSettings = @{
  "fileUris" = (,"https://raw.githubusercontent.com/davidmu1/samplescripts/master/appgatewayurl.ps1");
  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1"
}

$vmss = Get-AzVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss

Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
  -Name "customScript" `
  -Publisher "Microsoft.Compute" `
  -Type "CustomScriptExtension" `
  -TypeHandlerVersion 1.8 `
  -Setting $publicSettings

Update-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmss

# Get the IP address
Get-AzPublicIPAddress -ResourceGroupName myResourceGroupAG -Name myAGPublicIPAddress

Start the browser and paste the IP address. Now you have used PowerShell to create an Azure Application Gateway with a virtual machine scale set in the backend! Congratulations!

#Clean up (when you no longer need the resources)
Remove-AzResourceGroup -Name myResourceGroupAG -Force

I hope this article was useful. Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
(1.7K Views, 0 likes, 0 Comments)

Application Gateway Backend Port Routing
Scenario: Set up App Gateway to allow traffic from several different alias URLs (appa.gateway.com / appb.gateway.com / appc.gateway.com); these will all point to the private IP front end over 443. That's easy enough to do. Based on those calls from each of the individual aliases, then route the traffic to a different PORT on a backend which is all the same VM. Use case: Calls from appa.gateway.com should go to VM1 on port 44301. Calls from appb.gateway.com should go to VM1 on port 44302. Calls from appc.gateway.com should go to VM1 on port 44303. Is this possible using App Gateway? It's not possible to have the same backend VM, so I was thinking of having multiple NICs on the same VM that each backend would point to? Caveat... this is dev so it's just one VM on the backend; when we get to QA / prod there will be several, so I'm thinking I will need a load balancer that the App Gateway points to.
(1.3K Views, 0 likes, 1 Comment)

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?
(1.3K Views, 0 likes, 5 Comments)

Issue with VirtualNetwork service tag when using UDR for routing via Azure Firewall
Hi Experts, When I add a UDR on my Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets the value 0.0.0.0/0. When I remove the UDR default outbound route, the VirtualNetwork service tag gets the vNet and peered vNet address space etc. Due to this, limiting network access at the NSG level on the Spoke Subnets is getting complex. For example, let's consider that I do not want to direct traffic to Azure Firewall for my S2S/P2S VPN traffic, and want to control which S2S IP addresses can access my Spoke Subnet using an NSG rule attached to my Spoke Subnet. This is getting complex as the default DenyAllInbound is no longer applicable, because AllowVnetInbound allows everything. In such scenarios, the network control at the NSG level gets auto-updated and allows all (0.0.0.0/0 - 0.0.0.0/0 - All Protocols), and the concept of having a default DenyAllInbound as the last rule fails. This could be a security risk where the engineer has added a UDR for 0.0.0.0/0 to Subnets and all the NSGs would turn to Allow All (Everything). Related GitHub Discussion: https://github.com/MicrosoftDocs/azure-docs/issues/22178 FYI, I just found a blog also reporting a similar challenge to the one I am facing: https://www.torivar.com/2019/01/16/azure-nsg-virtualnetwork-tag/
(1.3K Views, 0 likes, 1 Comment)

Load Balancer in front of Application Gateway, port steering
Hi, I have both HTTP(S) and non-HTTP(S) traffic going into a VM. I would like to have a WAF for the HTTP(S), so I have created an Application Gateway and connected it with the VM, which works well. However, I have non-HTTP(S) traffic as well going over different ports which I would like to go straight to the VM. To split the traffic I have created a Load Balancer with the previously mentioned AppGw in its backend pool. I have configured the AppGw's private IP, a listener for it, backend settings and a backend pool with the VM in it. Unfortunately, I am not able to connect to the VM using the Load Balancer public IP and HTTP. Is it possible to have an LB in front of the AppGw? If not, does anyone have an idea on how to split the traffic while still having an AppGw just for HTTP(S)? Thanks!
(1.2K Views, 0 likes, 4 Comments)

Can only remote into Azure VM from DC
Hi all, I have set up a site-to-site connection from on-prem to Azure and I can remote in via the main DC on-prem, but not from any other server, nor ping from any other server to Azure. Why can I only remote into the Azure VM from the server that has Routing and Remote Access? Any ideas on how I can fix this?
(692 Views, 0 likes, 0 Comments)

Networking out Private VNET in Azure with a third party app such as payment gateway?
I need to do networking so that my VNET in Azure connects to third party applications such as payment gateways or messaging apps which are on the public internet. Please let me know the options and why we should prefer one over the other?
(586 Views, 0 likes, 0 Comments)

WordPress App how to restrict access to specific pages on the site
Hello all, I have a WordPress App hosted on Azure and I am struggling with how I can secure specific pages from public access. For example: www.mysite.com/wp-admin, www.mysite.com/info.php. I'd like it so that only specific IP addresses or Microsoft user accounts can access some, such as admin pages, and for some pages I'd like no access at all, to where it just blocks any sort of visit. I've viewed the documentation for Front Door and some networking restrictions, but that seems to be just IP addresses and I'm confused about how I can set those rules for specific pages within the App. I know WordPress offers plugins which have this sort of functionality, but I'd like to take advantage of Azure's security features rather than plugins from WordPress. Any help is very appreciated. Thank you
(432 Views, 0 likes, 0 Comments)