azure private link
8 Topics

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?

WordPress App how to restrict access to specific pages on the site
Hello all, I have a WordPress App hosted on Azure and I am struggling with how I can secure specific pages from public access. For example:

    www.mysite.com/wp-admin
    www.mysite.com/info.php

I'd like it so that only specific IP addresses or Microsoft user accounts can access some of them, such as admin pages, and for some pages I'd like no access at all, so that any visit is simply blocked. I've viewed the documentation for Front Door and some networking restrictions, but that seems to cover only IP addresses, and I'm confused about how I can set those rules for specific pages within the App. I know WordPress offers plugins with this sort of functionality, but I'd like to take advantage of Azure's security features rather than plugins from WordPress. Any help is very much appreciated. Thank you

Azure DNS Private Resolver Query
Hi all, I need help to understand more about Azure DNS Private Resolver. When Azure DNS Private Resolver was released, my understanding was that it is for resolving Azure private endpoint names in Azure Private DNS from on-premises: previously we had to create a VM in Azure and configure that VM's IP as a forwarder in the on-premises DNS. After reading about Azure DNS Private Resolver in detail, I now have the understanding that, whether the on-premises environment needs it or not, a Private Resolver should be created in the VNET and it will help to resolve DNS queries. The simple question is: do I have to provision it even if my on-prem environment does not need to resolve the Azure Private DNS names for private endpoints? What about a hub/spoke scenario: do I need to provision Azure DNS Private Resolver in the hub VNET even if my on-premises environment does not need to resolve the Azure Private DNS names for private endpoints? In a single-subscription scenario where I do not have a hub/spoke model, just one subscription and no on-premises DNS resolution requirement, do I still need to provision a Private Resolver? I believe not, because linking the private DNS zone will do the needful, but I'm not sure if something has changed. Thanks

Azure VPN Connection
Greetings - I don't know if this is possible in Azure, but I figured I would try, as none of the classes I have taken have an answer. I am new to Azure networking, so what I want to do may not be possible. I have created an Azure VPN to our client. There is a SQL server there that we pull data from for reporting. I am trying to create an endpoint in Azure Data Factory to connect automatically over that VPN to run the reports. I have tried Private Link and Private Link Service, but it looks like that can only be done for internal networks and not for the gateway that the VPN is on. Any help would be appreciated. Thank you.

Not able to set up Azure private endpoint URL as web service/backend for Azure API Management service
Hi all, I have a Private Endpoint connected to a Private Link Service. The Private Link Service is created by an Azure Standard Load Balancer, which in turn is created by a Kubernetes LoadBalancer service using the annotations below.

    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-pls-create: "true"
      service.beta.kubernetes.io/azure-pls-name: myPLS
      service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
      service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
      service.beta.kubernetes.io/azure-pls-visibility: "*"   # does not apply here because we will use Front Door later
      service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"

I am getting the expected response, i.e. the response from the Kubernetes service, from the Private Endpoint IP, which confirms that the Private Link and Private Endpoint integration is working fine. We now want to integrate the above Private Endpoint with Azure API Management, so we tried adding the Private Endpoint URL as the web service URL for the API Management service, but API Management returns a 500 error:

    {
      "statusCode": 500,
      "message": "Internal server error",
      "activityId": "76261291-7121-4814-b0e4-66b52284d76c"
    }

I also tried the API Management "Troubleshoot & analysis" page for the exact error; it shows the error below:

    BackendConnectionFailure
    An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me understand what I am doing wrong in this implementation. Our requirement is to have a Kubernetes private load balancer and integrate it with Azure API Management, so that users can access the API only through API Management, and only API Management is able to access the load balancer service.
Thanks in advance

Azure Private Link - Implementation
A few days ago, our last post dealt with the Azure Service Endpoint feature, which allows you to stop exposing your Azure resources to the Internet, for obvious security reasons. Today we are going to look at another Azure feature that restricts the exposure of services even further: Azure Private Link.

Unlike a Service Endpoint, which is enabled for a whole category of Azure service (Storage, SQL Database, Key Vault, ...) and still sends traffic to the service's public IP, Azure Private Link gives you an endpoint that points to one specific resource, yours or one a provider exposes, through a private IP address in your own virtual network.

Azure Private Link brings together several concepts:

Private Endpoint: your private endpoint, a network interface that uses a private IP address from your virtual network.
Private Link Resource: the target service you want to consume through its private address.
Private Link: the association between your private endpoint and the target resource.
Private Link Service: what exposes a service that sits in another VNET behind an Azure Standard Load Balancer, so that it can be consumed through a private endpoint.

Use case 1:

Our first use case is to consume a storage account, and more specifically a blob, over the Azure private network (the Microsoft backbone) with Azure Private Link. To do this, we deployed the following Azure resources:

Storage Account - SA (the PaaS service used as the example)
Virtual Machine - VM
Network Security Group - NSG
Public IP address
Network Interface - NIC
Hard disk - Disk
Virtual Network - VNET / Subnet

1. PaaS service exposed on the Internet

For our first example, our storage account will have no restriction and will therefore be exposed on the Internet. (This is obviously not to be reproduced, for obvious security reasons, but it helps to better understand the mechanism.)
If we run a test from our machine, we access the file stored on the SA without any problem.

Let's look at the diagram that shows how our SA is consumed by our VM, and potentially by other services or external users. When our VM connects to an Azure service, by default the flow leaves the VNET toward the service's public endpoint (public DNS name and public IP), in our case https://saprivatedemo01.blob.core.windows.net/demo/file.txt, exactly like any other client on the Internet. Now let's see what it looks like with Azure Private Link.

2. Enable Azure Private Link

Setting up Azure Private Link is not complicated; just follow a few steps.

First step: click on Private Endpoint at the SA level. Next, we fill in the basic information.

Then we choose the target sub-resource we want to consume, in our case blob.

It is at this stage that we select the VNET and Subnet in which the network interface will be created, i.e. the private IP of our Private Endpoint. (We leave the private endpoint network policy disabled; enabling it lets NSGs and UDRs apply to the private endpoint's NIC. We choose a dynamic IP within the subnet.)

We finish by integrating our Private Endpoint with an Azure private DNS zone, which in this case is privatelink.blob.core.windows.net. (You could also use an existing Azure private DNS zone or your own DNS servers.)

The private endpoint now has the name saprivatedemo01.privatelink.blob.core.windows.net. Clients keep using the original name saprivatedemo01.blob.core.windows.net: in public DNS it is now a CNAME to the privatelink name, and inside any VNET linked to the private zone that name resolves to the private IP. There is no need to address the privatelink name directly, and it is not the name on the service's TLS certificate.

While we're at it, we disable public access on our SA so that it is no longer exposed on the Internet.

Now let's test from VM01 that it works correctly through the Azure private DNS zone. A new look at our diagram: the VM's traffic no longer goes through the Internet but directly to the Private Endpoint, and Internet traffic is blocked since public access is disabled.
But how does it work in practice? As we have seen, when you create a Private Endpoint, you create a private IP within a subnet, and therefore within the VNET. But that's not all. As the image below shows, a CNAME record is created in public DNS: saprivatedemo01.blob.core.windows.net now points to saprivatedemo01.privatelink.blob.core.windows.net. Outside the VNET that name continues to resolve, through public DNS, to the service's public address. Inside a VNET linked to the Azure private DNS zone we created, privatelink.blob.core.windows.net, the zone is authoritative for that name and answers with the private IP of the Private Endpoint. Any client that needs the private address, including an on-premises network, must therefore send its queries to a resolver that can see that zone.

Use case 2:

In this second use case, we want to consume a web service hosted on VM02, deployed in another VNET (VNET02) that has the same address space as our first VNET (VNET01). This overlap makes it impossible to set up VNET peering between the two VNETs. This is where Private Link Service comes in: as mentioned earlier, we can consume our service on VM02 through an Azure Standard Load Balancer.

We start by creating an internal load balancer (i.e. with a private address), LB01, in VNET02 where VM02 is deployed. Let's fill in the basic information. We select VNET02 and let Azure assign its private IP address. Then we define the backend pool to which traffic arriving on LB01 is sent, which is VM02.

The next step defines a load-balancing rule that associates the backend pool with the listening port of LB01 and the port on which traffic is sent to VM02. We also take the opportunity to create a health probe that checks the service on the VM02 side. The following configuration steps are not necessary, so you can click on Review and create to create the LB. Here is the result after a few seconds.

Now that we have created LB01, let's move on to the next step: the creation of our Private Link Service. In the search bar of the Azure portal, search for Private Link; this opens the Private Link Center.
We just need to click on Create Private Link Service. Let's start by filling in the basic information. The next step is important, because this is where we select LB01 and its frontend IP configuration, together with the subnet and IP the service uses for source NAT. Then we define who is allowed to consume the Private Link Service: visibility (who can discover the service and request a connection) and auto-approval (whose connections are approved without manual action). We restrict both to our own subscription; it is also possible to open the service to other subscriptions, or to anyone who holds its alias, and to approve each connection by hand. We can then click on Review and create to create our Private Link Service.

Now that LB01 and the Private Link Service are created, let's move on to the last step: the creation of our Private Endpoint. There are two possibilities: the first is to return to the Private Link Center, the second is to go to the Private Link Service we have just created. I choose the second option. From PrivateLinkService01, I create my Private Endpoint.

On the Resource tab there is nothing to configure. Why? Because when creating the Private Link Service we selected the auto-approve option, and since we only have one Private Link Service within this subscription, it is selected by default.

Then we select the VNET in which to deploy our Private Endpoint, which is the one where VM01 is hosted, i.e. VNET01. We leave the IP allocation method on dynamic.

To date, private DNS zone integration is not offered for a Private Endpoint connected to a Private Link Service, so I will connect through its private IP. (If you want a name, create an A record for that IP in a private DNS zone of your own, linked to VNET01.) We can then click on Review and create to create our Private Endpoint.

I retrieve the IP of the newly created Private Endpoint. All that remains is to test access to VM02 from VM01 via the combination of the Private Link Service and the Private Endpoint, which is completely transparent to the user.
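The visibility and auto-approval settings chosen above (and the azure-pls-visibility / azure-pls-auto-approval annotations in the AKS question earlier on this page) are what decide whether a consumer in another subscription can connect at all, and whether the connection waits for the provider's approval. The following is an added example, not code from the article or from Azure, that models that decision; the subscription IDs are constructed, no Azure API is called, and the portal's "Role-based access control only" visibility mode is not modelled.

```python
"""Added example: how a Private Link Service's visibility and auto-approval
settings decide the fate of an incoming Private Endpoint connection.
Subscription IDs (sub-provider, sub-consumer) are constructed."""
from dataclasses import dataclass, field

ANYONE = "*"   # portal: "Anyone with your alias"; AKS annotation azure-pls-visibility: "*"


@dataclass
class PrivateLinkService:
    name: str
    visibility: set            # {"*"} or a set of subscription IDs
    auto_approval: set         # must be covered by visibility
    connections: dict = field(default_factory=dict)   # endpoint name -> state

    def __post_init__(self):
        # Azure rejects an auto-approval list that is not covered by the visibility list.
        if ANYONE not in self.visibility and not self.auto_approval <= self.visibility:
            raise ValueError("auto-approval subscriptions must also be in the visibility list")

    def is_visible_to(self, subscription: str) -> bool:
        return ANYONE in self.visibility or subscription in self.visibility

    def request_connection(self, endpoint: str, subscription: str) -> str:
        """A consumer in `subscription` creates a Private Endpoint against this service."""
        if not self.is_visible_to(subscription):
            # The consumer cannot even reference the service; nothing is recorded.
            return "NotVisible"
        state = "Approved" if subscription in self.auto_approval else "Pending"
        self.connections[endpoint] = state
        return state

    def review(self, endpoint: str, approve: bool) -> str:
        """The provider approves or rejects a pending connection."""
        if self.connections.get(endpoint) != "Pending":
            raise ValueError(f"{endpoint} is not pending")
        self.connections[endpoint] = "Approved" if approve else "Rejected"
        return self.connections[endpoint]


def check_settings(visibility, auto_approval) -> bool:
    """True if this visibility / auto-approval pair is accepted."""
    try:
        PrivateLinkService("check", set(visibility), set(auto_approval))
        return True
    except ValueError:
        return False


def article_service() -> PrivateLinkService:
    """The article's PrivateLinkService01: visible and auto-approved only for
    the provider's own subscription."""
    return PrivateLinkService("PrivateLinkService01", {"sub-provider"}, {"sub-provider"})


def aks_annotation_service() -> PrivateLinkService:
    """The AKS question's myPLS: visibility "*" with auto-approval limited to
    one subscription, so anyone holding the alias can leave a Pending request."""
    return PrivateLinkService("myPLS", {ANYONE}, {"sub-provider"})


if __name__ == "__main__":
    for svc in (article_service(), aks_annotation_service()):
        for sub in ("sub-provider", "sub-consumer"):
            print(f"{svc.name}: connection from {sub} -> {svc.request_connection(f'pe-{sub}', sub)}")
```

The difference between the two setups is the security point: with visibility restricted to your subscription, a consumer elsewhere cannot even create a connection request, whereas with "*" every holder of the alias can, and each request then sits in Pending until you approve or reject it in the Private Link Service's connection list.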
Everything works as expected. A last look at our diagram shows that we are able to consume the service hosted on VM02, which has the same network addressing as our VM01, thanks to our internal LB.

At the time of writing, here is the list of Azure services that support Private Link:

Azure API Management - General Availability
Azure App Configuration - General Availability
Azure Automation - General Availability
Azure Backup - General Availability
Azure Batch (batchAccount) - General Availability
Azure Batch (nodeManagement) - Preview
Azure Bot Service - General Availability
Azure Cache for Redis - General Availability
Azure Cognitive Services - General Availability
Azure Container Registry - General Availability
Azure Cosmos DB - General Availability
Azure Data Factory - General Availability
Azure Database for MariaDB - General Availability
Azure Database for MySQL - General Availability
Azure Database for PostgreSQL - Single server - General Availability
Azure Digital Twins - Preview
Azure Event Grid - General Availability
Azure Event Hub - General Availability
Azure File Sync - General Availability
Azure Files - General Availability
Azure HDInsight - General Availability
Azure IoT Hub - General Availability
Azure Key Vault - General Availability
Azure Kubernetes Service - Kubernetes API - General Availability
Azure Machine Learning - General Availability
Azure Managed Disks - General Availability
Azure Migrate - General Availability
Azure Monitor (Log Analytics & Application Insights) - General Availability
Azure Queue storage - General Availability
Azure Relay - Preview
Azure Search - General Availability
Azure Service Bus - General Availability
Azure SignalR - General Availability
Azure SQL Database - General Availability
Azure Static Web Apps - Preview
Azure Synapse Analytics - General Availability
Azure Table storage - General Availability
Azure Web Apps - General Availability
Microsoft Purview - General Availability

The current list of services can be viewed here: https://docs.microsoft.com/en-us/azure/private-link/availability

To sum up, Private Link is an excellent solution for not exposing PaaS services on the Internet. Not every service is supported yet, but the list evolves very regularly. Microsoft encourages the use of Private Link for obvious security reasons, but also to reduce latency by keeping traffic on the Microsoft backbone instead of the Internet.

Can only remote into azure vm from DC
Hi all, I have set up a site-to-site connection from on-prem to Azure, and I can remote in via the main DC on-prem, but not from any other server, nor ping the Azure VM from any other server. Why can I only remote into the Azure VM from the server that has Routing and Remote Access? Any ideas on how I can fix this?

Resolving private-link resource internal ip from VPN
Using a Point-to-Site VPN to connect my PC to an Azure VNET (e.g. 10.99.0.0/16), and then Private Link to publish my PaaS services as endpoints into a subnet in this VNET (e.g. 10.99.2.0/24), I'm trying to understand how I resolve the internal IP of the PaaS resource from my PC.

My configuration:

    VNET:                    10.99.0.0/24
    subnetVM:                10.99.1.0/24
    subnetPaaS:              10.99.2.0/24
    SubnetVPN:               10.99.99.0/24
    VPN client address pool: 172.20.20.0/24

If I create a VM in this VNET (e.g. 10.99.1.4), I get 168.63.129.16 as the DNS server, and using:

    nslookup paasServicePublicDns

or:

    nslookup paasServicePublicDns 168.63.129.16

will correctly give me the internal IP for the PaaS service (i.e. 10.99.2.4).

But from my PC (connected via VPN to 10.99.99.0/24), using:

    nslookup paasServicePublicDns 168.63.129.16

will only give me the external/public IP for the PaaS service.

OK, the 168.63.129.16 address might not be routed to the VPN VNET, so I also added this route on my PC:

    route add 168.63.129.16 MASK 255.255.255.255 172.20.20.4

(172.20.20.4 is my VPN endpoint on my PC)

    route print -4 | FIND "172.20.20.4":

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
    10.99.0.0                  255.255.0.0      On-link       172.20.20.4     43
    10.99.255.255              255.255.255.255  On-link       172.20.20.4    281
    168.63.129.16              255.255.255.255  On-link       172.20.20.4     26
    172.20.20.0                255.255.255.0    On-link       172.20.20.4     43
    172.20.20.4                255.255.255.255  On-link       172.20.20.4    281
    172.20.20.255              255.255.255.255  On-link       172.20.20.4    281
    224.0.0.0                  240.0.0.0        On-link       172.20.20.4    281
    255.255.255.255            255.255.255.255  On-link       172.20.20.4    281

And to make sure the VPN connection has a DNS server defined, I also added 168.63.129.16 as the DNS server for the VPN connection:

    PPP adapter VNET-VPN:
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : VNET-VPN
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.20.20.4(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 168.63.129.16
       NetBIOS over Tcpip. . . . . . . . : Enabled

But still I can't get an IP address resolved. Any ideas why this is not working?