load balancer

12 Topics

Azure Firewall behind public load balancer configuration
Hi, I have a requirement to replace Sophos firewall with Azure Firewall Premium. The existing Sophos firewall is behind a public Azure load balancer (backend pool comprises the Sophos Firewall IPs). To set up a parallel configuration for Azure Firewall, I have configured a new public IP on the load balancer's frontend IP configuration. However, I do not see the Azure Firewall's public IP when trying to configure a backend pool. All the listed IPs belong to the same subnet as the load balancer's internal IP.

As per the below article, one can configure firewalls behind an external load balancer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/firewalls/

I am trying to understand how to chain the public load balancer and Azure Firewall such that I can access internal resources as is currently being done with the same public load balancer and Sophos firewall (NIC of Sophos is in the same subnet as internal NIC of this load balancer). Can someone please guide me?

Thanks
James

2.6K views, 0 likes, 3 comments

Unable to access AKS services via S2S VPN
Hi, we establish S2S VPN connection between our environment in Azure and on-premises with our customer. On Azure we create a new vnet with address space 10.10.0.0/16. That network has:

- GatewaySubnet (10.10.0.0/27)
- environmentSubnet (10.10.8.0/21 > 10.10.8.1-10.10.15.254)

Then we have Azure Kubernetes cluster (2 nodes) and internal load balancer (with static IP) for services inside k8s cluster. So each service has its own IP address from subnet environmentSubnet (10.10.8.0/24). For example:

- kubernetesService01: 10.10.15.5 (port 8080)
- kubernetesService03: 10.10.15.6 (port 8080)
- kubernetesService04: 10.10.15.7 (port 8080)

We can access all on-premises services from Azure through the VPN tunnel. The problem is in the opposite direction. From on-premises to Azure they can ping all the Kubernetes endpoints of the service, they can ping Kubernetes infrastructure (both scale sets/nodes), the testing VM (which is in the same network as the Kubernetes cluster), etc. But they can't reach our services inside Kubernetes, for example kubernetesService01/kubernetesService02/kubernetesService03, by specific port. So if they run telnet/curl on 10.10.15.5:8080, they don't get any response.

We also configured NSG for Virtual machine scale set with rule - allow everything from everywhere. We tested connection between testing VM (which is in the same subnet as the Kubernetes services, with IP 10.10.8.105) and Kubernetes services, and telnet/curl works fine. I suppose that this means that the connection between vnet and Kubernetes services works? Routing from the VM to the service and then to the Kubernetes endpoint must work fine. But unlike the Kubernetes services, they can telnet the testing VM (telnet 10.10.8.105 22) from on-premises through the VPN tunnel.

Any idea what we can check or how we can monitor the traffic coming from the VPN tunnel? How to find out why they can ping pods within Kubernetes but can't access Kubernetes services on specific ports?
Thank you!

1.6K views, 0 likes, 1 comment

Application Gateway Backend Port Routing
Scenario: Set up App Gateway to allow traffic from several different alias URLs (appa.gateway.com / appb.gateway.com / appc.gateway.com); these will all point to the private IP front end over 443. That's easy enough to do. Based on those calls from each of the individual aliases, then route the traffic to a different PORT on a backend which is all the same VM.

Use case:
- Calls from appa.gateway.com should go to VM1 on port 44301
- Calls from appb.gateway.com should go to VM1 on port 44302
- Calls from appc.gateway.com should go to VM1 on port 44303

Is this possible using App Gateway? It's not possible to have the same backend VM, so I was thinking of having multiple NICs on the same VM that each backend would point to?

Caveat... this is dev so it's just one VM on the backend; when we get to QA/prod there will be several, so I'm thinking I will need a load balancer that the App Gateway points to.

1.3K views, 0 likes, 1 comment

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?

1.3K views, 0 likes, 5 comments

Load Balancer in front of Application Gateway, port steering
Hi, I have both HTTP(S) and non-HTTP(S) traffic going into a VM. I would like to have a WAF for the HTTP(S), so I have created an Application Gateway and connected it with the VM, which works well. However, I have non-HTTP(S) traffic as well going over different ports which I would like to go straight to the VM. To split the traffic I have created a Load Balancer with the previously mentioned AppGw in its backend pool. I have configured the AppGw's private IP, a listener for it, backend settings and a backend pool with the VM in it. Unfortunately, I am not able to connect to the VM using the Load Balancer public IP and HTTP.

Is it possible to have an LB in front of the AppGw? If not, does anyone have an idea on how to split the traffic while still having an AppGw just for HTTP(S)? Thanks!

1.2K views, 0 likes, 4 comments

Azure SDK python client to Azure iothub over HAproxy (SSL handshake failure)
I am trying to fix an IP address for Azure IoT Hub via Load Balancer and HAproxy as suggested in this solution: Connection architecture

I have configured the HAproxy as suggested to pass the SSL handshake to the server:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend haproxy_iothub
        bind *:8883
        bind *:443
        bind *:5671
        mode tcp
        default_backend iothub

    backend iothub
        mode tcp
        server iothub [Server URL]:8883 check
        server iothub [Server URL]:443 check
        server iothub [Server URL]:5671 check

To simulate the device, I used Azure V2 SDK (azure-iot-device), defined a proxy option and created a client from a connection string:
    import socks
    from azure.iot.device import IoTHubDeviceClient, ProxyOptions

    # HTTP CONNECT proxy pointing at the HAproxy front end (placeholder address as posted)
    proxy_opts = ProxyOptions(proxy_type=socks.HTTP, proxy_addr="Proxy_ IP", proxy_port=8883)

    # Device client using MQTT over WebSockets, routed through the proxy above
    device_client = IoTHubDeviceClient.create_from_connection_string(
        "IOTHUB_DEVICE_CONNECTION_STRING",
        websockets=True,
        proxy_options=proxy_opts,
    )

I was not able to reach the IoT Hub. I tried debugging the library to get more information and it turned out that the blocking occurs due to a general proxy error ("connection closed unexpectedly") in _negotiate_HTTP:

    socks.HTTPError: 504 : Gateway Time-out (in socks.py)

HAproxy logging shows:

    Oct 18 08:48:37 vmss2xigg000000 haproxy[27470]: *..:59000 [18/Oct/2021:08:48:37.451] haproxy_iothub iothub/iothub1 1/1/38 0 -- 1/1/0/0/0 0/0

Any help much appreciated.

HA-Proxy version 1.8.8-1ubuntu0.11
Azure-iot-device version 2.8.0

1.1K views, 0 likes, 0 comments

Need help with Azure Load Balancer
Hello, I'd appreciate help with setting up Azure Load Balancer with one FreeBSD VM in the backend pool for authoritative DNS. I'm using a dedicated VNET called VNET-PRIVATE-DMZ which is peered with Azure Local Network Gateway so I can access Azure resources via IPSec tunnel. The default gateway for VNET-PRIVATE-DMZ is the VPN gateway -- everything is working fine and I can access the FreeBSD VM from on-premises. The FreeBSD box has NSD installed, it's up and running and I can query it from the on-premises network. The Network Security Group assigned to the interface has a rule allowing 53/TCP from any.

    $ ifconfig
    hn0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
            options=7eef07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,NV,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG,TXTLS4,TXTLS6,VXLAN_HWCSUM,VXLAN_HWTSO>
            ether 00:22:48:ca:4d:69
            inet 10.94.0.6 netmask 0xfffffe00 broadcast 10.94.1.255
            media: Ethernet 100GBase-CR4 <full-duplex,rxpause,txpause>
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

    $ sockstat -4 | grep 53
    nsd      nsd        801 6  udp4   *:53                  *:*
    nsd      nsd        801 7  tcp4   *:53                  *:*

The Azure NLB has a public IP assigned in the Frontend configuration and the backend pool consists of my FreeBSD VM. There is one health probe configured over 53/TCP, and one load balancing rule for the same 53/TCP.

The issue is that I can't seem to access 53/TCP over the frontend public IP. I run tcpdump on the FreeBSD box and I see nothing coming. It's almost like the Load Balancer doesn't know how to reach FreeBSD, but the health probe is all green. Any tips would be greatly appreciated.

700 views, 0 likes, 2 comments

Can only remote into Azure VM from DC
Hi all, I have set up a site-to-site connection from on-prem to Azure and I can remote in via the main DC on-prem, but not from any other server, nor ping from any other server to Azure. Why can I only remote into the Azure VM from the server that has Routing and Remote Access? Any ideas on how I can fix this?

692 views, 0 likes, 0 comments

Not able to set up Azure private endpoint URL as web service/backend for Azure API Management service
Hi all, I have integrated a Private Endpoint connected to a Private Link Service. The Private Link Service is created by an Azure standard load balancer, which is created by a Kubernetes load balancer service using the below annotations:

    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-pls-create: "true"
      service.beta.kubernetes.io/azure-pls-name: myPLS
      service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
      service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
      service.beta.kubernetes.io/azure-pls-visibility: "*"  # does not apply here because we will use Front Door later
      service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"

I am getting the expected response, i.e. the response from the Kubernetes service, from the Private Endpoint IP, which confirms that the Private Link and Private Endpoint integration is working fine.

We now want to integrate the above Private Endpoint service with Azure API Management service, so we tried adding the Private Endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

    {
      "statusCode": 500,
      "message": "Internal server error",
      "activityId": "76261291-7121-4814-b0e4-66b52284d76c"
    }

I also tried the API Management service Troubleshoot & analysis page for the exact error; it's showing the below error:

    BackendConnectionFailure An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me with what I am doing wrong in this implementation. Our requirement is to have a Kubernetes private load balancer and integrate it with Azure API Management service, so users can access the API only through the API Management service and only the API Management service should be able to access the load balancer service.
Thanks in advance

678 views, 0 likes, 0 comments

When measuring the speed using iperf, the speed does not exceed 30 Mbps
Hello! We have encountered a problem when using Azure virtual servers. When measuring the speed using iperf, the speed does not exceed 30 Mbps. Why is the speed so low? Are there restrictions on Azure servers?

606 views, 0 likes, 0 comments