load balancer
12 Topics

Azure Firewall has no capacity to maintain source IP on outbound traffic?
Hello all,

My use case: To have multiple static public IP addresses attached to Azure Firewall with SNAT rules configured so that the public IP isn't just randomly selected. We have multiple services that have whitelisting configured for specific public load balancer IPs and now we are trying to move them behind Azure Firewall. Since there is whitelisting on the destination, the public IP being randomly selected won't work.

My resources:
- One instance of premium SKU Azure Firewall.
- Hub and spoke architecture.
- Route tables being used to force traffic through Firewall (routed to private IP of firewall).

The research I have conducted: I have tried absolutely everything I can think of before coming to this forum and from what I can tell the 4 ways of outbound connectivity provided by Azure are:
- Default outbound connectivity. Against best practice to do this and won't work since it's routing through a virtual appliance (firewall).
- Associate a NAT gateway to a subnet. This won't work since we have only one instance of Azure Firewall and the requirement for multiple public IPs to be used.
- Assign a public IP to a virtual machine. Not applicable, sitting in backend pool of a load balancer, single public IP to be used for multiple member servers.
- Using the frontend IP address(es) of a load balancer for outbound via outbound rules. Needs to go through the firewall, impossible unless we can somehow integrate the firewall between the load balancer and the backend pool?

Expanding more on the load balancer scenario, I ran across this documentation in Microsoft Learn. This looks great to tackle the asymmetric routing issue; however, we are only interested in maintaining the source IP for outbound traffic. This would again just use the firewall's public IP for outbound traffic and again randomly select it.

Consensus: It seems bizarre to me that Azure has no capacity for static SNAT configuration like most firewalls do.
I would have thought a large number of use cases would require this function. Am I missing something? Is there another workaround? Or is Azure just behind the 8-ball with networking? Thanks heaps in advance for any help :)

Much appreciated,
usernameone101

(Solved)

App Connectivity issue
I have come across an issue being reported by one of the users stating that he is unable to connect to an application on port 5672 hosted behind an Azure internal load balancer. On my observation from the Azure portal post login, I see that the Azure front end load balancer is marking the front end port as unresponsive/down for service 5672, while the back end port 2009 on the Azure internal load balancer is seen up on the back end pool virtual F5. Port mapping is done properly on Azure. The error as seen on Azure is "TCP probe out, unhealthy backend instances or unhealthy app listening on port". However, when I check on the virtual F5, the backend server is responding on port 5672 normally and the health checks look ok, thereby the VIP is marked as up. Is this abnormal behaviour on the application side against the 5672 service, or is there something more to check on the Azure side which is resulting in the TCP probe out error? Please suggest.

Azure Firewall behind public load balancer configuration
Hi,

I have a requirement to replace a Sophos firewall with Azure Firewall Premium. The existing Sophos firewall is behind a public Azure load balancer (the backend pool comprises the Sophos firewall IPs). To set up a parallel configuration for Azure Firewall, I have configured a new public IP on the load balancer's frontend IP configuration. However, I do not see the Azure Firewall's public IP when trying to configure a backend pool. All the listed IPs belong to the same subnet as the load balancer's internal IP.

As per the below article, one can configure firewalls behind an external load balancer.
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/firewalls/

I am trying to understand how to chain the public load balancer and Azure Firewall such that I can access internal resources as is currently being done with the same public load balancer and Sophos firewall (the NIC of the Sophos is in the same subnet as the internal NIC of this load balancer). Can someone please guide me?

Thanks,
James

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all,

I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?

Need help with Azure Load Balancer
Hello,

I'd appreciate help with setting up Azure Load Balancer with one FreeBSD VM in the backend pool for authoritative DNS. I'm using a dedicated VNET called VNET-PRIVATE-DMZ which is peered with an Azure Local Network Gateway so I can access Azure resources via an IPSec tunnel. The default gateway for VNET-PRIVATE-DMZ is the VPN gateway; everything is working fine and I can access the FreeBSD VM from on-premise. The FreeBSD box has NSD installed, it's up and running and I can query it from the on-premise network. The Network Security Group assigned to the interface has a rule allowing 53/TCP from any.

$ ifconfig
hn0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=7eef07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,NV,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG,TXTLS4,TXTLS6,VXLAN_HWCSUM,VXLAN_HWTSO>
        ether 00:22:48:ca:4d:69
        inet 10.94.0.6 netmask 0xfffffe00 broadcast 10.94.1.255
        media: Ethernet 100GBase-CR4 <full-duplex,rxpause,txpause>
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

$ sockstat -4 | grep 53
nsd      nsd        801 6  udp4   *:53                  *:*
nsd      nsd        801 7  tcp4   *:53                  *:*

The Azure NLB has a public IP assigned in the Frontend configuration and the backend pool consists of my FreeBSD VM. There is one health probe configured over 53/TCP, and one load balancing rule for the same 53/TCP. The issue is that I can't seem to access 53/TCP over the frontend public IP. I run tcpdump on the FreeBSD box and I see nothing coming. It's almost like the Load Balancer doesn't know how to reach FreeBSD, but the health probe is all green. Any tips would be greatly appreciated.

Load Balancer in front of Application Gateway, port steering
Hi,

I have both HTTP(S) and non-HTTP(S) traffic going into a VM. I would like to have a WAF for the HTTP(S), so I have created an Application Gateway and connected it with the VM, which works well. However, I have non-HTTP(S) traffic as well going over different ports which I would like to go straight to the VM. To split the traffic I have created a Load Balancer with the previously mentioned AppGw in its backend pool. I have configured the AppGw's private IP, a listener for it, backend settings and a backend pool with the VM in it. Unfortunately, I am not able to connect to the VM using the Load Balancer public IP and HTTP. Is it possible to have an LB in front of the AppGw? If not, does anyone have an idea on how we can split the traffic while still having an AppGw just for HTTP(S)? Thanks!

Application Gateway Backend Port Routing
Scenario: Set up App Gateway to allow traffic from several different alias URLs (appa.gateway.com / appb.gateway.com / appc.gateway.com); these will all point to the private IP front end over 443. That's easy enough to do. Based on those calls from each of the individual aliases, then route the traffic to a different PORT on a backend which is all the same VM.

Use case:
- Calls from appa.gateway.com should go to VM1 on port 44301
- Calls from appb.gateway.com should go to VM1 on port 44302
- Calls from appc.gateway.com should go to VM1 on port 44303

Is this possible using App Gateway? It's not possible to have the same backend VM, so I was thinking of having multiple NICs on the same VM that each backend would point to? Caveat... this is dev, so it's just one VM on the backend; when we get to QA / prod there will be several, so I'm thinking I will need a load balancer that the App Gateway points to.

When measuring the speed using iperf, the speed does not exceed 30 Mbps
Hello! We have encountered a problem when using Azure virtual servers. When measuring the speed using iperf, the speed does not exceed 30 Mbps. Why is the speed so low? Are there restrictions on Azure servers?

Not able to setup azure private endpoint url as webservice/backend for Azure API Management service
Hi all,

I have integrated a Private Endpoint connected to a Private Link Service. The Private Link Service is created by an Azure standard load balancer, which is created by a Kubernetes load balancer service using the below annotations.

  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-pls-create: "true"
    service.beta.kubernetes.io/azure-pls-name: myPLS
    service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
    service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
    service.beta.kubernetes.io/azure-pls-visibility: "*"   # does not apply here because we will use Front Door later
    service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"

I am getting the expected response, i.e. the response from the Kubernetes service, from the Private Endpoint IP, which confirms that the Private Link and Private Endpoint integration is working fine.

We now want to integrate the above Private Endpoint service with the Azure API Management service, so we tried adding the Private Endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

  {
    "statusCode": 500,
    "message": "Internal server error",
    "activityId": "76261291-7121-4814-b0e4-66b52284d76c"
  }

I also tried the API Management service Troubleshoot & analysis page for the exact error; it's showing the below error:

  BackendConnectionFailure
  An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me with what I am doing wrong in this implementation. Our requirement is to have a Kubernetes private load balancer and integrate it with the Azure API Management service, so users can access the API only through the API Management service and only the API Management service should be able to access the load balancer service.
Thanks in advance

Unable to access AKS services via S2S VPN
Hi,

We established an S2S VPN connection between our environment in Azure and on-premises with our customer. On Azure we created a new vnet with address space 10.10.0.0/16. That network has:
- GatewaySubnet (10.10.0.0/27)
- environmentSubnet (10.10.8.0/21 > 10.10.8.1-10.10.15.254)

Then we have an Azure Kubernetes cluster (2 nodes) and an internal load balancer (with static IP) for services inside the k8s cluster. So each service has its own IP address from the subnet environmentSubnet (10.10.8.0/24). For example:
- kubernetesService01: 10.10.15.5 (port 8080)
- kubernetesService03: 10.10.15.6 (port 8080)
- kubernetesService04: 10.10.15.7 (port 8080)

We can access all on-premises services from Azure through the VPN tunnel. The problem is in the opposite direction. From on-premises to Azure they can ping all the Kubernetes endpoints of the services, they can ping the Kubernetes infrastructure (both scale sets/nodes), the testing VM (which is in the same network as the Kubernetes cluster) etc. But they can't reach our services inside Kubernetes, for example kubernetesService01/kubernetesService02/kubernetesService03, on the specific port. So if they run telnet/curl on 10.10.15.5:8080, they don't get any response.

We also configured an NSG for the virtual machine scale set with a rule: allow everything from everywhere. We tested the connection between the testing VM (which is in the same subnet as the Kubernetes services, with IP 10.10.8.105) and the Kubernetes services, and telnet/curl works fine. I suppose that this means that the connection between the vnet and the Kubernetes services works? Routing from the VM to the service and then to the Kubernetes endpoint must work fine. But unlike the Kubernetes services, they can telnet the testing VM (telnet 10.10.8.105 22) from on-premises through the VPN tunnel.

Any idea what we can check or how we can monitor the traffic coming from the VPN tunnel? How to find out why they can ping pods within Kubernetes but can't access Kubernetes services on specific ports?
Thank you!