Forum Widgets
Latest Discussions
Office-js addin with webapi in Api management. Failed to fetch
Hello. My application contains one office-js addin (typescript) project + one Webapi core (c#) project, both communicating through a fetch function when cors is enabled.It works together properly on my local computer. I published : - the webapi on azure api management (https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-rest-api). Test gaves a 200 OK. - the Office addin on azure. It works properly (as long the fetch function is not involved). However when used, fetch function raises errors (message = "failed to fetch").The issue may be about proper ssl certificates as described in : https://docs.microsoft.com/en-us/office/dev/add-ins/concepts/requirements-for-running-office-add-ins. Is it a possible solution ? I tried with self signed certificate with no success so far. Is there any tutorial explaining how to implement it ? Any help would be appreciated
Networking out Private VNET in AZURE with a third party app such as payment gateway?
I need to do networking so that my VNET in Azure connects to third party applications such as payment gateways or messaging apps which are in Public internet. Please let me know the options and why we should prefer one over the other?
Spoke-Hub-Hub Traffic with VPN Gateway BGP and Firewall Issue
Hello, I’m facing a situation where I’m trying to have Azure Firewall Inspection on the VPN Gateway VNET-VNET Connectivity. It seems to work if I go from SpokeA-HubAFirewall-HubAVPN—HubBVPN-SpokeB but if I try to go from SpokeA-HubAFirewall-HubAVPN-HubBVM or Inbound Resolver it fails to route correctly according to Connectivity Troubleshooter it stops at HubAVPN with Local Error: RouteMissing but then reaches destination health so makes me believe it’s getting there but not following the route I want it to take which might be causing routing issues. What Am I missing here? This connectivity was working before introducing the Azure Firewall for Inspection with the UDR. Is what I’m trying to accomplish not possible? I’ve tried different types of UDR rules on the Gateway Subnet, and this is my most recent configuration. The reason I’m trying to accomplish this is because I’m seeing a similar error in our Hub-Spoke Hybrid environment and I’m trying to replicate the issue. Current Configuration 2x Hubs with Spoke networks attached so example Hub-Spoke-A Configuration: Hub-A Contains following subnets and Resources VPN Gateway - GateWaySubnet Azure Firewall - AzureFirewallSubnet Inbound Private Resolver - PrivateResolverSubnet Virtual Machine – VM Subnet Gateway Subnet has an attached UDR with the following routes Propagation - True Prefix Destination – Hub-B Next Hop Type – Virtual Appliance Next Hope IP – Hub-A Firewall Prefix Destination – Spoke-B Next Hop Type – Virtual Appliance Next Hope IP – Hub-A Firewall Hub-Spoke-B Configuration: Hub-B Contains following subnets and Resources VPN Gateway - GateWaySubnet Azure Firewall - AzureFirewallSubnet Inbound Private Resolver - PrivateResolverSubnet Virtual Machine – VM Subnet Gateway Subnet has an attached UDR with the following Routes Propagation - True Prefix Destination – Hub-A Next Hop Type – Virtual Appliance Next Hope IP – Hub-B Firewall Prefix Destination – Spoke-A Next Hop Type – Virtual Appliance Next Hope IP – Hub-B Firewall Spoke Subnets has an attached UDR with the following Routes Propagation - True Prefix Destination – 0.0.0.0/0 Next Hop Type – Virtual Appliance Next Hope IP – HubA/HubB Firewall (Depending on what hub its peered to) VPN Gateways HA VNET-VNET with BGP Enabled. I can see that it knows the routes and like I said this was working prior introducing the UDRs for force traffic through the azure firewall.
Azure DDoS Protection Standard
Hi Team, Is it recommended to have Azure DDoS Protection Standard enabled for Virtual Network where Virtual network gateways are associated with that Virtual network? This VNG is establishing a VPN tunnel with Onprem VPN Devices. what is the security risk if I am using basic DDoS protection?
Application Security Group
We can associate a VM/NIC with an application security group (ASG) easily either through GUI or Powershell. If I have a SQL Server (PaaS) which is not a VM, how do I associate the SQL Server to application security group? There doesn't seem to be a GUI interface where I can associate it. I do see from Powershell command that the private endpoint or private NIC used on the SQL server has a property for application security group, but the normal set-aznetworkinterface doesn't work on private endpoint. Anyone knows a way to somehow associate it with a application security group? Thanks.
Load Balancer Session Persistence and Existing Connections Clear Information
Hi, Going on Azure documentation on session persistence for Load balancers and reading the following on client IP and protocol: 1) It is mentioned in this article that Client IP and protocol settings is used to solve an incompatibility issue between Azure Load balancer and the Remote Desktop Gateway. In the scenario mentioned that TCP and UDP are used with client ip address and protocol. If I understand correctly this setting should send UDP from same client to a different load balancer. So it does not solve this problem. 2) The behavior of existing connections through a load balancer. As per my understanding TCP connections will not be rebalanced to a new backend instance after a failure while UDP will actually be sent to another VM as it is connectionless. is this somehow related to the persistence settings ? Does Azure have any workaround for this behavior. For example GCP has this feature of rebalancing existing connections. Thanks.
What would be the expected behavior for an NSP?
I'm using a network security perimeter in Azure. In the perimeter there are two resources assigned: A storage Account and An Azure SQL Databse. I'm using the BULK INSERT dbo.YourTable FROM 'sample_data.csv' getting data from the storage account. The NSP is enforced for both resources, so the public connectivity is denied for resources outside the perimeter I have experienced this behavior: the azure SQL CANNOT access the storage account when I run the command. I resolved using: I need to add an outbound rule in the NSP to reach the storage fqdn I need to add an inbound rule in the NSP to allow the public IP of the SQL Azure When I do 1 and 2, azure SQL is able to pump data from the storage. IMHO this is not the expected behavior for two resources in the NSP. I expect that, as they are in the same NSP, they can communicate to each other. I have experienced a different behavior when using keyvault in the same NSP. I'm using the keyvault to get the keys for encryption for the same storage. For the key vault, i didn't have to create any rule to make it able to communicate to the storage, as they are in the same NSP. I know, Azure SQL is in preview for the NSP and the keyvault in GA, but I want to ask if the experienced behavior (the SQL CANNOT connect to the storage even if in the same NSP) is due to a unstable or unimplemented feature, or I'm missing something? What is the expected behavior? Thank you community!!Azure SDK python client to Azure iothub over HAproxy (SSL handshake failure)
I am trying to fix an IP address for Azure Iothub via Load Balencer and HAproxy as suggested in this https://medium.com/cloudzone/azure-iot-hub-how-to-expose-it-using-fixed-ip-and-create-a-more-secure-environment-along-the-way-988661a8f67a: https://i.stack.imgur.com/gyQ9j.png I have configured the HAproxy as suggested to pass the SSL handshake to the server: global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # An alternative list with additional directives can be obtained from # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend haproxy_iothub bind *:8883 bind *:443 bind *:5671 mode tcp default_backend iothub backend iothub mode tcp server iothub [Server URL]:8883 check server iothub [Server URL]:443 check server iothub [Server URL]:5671 check To simulate the device, I used Azure V2 SDK (azure-iot-device) and defined a proxy option and created a client from a connection string. proxy_opts = ProxyOptions(proxy_type=socks.HTTP, proxy_addr="Proxy_ IP", proxy_port=8883) device_client = IoTHubDeviceClient.create_from_connection_string("IOTHUB_DEVICE_CONNECTION_STRING", websockets=True, proxy_options=proxy_opts ) I was not able to reach the iothub, I tried debugging the library to get more information and it turned out that the blocking occurs due to a general proxy error ("connection closed unexpectedly") in _negotiate_HTTP. socks.HTTPError :504 : Gateway Time-out (in socks.py) HAproxy logging showes : Oct 18 08:48:37 vmss2xigg000000 haproxy[27470]: *..:59000 [18/Oct/2021:08:48:37.451] haproxy_iothub iothub/iothub1 1/1/38 0 -- 1/1/0/0/0 0/0 Any help much appreciated HA-Proxy version 1.8.8-1ubuntu0.11 Azure-iot-device Version 2.8.0Help needed for Azure Virtual Network Gateway and Azure SQL
Good morning all, Just like the rest of the globe, alot of our staff are now working from home which means we needed to give them access to the data they used daily. We created an Azure Virtual Desktop solution however, now need to work on getting a VPN working. We have got the Virtual Network Gateway setup and working for access to our Standard SQL VM's. NSGs are in place for DNS and the SQL ports however, when we turn our attention to Azure SQL, it gets a bit more complicated. I have created the Private Endpoints for each of the Azure SQL instances we require, this wasn't a problem. Our issue is that the main production database needs to be accessed by an external agent who will not have access to the VPN. 90% of the users who will connect to this database won't have a static IP so leaving 'Deny Public Network Access' unchecked isn't possible. Is there a way to have 'Deny Public Network Access' checked so our VPN users can use the Private Endpoint while still giving public access to a single external user? Previously, they have had the database firewall configured with their IP ranges so this is only appearing as an issue now with the impending denial of public access. Hope that makes sense.