Latest Discussions
Hub spoke design with NVA firewall
I have my Azure landing zone set up but it isn't working as I expected. So I have a vnet named vnet-lz-fw-001 with 2 subnets, External and Trusted. I then have an NVA Watchguard Firewall with an interface on each subnet. I then have 2 further vnets, vnet-lz-prod-001 and vnet-lz-id-001. Each of these vnets has peering to vnet-lz-fw-001 but no peering between each other. vnet-lz-prod-001 and vnet-lz-id-001 have user defined routes to point to each other via the trusted interface on the Watchguard NVA. The Watchguard firewall has static routes to point to each subnet in the vnets via the Trusted interface gateway address. Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping each other, but when they do it's not routing via the Watchguard firewall. Is this expected behavior? Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping the trusted interface on the Watchguard Firewall OK.
jlhall1000 | Sep 11, 2025 | Occasional Reader | 15 Views | 0 likes | 1 Comment

Storage not reachable from network using service endpoint.
Hello, here is the situation. The storage (file share) had assigned networks to allow access. We refreshed some changes in the NSG from the network using Bicep code (outbound was permitted all, no change; inbound, we updated the name of a rule). What happened: no more access to the storage. No more connection on the SMB port. The port was reported as closed. We removed the storage configuration of allowed networks (the status was still green), we added it back and magically it started to work. Any hints of what could have gone wrong? Thank you.
25 Views | 0 likes | 1 Comment

Azure Web App - Connect to Azure Managed Instance SQL DB
Hi there, I need ideas how to let an Azure Web App connect to an Azure SQL DB (managed by Azure Managed Instance). The Web App has public network access but no private endpoint; the SQL Managed Instance is added to an Azure virtual network/subnet. So, the Web App is facing the internet only. The SQL Server is connected to the internal network only. The Web App cannot connect to the SQL instance. I tried to create a private endpoint on the managed instance to get it to work, but without success. As I am not too deep into the networking part of Azure I hoped to get help on how to approach this. I need to be able to connect the web app to the managed instance. Just creating a private endpoint on the Web App resource shows a warning that this undermines security. So I am looking for a secure way to achieve a connection from the Web App to the SQL instance/database. Thanks in advance.
Additional information: the SQL instance and databases are reachable from virtual machines running in Azure that have network adapters in the virtual network where the SQL server is running. It's only the web app that is not able to connect (most likely because of the missing internal network connection).
Microsoft.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - An attempt was made to access a socket in a way forbidden by its access permissions.) ---> System.ComponentModel.Win32Exception (10013): An attempt was made to access a socket in a way forbidden by its access permissions.
PhilFancyAndMe | Aug 11, 2025 | Iron Contributor | 562 Views | 0 likes | 2 Comments

Monitor Azure network components
Hi team, hope you're doing well. Today, I need some advice to implement monitoring on network resources. For one of my clients, I'm in charge of deploying the dedicated infrastructure foundation for each project. This foundation is essentially composed of:
- A virtual network (VNet)
- One or more subnets (SNETs)
- A Route Table (RT) dedicated to a subnet
- User Defined Routes (UDRs) associated with an RT
This infrastructure foundation is consumed by the project, so it's imperative that we have a dashboard view to assess the health of each component. To provide visual monitoring, I want to leverage Azure Monitor. I therefore want to create a Network dashboard, where I can see the status of resources at a glance. The problem is that the metrics currently offered by Azure Monitor for dashboard creation are quite limited, according to the official Microsoft documentation. Here is the list of official Microsoft links for Azure resources that offer metrics: VNet and subnets - Virtual Networks: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-network-virtualnetworks-metrics I also checked Network Insights, and unfortunately the solution doesn't support the mentioned components. I know it's also possible to use workbooks to retrieve certain information. Are there any native Azure solutions that provide visual monitoring of these resources? Thank you for your help.
arnaud_grow-una | Aug 11, 2025 | Brass Contributor | 166 Views | 0 likes | 4 Comments

Please Continue Supporting Private Link for Azure Function origins in Azure Front Door Premium
We recently opened a support case because we are no longer able to enable private link using the Azure Front Door User Interface in the Azure Portal to Azure Function origins that reside in our ILB Application Service Environment (ASE) V3 within an Isolated V2 Azure App Service plan. We need this feature enabled again, but we received the following response regarding this issue. “We just received an update on the issue from the product level team; actually the private link is not supported for function apps, it used to work by accident. So they started removing it now, they blocked it on the portal, and further they will be doing it for CLI/PowerShell as well. The previous function apps for which the private link is enabled and working fine will be disassociated at any time. Unfortunately, they suggested users not go with private link for function apps anymore.” Private link to Azure Functions apps running in an Isolated V2 Azure App Service plan is supported by Azure Front Door; the feature should continue to be supported and subject to the Azure Front Door SLA. It is possible to create Private Links from Azure Front Door to Azure Functions origins that reside in our ILB ASE V3 within an Isolated V2 Azure App Service plan. We have created Private Links from Azure Front Door to our Production Azure Functions, and they have been connected since 2022. The Azure Front Door documentation references that the product supports Private Link for both Azure App Service and Azure Function origins.
1. We were previously able to enable private link from Azure Front Door, using the User Interface in the Azure Portal, to Azure Functions origins that reside in our ILB Application Service Environment (ASE) V3 within an Isolated V2 Azure App Service plan. The Azure Front Door documentation contains language that supports that Azure Front Door supports Private Link for Azure App Service and Azure Functions origins. Stated in the doc “Secure traffic to Azure Front Door origins”: “Private Link origins When you use the premium SKU of Front Door, you can use Private Link to send traffic to your origin. Learn more about Private Link origins. You should configure your origin to disallow traffic that doesn't come through Private Link. The way that you restrict traffic depends on the type of Private Link origin you use: Azure App Service and Azure Functions automatically disable access through public internet endpoints when you use Private Link. For more information, see Using Private Endpoints for Azure Web App.” https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium#private-link-origins Stated in the doc “Connect Azure Front Door Premium to an App Service origin with Private Link using Azure CLI”: “Private endpoints requires your App Service plan or function hosting plan to meet some requirements….” https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app-cli
2. Azure Functions can run in an App Service plan, and support for private endpoint and private link for Azure App Service and Azure Functions is generally available. https://learn.microsoft.com/en-us/azure/private-link/availability https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-portal#private-endpoints
3. We are now unable to enable private link using the Azure Front Door User Interface in the Azure Portal to Azure Functions origins that reside in our ILB ASE V3 within an Isolated V2 Azure App Service plan. We need this feature enabled again.
4. We are still able to enable private link to Azure Function origins that reside in our ILB ASE V3 within an Isolated V2 Azure App Service plan with the Azure CLI.
I recently discovered the Note was added to the azure-docs on April 25th, 2024, which is after we opened our support incident: https://github.com/MicrosoftDocs/azure-docs/commit/6d7d40b4a9c0b1e843aa81a121ecb83468043803 The reference to Functions not being a supported feature is false and I request that it be removed.
Josh-D | Jul 26, 2025 | Copper Contributor | 641 Views | 0 likes | 1 Comment

WordPress App how to restrict access to specific pages on the site
Hello all, I have a WordPress App hosted on Azure and I am struggling with how I can secure specific pages from public access. For example: http://www.mysite.com/wp-admin http://www.mysite.com/info.php I'd like it so that only specific IP addresses or Microsoft user accounts can access some, such as admin pages, and for some pages I'd like no access at all, where it just blocks any sort of visit. I've viewed the documentation for Front Door and some networking restrictions but that seems to be just IP addresses and I'm confused about how I can set those rules for specific pages within the App. I know WordPress offers plugins which have this sort of functionality but I'd like to take advantage of Azure's security features rather than plugins from WordPress. Any help is very appreciated. Thank you.
SergeiDrewEmerge | Jul 16, 2025 | Copper Contributor | 507 Views | 0 likes | 1 Comment

App Connectivity issue
I have come across an issue being reported by one of the users stating that he is unable to connect to an application on port 5672 hosted behind an Azure internal load balancer. On my observation from the Azure portal post login, I see that the Azure front end load balancer is marking the front end port as unresponsive/down for service 5672, while the back end port 2009 on the Azure internal load balancer is seen up on the back end pool virtual F5. Port mapping is done properly on Azure. The error as seen on Azure is “TCP probe out, unhealthy backend instances or unhealthy app listening on port”. However, when I check on the Virtual F5 the backend server is responding on port 5672 normally, the health checks look OK, thereby the VIP is marked as up. Is this abnormal behaviour on the application side against the 5672 service, or something more to check on the Azure side which is resulting in the TCP probe out error? Please suggest.
getrajan1 | Jul 14, 2025 | Copper Contributor | 154 Views | 1 like | 2 Comments

CloudNetDraw – Instantly generate Azure network diagrams
Hi everyone, I wanted to share a tool I’ve built that might help some of you who regularly document or review Azure network topologies. CloudNetDraw is a free tool that generates Azure network diagrams (HLD and MLD) directly from your environment. It supports both user login and service principals — or you can self-host it.
What it does:
- Visualizes hub and spoke topology
- Shows all subnets with CIDRs
- Highlights NSG and UDR presence
- Exports editable Draw.io files
- Hosted version available, or deploy it yourself
- Open source on GitHub
Try it here: https://www.cloudnetdraw.com GitHub repo: https://github.com/krhatland/cloudnet-draw
Privacy & Security: CloudNetDraw does not collect any information about your network resources or environment. Drawings are generated in memory and deleted immediately after use. We do not store, access, or analyze your topology data. Would love to hear your thoughts or suggestions! Thanks, Kristoffer
khatland | Jul 03, 2025 | Copper Contributor | 441 Views | 2 likes | 2 Comments

Az Virtual Network Manager Multi-Region Hub-Spoke Topology
I'm evaluating Network Manager for a customer with a fairly default topology scenario, being multi-region hub-spoke with inter-region meshed hubs. However, I find the existing documentation unclear and the product not intuitive enough on how to achieve this. There is a matching graphic on the following learn article, but the accompanying text above rather mentions the global mesh option to connect spokes in different regions, not hubs... https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke#automation-with-azure-virtual-network-manager
My configuration approach so far is:
- Network groups containing all VNets of a region
- Hub & spoke connectivity configuration applied with group and selecting matching regional hub VNet
- Network group of hub VNets
- Mesh connectivity configuration with global mesh enabled applied to group
However, when I look at the visualization, there seems to be no connection among the hubs. Is this the right way or did I miss/misinterpret something?
Lyndon678 | Apr 22, 2025 | Copper Contributor | 233 Views | 0 likes | 4 Comments

BGP Routing from and to VPN Gateway
Hello all, I am setting up a lab concerning vWAN connection to on-prem via SD-WAN and I have some issues getting the routing to work properly. I have a hub which symbolizes the on-premises hub with a VPN gateway (gw-onprem) and a VM (on-prem-hubvm) deployed. Attached to the onprem-hub is a) an on-prem spoke with a VM (on-prem VM), b) two vnets that symbolize the SD-WAN, both of which have a VPN gateway as well as one VM each deployed (gw-sd-1/2). The SD-WAN gateways are connected via S2S to two different vWAN hubs in two different locations. The vWAN has a third hub which is not directly connected to on-prem. What I am trying to lab is what direction the traffic is taking from the vWAN hubs to the last on-premises VM. The traffic currently goes all the way through the S2S VPN connection, but it gets dropped afterwards. I am struggling to set up the routing from the SD GWs to the on-premises machine. The routing needs to work through BGP. The goal of the lab is to see which path to on-premises is preferred if the hub preference is AS Path (shortest BGP path). BGP is enabled on all VPN gateways. The SD GWs are peered to the on-prem hub GW but there is no vnet peering. The on-premises vnets are peered. Somehow the VPN gateways are not learning the routes to on-premises. I tried pointing the way with UDRs but somehow it also isn't working. I've tried setting up UDRs so that the traffic would be the following: vWAN Hub -> sd GW > sd VM > GW-onprem (> on-prem-hubvm) > on-prem VM
456 Views | 0 likes | 2 Comments
Tags
- virtual network (46 Topics)
- vpn gateway (23 Topics)
- azure firewall (22 Topics)
- virtual wan (16 Topics)
- application gateway (13 Topics)
- load balancer (12 Topics)
- azure private link (9 Topics)
- azure expressroute (8 Topics)
- azure front door (8 Topics)
- azure dns (8 Topics)