Latest Discussions
Azure SDK python client to Azure iothub over HAproxy (SSL handshake failure)
I am trying to fix an IP address for Azure IoT Hub via Load Balancer and HAProxy as suggested in this https://medium.com/cloudzone/azure-iot-hub-how-to-expose-it-using-fixed-ip-and-create-a-more-secure-environment-along-the-way-988661a8f67a: https://i.stack.imgur.com/gyQ9j.png

I have configured HAProxy as suggested to pass the SSL handshake to the server:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend haproxy_iothub
        bind *:8883
        bind *:443
        bind *:5671
        mode tcp
        default_backend iothub

    backend iothub
        mode tcp
        server iothub [Server URL]:8883 check
        server iothub [Server URL]:443 check
        server iothub [Server URL]:5671 check

To simulate the device, I used Azure V2 SDK (azure-iot-device) and defined a proxy option and created a client from a connection string.

    import socks
    from azure.iot.device import IoTHubDeviceClient, ProxyOptions

    # Proxy settings pointing the device client at the HAProxy host
    proxy_opts = ProxyOptions(proxy_type=socks.HTTP, proxy_addr="Proxy_ IP", proxy_port=8883)

    # Device client created from the connection string, using MQTT over WebSockets
    device_client = IoTHubDeviceClient.create_from_connection_string(
        "IOTHUB_DEVICE_CONNECTION_STRING",
        websockets=True,
        proxy_options=proxy_opts,
    )

I was not able to reach the IoT Hub. I tried debugging the library to get more information and it turned out that the blocking occurs due to a general proxy error ("connection closed unexpectedly") in _negotiate_HTTP.

    socks.HTTPError :504 : Gateway Time-out (in socks.py)

HAProxy logging shows:

    Oct 18 08:48:37 vmss2xigg000000 haproxy[27470]: *..:59000 [18/Oct/2021:08:48:37.451] haproxy_iothub iothub/iothub1 1/1/38 0 -- 1/1/0/0/0 0/0

Any help much appreciated.

HA-Proxy version 1.8.8-1ubuntu0.11
Azure-iot-device Version 2.8.0

khaldayeh | Nov 08, 2025 | Copper Contributor | 1.2K Views | 0 likes | 1 Comment

Help needed for Azure Virtual Network Gateway and Azure SQL
Good morning all,

Just like the rest of the globe, a lot of our staff are now working from home, which means we needed to give them access to the data they used daily. We created an Azure Virtual Desktop solution; however, we now need to work on getting a VPN working.

We have got the Virtual Network Gateway set up and working for access to our Standard SQL VMs. NSGs are in place for DNS and the SQL ports; however, when we turn our attention to Azure SQL, it gets a bit more complicated. I have created the Private Endpoints for each of the Azure SQL instances we require; this wasn't a problem.

Our issue is that the main production database needs to be accessed by an external agent who will not have access to the VPN. 90% of the users who will connect to this database won't have a static IP so leaving 'Deny Public Network Access' unchecked isn't possible.

Is there a way to have 'Deny Public Network Access' checked so our VPN users can use the Private Endpoint while still giving public access to a single external user? Previously, they have had the database firewall configured with their IP ranges so this is only appearing as an issue now with the impending denial of public access.

Hope that makes sense.

BW_TJ | Nov 08, 2025 | Copper Contributor | 456 Views | 0 likes | 1 Comment

routing table
Hello,

I have a virtual network with 192.168.0.0/24. In the virtual network is a firewall with 192.168.0.5. Now I want to route any outgoing traffic on the virtual network through the firewall. If I create a rule 0.0.0.0/0 to 192.168.0.5, the internal devices cannot reach each other. What is the best way to set the routing rules here?

Greetings and thanks,
Stefan

StefanKi | Nov 02, 2025 | Iron Contributor | 620 Views | 1 like | 2 Comments

When measuring the speed using iperf, the speed does not exceed 30 Mbps
Hello! We have encountered a problem when using Azure virtual servers. When measuring the speed using iperf, the speed does not exceed 30 Mbps. Why is the speed so low? Are there restrictions on Azure servers?

yuk_s8g | Nov 01, 2025 | Copper Contributor | 674 Views | 0 likes | 1 Comment

Azure Secure Virtual Hub VNET-Branch Routing
Hey, trying to get connectivity going from our VNET to Branch over the S2S VPN I've set up, and from what I can tell when doing a tracert to a branch private IP address it seems to stop at the Azure Firewall IP address, and I've even created an any/any rule on the firewall policy but no go so far. Is there something that I'm missing?

Here is my topology:

- Secure Virtual Hub
- 1x VNET Spoke
- 1x VPN Site
- Both associated to the default route table, which has a route for 0.0.0.0/0 next hop firewall
- Both propagating to the None route table

I have created a DNAT rule to allow RDP, which I'm assuming that's how I'm getting into the virtual machine via RDP, but once I'm in I cannot route to anything back.

Curtis_Hoyt | Nov 01, 2025 | Copper Contributor | 759 Views | 0 likes | 1 Comment

OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC
I am trying to set up an OPNSense VM inside a Proxmox, which is running in an Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions.

Since Azure VMs don't support vIOMMU (note the "v" in vIOMMU stands for virtualized IOMMU, for L2 instances), I cannot pass the interface further from Proxmox to OPNSense, so I need to get by using bridges.

The host configuration is:

– eth0
– vmbr0 with eth0 assigned to it

The configuration is:

    iface eth0 inet manual

    auto vmbr0
    iface vmbr0 inet manual
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

The guest configuration is:

– VirtIO NIC attached to vmbr0, with MAC overridden using same address as the eth0
– Firewall: NO
– MAC Filter: NO

Running dhclient on eth0 or vmbr0 correctly discovers and assigns an IP address. Now, I am trying to get the OPNSense in a VM to get that IP address instead and to relay its traffic via the vmbr0 transparently outside of the host.

I have done something very similar previously between OpenWRT running in a VM and another VM, using OpenWRT's "trivial relay" (kmod-trelay, see https://forum.openwrt.org/t/howto-kmod-trelay/49610/2, also https://github.com/openwrt/openwrt/commit/c3bba7f8c61ee98265bcffef8ee86e22aa89bbe9), and despite that this particular case is much simpler, I can't get the VM to communicate with the ISP properly.

I tried simply by spoofing the eth0's MAC address by setting the OPNSense VM's interface to it, but that's not enough. I also checked the traffic on both ends using tcpdump, and, interestingly, vmbr0 does see the DHCP requests coming from the VM, and the ISP does respond, but that response never reaches the VM, nor the tap interface corresponding to the VM that Proxmox assigned to the bridge.

What am I missing here?

wrobelda | Oct 31, 2025 | Copper Contributor | 1.7K Views | 1 like | 3 Comments

Asav on azure
I need help creating a VPN from my Azure ASAv. As it stands right now, the trace capture on my ASAv from my Azure VM to the remote site ASA private network says my Azure VMs aren't pushing traffic to the ASAv. My question: when each Azure VM has a public IP, how can one then route the traffic through the ASAv? Anyone that has deployed ASAv on Azure should please assist.

wristein | Oct 31, 2025 | Copper Contributor | 1.4K Views | 1 like | 1 Comment

Access to the delegated container subnet from the rest of the network
Hi All,

We have an on-premise network: ONPREM-VLAN which is connected to an Azure VLAN: AZUREVLAN1 using Site to Site VPN connection. This AZUREVLAN1 is in subscription-1.

We have another subscription: subscription-2 which has two more VLANs: AZUREVLAN2 and AZUREVLAN3. AZUREVLAN2 is in one Azure region (same as AZUREVLAN1, i.e. Australia Southeast) and AZUREVLAN3 is in another Azure region (i.e. in Australia East).

We have enabled VNet peering between all the three VLANs. We have also established routing from our on-premise network: ONPREM-VLAN to all the three Azure VLANs.

However, when we created a delegated container subnet in AZUREVLAN3, it is only accessible from other subnets within AZUREVLAN3. It is not accessible from any other VLANs (AZUREVLAN2, AZUREVLAN1 and ONPREM-VLAN) in the network.

Here is the screenshot of that delegated container subnet:

Is there a way I can enable routing from the rest of the network to this delegated subnet?

ShehzadUIT | Oct 30, 2025 | Brass Contributor | 752 Views | 1 like | 1 Comment