Public IPs on Azure

Hi,

I have been trying to read the documentation, but most likely I have used the wrong search terms. Does anybody know if the following kind of setup is possible on Azure?

[Attached image: Azure and Public IPs.png]

The main idea behind this question is: if I have servers and want centralized FW control for the traffic coming in to or going out from these VMs, is this an option? Or if I assign the public IP to the VM, can it go out directly, skipping the centralized FW?

All the documents I have seen speak about assigning the public IP to the VMs, or about NATing, but with that we hit a problem when the port ranges extend widely.

5 Replies
I may not understand completely what you are trying to do, but why would you have public IP addresses on your VM? I have something similar, but none of the VMs in the vnets are private and all the https traffic goes through the FW. What I don't see here that I have is a DNS forwarder in the private zone. Depending on what's on your VMs, you may not want to expose them straight on the Internet?

@Petri X 

I may be wrong, but it seems to me that the idea here is to set up a traditional-style DMZ network, where the endpoints (the VMs in this case) have a public IP but there is a firewall in front to do IPS/IDS and block/allow ports where required.

As far as I know, the scenario in the picture is not possible. There is no scenario, afaik, where you could have a public prefix and have a firewall in front and use that to route traffic to the subnet (DMZ) behind it, as you could in a traditional network.

That said, it all depends on what your needs are:

  1. A public IP address is already not 'directly' attached to your virtual machine (as in, your VM is not aware of it). The concept is already a DNAT kind of scenario. If that is acceptable, you can add the public IP to the firewall and DNAT the needed ports to the VM, allowing the Az Firewall to do more advanced things like IDS/IPS.
  2. If you want the public IP assigned to your VM (again, not really directly assigned to the VM), but you don't really need IDS/IPS, you could just set ACLs using the Network Security Group and use NSG flow logs and Network Watcher Traffic Analysis to map / report on traffic.

If either scenario is not what you are trying to accomplish, you may need to explain a little further ;)

It is well guessed by @_AndreG :) I indeed thought to set up a kind of traditional DMZ solution on Azure. And thanks to @jmoriss7 as well for your reply.

No, we are not willing to give public IPs to the servers :) We tried to use NATing with selected FW instances, but it did not work, as that requires an external load balancer, and that has limitations for the NATs.

Because of that I started to think about whether I could associate the pIP to the host then. So the question was following the traditional DMZ solution where the host has the public IP. Then the FW takes care of the traffic filtering.

I have also tried to see how I could control the associated public IPs on the hosts, but that I have not been able to see. But thanks for reminding me of the NSGs; I believe I need to take a deeper look at that. Even so, we aim to use already known FW instances (not Azure FW).

A load balancer would not work, as these are like webRTC hosts and require direct connections.

@Petri X I am still a little confused as to what is not working when using Azure FW DNAT. You could assign an Azure prefix to the Azure Firewall and use DNAT to forward traffic from a specific public IP to a specific host server. An example is described here: Azure Firewall NAT Behaviors - Microsoft Community Hub

If you do not want to use Azure Firewall but a third-party NVA, it gets, I think, a bit more complicated. In that scenario you would definitely need to use a (standard) load balancer, and the rules get a bit complicated from there. You can assign multiple public IPs to the LB, but you'd need to either create load balancing rules to different (backend) ports on the NVA (and DNAT from there again) or have an NVA solution with multiple NICs. That does not scale very well, depending on your needs.

Using a standard load balancer directly to a (group of) server(s) is an option, but that does have a minimum of 4 minutes idle timeout.

Using public IPs directly on the server is also an option, but afaik you cannot do much with regards to IDS/IPS. You can use flow logs and Network Watcher traffic analysis to create some insights, and potentially DDoS protection on the public IPs.

I have no experience with webRTC so I can't be more specific :(
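
The two options laid out in the replies above (publishing the host through an Azure Firewall DNAT rule, or putting an NSG ACL on the host's subnet), together with a route table that sends the hosts' outbound traffic back through the firewall, which was the original question's concern, as an added Bicep example. This is not code from any participant in the thread; the policy name `fwpol-dmz`, the TEST-NET public address and the 10.0.0.0/16 ranges are all made-up placeholders, and the template assumes an Azure Firewall with an existing Firewall Policy is already deployed in the resource group.

```bicep
// Added example, not from the thread. All names, addresses and ranges are placeholders.
param location string = resourceGroup().location
param firewallPolicyName string = 'fwpol-dmz'      // existing Azure Firewall Policy (hypothetical)
param firewallPublicIp string = '203.0.113.10'     // firewall's public IP (TEST-NET placeholder)
param firewallPrivateIp string = '10.0.0.4'        // firewall's private IP on AzureFirewallSubnet (hypothetical)
param firewallSubnetPrefix string = '10.0.0.0/26'  // AzureFirewallSubnet range (hypothetical)
param vmPrivateIp string = '10.0.1.4'              // the DMZ host behind the firewall (hypothetical)

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

// Option 1: publish the host through the firewall with DNAT. The VM keeps only its
// private address; the firewall rewrites 203.0.113.10:443 to 10.0.1.4:443 and can
// inspect the flow before forwarding it.
resource dnatRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-dmz-dnat'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-dmz-web'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-web01'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]        // narrow to known client ranges where you can
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: vmPrivateIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}

// Option 2: an NSG ACL on the host's subnet. Here it admits the published port only
// from the firewall subnet, so nothing can reach the host around the DNAT path, and
// denies other inbound traffic ahead of the default AllowVnetInBound rule.
resource dmzNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-dmz-web'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-firewall'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: firewallSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: vmPrivateIp
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-other-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// The outbound half of the original question: a user-defined route on the DMZ subnet
// forces the hosts' Internet-bound traffic through the firewall instead of straight out.
resource dmzRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-dmz-web'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file dmz.bicep`, then associate `nsg-dmz-web` and `rt-dmz-web` with the DMZ subnet and enable NSG flow logs on the NSG for the traffic visibility mentioned above. The NSG and the route table only do their job once attached to the subnet; the DNAT rule takes effect as soon as the rule collection group is created on the policy.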

@Petri X 

How's your current setup? Is there any landing zone for shared services such as Edge?