
Connectivity issue with Classic VM

Valeriy Zabawski
New Contributor

I have a classic VM instance running in Azure (CentOS 7). I have an endpoint rule that allows connections through port 22 from my address. Firewalld is disabled, iptables is not installed at all. However, I can't access the VM through port 22, even after explicitly adding my IP address (instead of the whole subnet the IP address belongs to) to a whitelist. I've tried to trace the route of the packets and here's what I got:

  7         3 ms        195.50.15.74    TimeExceeded
  8        18 ms        85.26.163.180   TimeExceeded
  9        19 ms        msa-24z-1.ntwk.msn.net [195.208.208.137]        TimeExceeded
 10        61 ms        ae8-0.ams-96c-1a.ntwk.msn.net [104.44.227.249]  TimeExceeded
 11       149 ms        be-61-0.ibr01.ams.ntwk.msn.net [104.44.9.140]   TimeExceeded
 12       143 ms        be-7-0.ibr01.amb.ntwk.msn.net [104.44.5.32]     TimeExceeded
 13       144 ms        be-5-0.ibr01.lts.ntwk.msn.net [104.44.4.233]    TimeExceeded
 14       144 ms        be-2-0.ibr01.lon30.ntwk.msn.net [104.44.5.38]   TimeExceeded
 15       142 ms        be-11-0.ibr01.nyc30.ntwk.msn.net [104.44.5.104] TimeExceeded
 16       143 ms        be-7-0.ibr01.was02.ntwk.msn.net [104.44.4.35]   TimeExceeded
 17       145 ms        be-6-0.ibr01.bl7.ntwk.msn.net [104.44.5.85]     TimeExceeded
 18       142 ms        ae101-0.icr01.bl20.ntwk.msn.net [104.44.10.119] TimeExceeded
 19      2002 ms        timed out
 19      2001 ms        timed out
 19      2001 ms        timed out
 20      2002 ms        timed out
 20      2002 ms        timed out
 20      2001 ms        timed out
 21      2001 ms        timed out

Endpoint rules:

[Image: endpoint_rules.jpg]

I can connect to that VM using another Azure VM which is whitelisted in "Endpoints". Is this some sort of network issue? I can easily telnet to that port from another VM and can't do that from my working PC. Other Azure VMs are accessible without any problems.

3 Replies

Did you check the NSGs you have to allow port 22 for inbound from anywhere or a specific IP?

I don't have any NSG assigned to that VM. There are only endpoint rules.

The 1st rule covers the subnet my IP address belongs to. The last rule includes only my IP address.

I also have a rule for another server's address, and from that server the port is open, but if I add my computer's IP, the VM is not accessible through the same port. It really seems like firewall exceptions work only for some IP addresses.

 

Are you sure that your public IP is static? Can you put 0.0.0.0/0 instead and check that RDP is allowed?