Azure VNets: "Evaluation Order" of NSGs and UDRs - azure-virtual-network

We're building a Hub & Spoke network in Azure with NSGs at the spoke network's subnets.
Now we'd like to allow a workload in one of the spokes to make outbound connections to a destination on the internet (TCP, 443). The traffic shall be sent through an NVA in the hub network.
The UDR of the spoke's subnet is configured like this:
Address Prefix: 0.0.0.0/0, Next Hop Type: Virtual Appliance, Next Hop: <IP of Firewall>
How do we need to configure the NSG's outbound rules in this particular scenario?
a) Allow, Source: Virtual Network, Destination: Virtual Network
b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>
c) Allow, Source: Virtual Network, Destination: Any
IMO a) and b) would mean that the UDR is "evaluated" first, while option c) would mean that the NSG is applied before the routing takes place.
I very much appreciate your help and/or links to some documentation on this topic that I wasn't able to find so far.

• According to what you have asked with regards to the priority of consideration by the Azure Network Resource Management fabric and its design by default, the first priority will be given to the UDR (User Defined Rule) in which the source and destination IP addresses are correctly defined between the virtual networks, even if a network virtual appliance is used for forwarding the traffic in between them, because when a virtual network is created, Azure automatically creates routes for every subnet defined during its creation. Thus, when routes are created, the first and priority routes are created and implemented for address ranges that are defined address spaces within the same virtual network, hence implying that by design, the default evaluation priority is given to those UDRs whose source and destination reachable valid IP addresses are correctly defined, if their priority is not set by the user. Please refer to the below workflow diagram for good understanding:
• Thus, as per your post, you have asked the evaluation priority for the below UDRs:
a) Allow, Source: Virtual Network, Destination: Virtual Network
b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>
c) Allow, Source: Virtual Network, Destination: Any
Of the above, the second (b) formatted UDR will be evaluated as 'first' in priority, then the first UDR (a) in priority and then the third (c) UDR, as it is defined for any IP address originating from the virtual network without any defined destination.
• Hence, accordingly, you should go with creating the UDRs in the second (b) format as it will get prioritized by default and 'evaluated' correctly by Azure. For more information regarding this topic, kindly refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
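As an added illustration (not part of the thread above, and not Microsoft's code), the small Python model below shows how an NSG's outbound rules are applied to a flow: rules are walked in ascending priority, the first match wins, the built-in default rules (65000, 65001, 65500) sit below every custom rule, and the match is made against the packet's real destination address, never against the UDR next hop. The one point that decides between the three options in the question is how the VirtualNetwork service tag expands: per the Azure service-tag documentation it covers the VNet address space plus every address prefix used in a UDR on the subnet, so a 0.0.0.0/0 route to the NVA silently widens it. That expansion is encoded here as an assumption (`expand_destination`), the Internet tag is simplified to 0.0.0.0/0, source matching is not modelled, and all addresses, rule names and the explicit deny rule at priority 4000 are constructed for the example.

```python
"""Toy evaluator for Azure NSG outbound rule semantics (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # lower number = evaluated first
    access: str                   # "Allow" | "Deny"
    protocol: str                 # "Tcp" | "Udp" | "*"
    destination: str              # CIDR, service tag ("VirtualNetwork", "Internet") or "*"
    dest_ports: Tuple[str, ...]   # e.g. ("443",) or ("*",)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


# Azure's built-in default outbound rules; any custom rule (priority 100-4096) is checked first.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", ("*",)),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", ("*",)),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*", ("*",)),
]


def expand_destination(dest: str, vnet_space: Iterable[str],
                       udr_prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn a rule destination into the networks it covers.
    Assumption taken from the service-tag docs: VirtualNetwork = VNet address space
    + every prefix used in a UDR on the subnet. Internet is simplified to 0.0.0.0/0."""
    if dest in ("*", "Internet"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    if dest == "VirtualNetwork":
        return [ipaddress.ip_network(p) for p in (*vnet_space, *udr_prefixes)]
    return [ipaddress.ip_network(dest)]


def matches(rule: Rule, flow: Flow, vnet_space, udr_prefixes) -> bool:
    if rule.protocol != "*" and rule.protocol.lower() != flow.protocol.lower():
        return False
    if "*" not in rule.dest_ports and str(flow.dst_port) not in rule.dest_ports:
        return False
    dst = ipaddress.ip_address(flow.dst_ip)   # the packet's destination, not the next hop
    return any(dst in net for net in expand_destination(rule.destination, vnet_space, udr_prefixes))


def evaluate(custom_rules: Iterable[Rule], flow: Flow, vnet_space, udr_prefixes=()) -> Tuple[str, str]:
    """First matching rule in ascending priority order decides the flow."""
    for rule in sorted([*custom_rules, *DEFAULT_OUTBOUND], key=lambda r: r.priority):
        if matches(rule, flow, vnet_space, udr_prefixes):
            return rule.access, rule.name
    return "Deny", "<no rule>"   # unreachable: DenyAllOutBound always matches


# --- constructed scenario mirroring the question -------------------------------------
SPOKE_VNET = ("10.1.0.0/16",)          # constructed spoke address space
FIREWALL_IP = "10.0.0.4"               # constructed hub NVA address
UDR_PREFIXES = ("0.0.0.0/0",)          # the default route to the NVA from the question
# Spoke VM talking HTTPS to a public endpoint (203.0.113.0/24 is a documentation range).
FLOW = Flow("10.1.1.4", "203.0.113.10", 443, "Tcp")
# Assumed explicit deny, as hub-and-spoke designs usually add one so that the
# default AllowInternetOutBound rule cannot be relied on.
EXPLICIT_DENY = Rule("DenyAllOutboundCustom", 4000, "Deny", "*", "*", ("*",))

OPTIONS = {
    "a": Rule("AllowVnetToVnet", 100, "Allow", "Tcp", "VirtualNetwork", ("443",)),
    "b": Rule("AllowToFirewallIp", 100, "Allow", "Tcp", f"{FIREWALL_IP}/32", ("443",)),
    "c": Rule("AllowToAny", 100, "Allow", "Tcp", "*", ("443",)),
}


def check_option(letter: str, udr_prefixes=UDR_PREFIXES) -> Tuple[str, str]:
    """Evaluate one of the question's NSG options against the constructed flow."""
    return evaluate([OPTIONS[letter], EXPLICIT_DENY], FLOW, SPOKE_VNET, udr_prefixes)


if __name__ == "__main__":
    for letter in "abc":
        print(letter, check_option(letter))
    # Same rule a), but with the tag read the intuitive way (VNet space only):
    print("a without UDR prefixes in the tag:", check_option("a", udr_prefixes=()))
```

Run as a script it shows option b) being denied (the firewall's address is never the packet's destination), option c) allowed, and option a) allowed only because the default route has widened the VirtualNetwork tag; with the tag read as the VNet space alone, a) is denied too. On a real subnet the equivalent check is `az network nic list-effective-nsg` together with `az network watcher test-ip-flow`, which report the rule that actually decided a given flow.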

Related

Partner Interconnect for restricted.googleapis.com, what BGP advertisements are required?

Using a Partner Interconnect I'm trying to get the restricted.googleapis.com access to work and having some issues.
The BGP session needs to advertise 199.36.153.4/30 for that to work. Does it also need to advertise all the VPC networks? Just the region the cloud router is in? None of them?
GCP allows you to advertise the 199.36.153.4/30 network on the cloud router, and it will apply to all the BGP sessions it has, or you can do it for specific ones. It depends on your needs. You only need to advertise this network in order for it to be known to your on-prem devices, which need to know that network.
Consider that you need to define a static route for this same network in your VPC whose next hop is the default internet gateway in order to have that traffic forwarded to the correct destination. For your VMs you need to set firewall rules to allow egress/ingress traffic for this network.
If you need to refer to restricted.googleapis.com from the on-prem network, you can define A/CNAME records in your on-prem DNS system as needed.
You can read more about these topics here and here.

Allow access to web server across multiple internal networks [LAMP]

My business network is comprised of four locations across my farm, being my house, feed shed, cold storage and vet (animal welfare). Due to the size of the property, the network is fibre to the house, then a long-range wifi signal broadcast with repeaters across the property to the other locations; to reach the feed shed this goes through two repeaters.
I have an R-PI running as a LAMP server, which is accessible on metrics.local and on its IP range 192.66.66.XXX (no idea why this range, that was what the original network engineer set up). The LAMP is hosting a WordPress website which captures internal metrics people record, such as feed used; we have no issues with this in the main residence. I have allowed port 80 through Apache without any restrictions as it's an internal network.
The problem is, whoever configured the network originally put other locations on separate domains, being 192.168.X.XXX, where the X is a different domain, so I have three LAN networks being 192.66.66, 192.168.1 and 192.168.2.
I have raised this with the network engineering team who have advised we have no firewalls blocking access between the networks and this is not a networking issue, but a server/apache config issue.
I've added routes to my LAMP server to allow the 192 range to connect to my server and I can ping the device from the computers on these other networks, however I cannot access metrics.local, with the browsers simply saying "cannot find the site".
I have reached the end of my ability to google the solution, with most routing topics being about adding additional domains to the LAMP, not allowing network access.
You are basically trying to route packets to different networks.
192.166.66.XXX
192.168.1.XXX
192.168.2.XXX
All of these are different networks. Within the same network, packets can be routed directly by switches, but your network admins need to route all of the networks to talk to each other using their own network gateway.
Alternatively, your network/sysadmin can forward your IP so it gets exposed to the other networks; this way it will be accessible to everyone using a single assigned IP which works in all three networks.
This is how routing works.

Is a network device hostname determined by the device itself or a network admin?

I have a local network with several PCs and specialized controllers on it. These specialized controllers must be configured with static IP addresses and do not have DHCP capabilities.
I was asked to put together a list of the device hostnames and IP addresses. It's easy to figure out the IP address of each device, however, I'm struggling to find out the host name for these specialized controllers. If it were a Windows PC, I would simply navigate some menus to find the host name.
I'm confused about how the host name is configured for network devices in general. For Windows PCs, it seems like the PC itself determines its own host name. When it joins a network, it simply broadcasts its host name to a DNS server and the DNS server remembers it. For devices that are not DHCP, it seems like I would need to manually go to a DNS server and enter the host name for the specific IP address.
So what exactly determines the host name? The device itself or a network admin?
This is more of a networking question and belongs on ServerFault; you will get your answer faster there.
"If it were a Windows PC, I would simply navigate some menus to find the host name."
What kind of system is there if there is no Windows? Linux, *BSD, AIX, other? I'll answer for Linux for now.
"So what exactly determines the host name? The device itself or a network admin?"
This depends on your configuration. In Linux, check /etc/nsswitch.conf, e.g.
hosts: files dns
which defines that the hostname will be defined by /etc/hosts and, if it is not found there, DNS will be checked next.
If the hosts file (local resolution) contains the pair IP <-> name, it is used. If DNS takes precedence and it contains the pair, it is taken from there. As shown above, the line can contain both at once in a defined order; then the resolution is done in that order.
By the way, a DHCP server can give you static IP addresses based on your MAC address, so your controllers will always have the same IP address if the same network card is used. It is way easier to manage than configuring all servers manually.
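As an added example (not from the answer above), the Python below does the reverse lookup the asker needs, IP to name, in exactly the order the `hosts:` line of nsswitch.conf dictates: it parses that line, parses an /etc/hosts body, and only falls through to DNS when the earlier source has no answer. The nsswitch and hosts contents are constructed samples embedded inline, and the DNS step is a constructed stand-in dictionary so the code runs offline; a real tool would call `socket.gethostbyaddr()` there. The `[notfound=return]`-style action modifiers that nsswitch.conf also allows are not modelled.

```python
"""Resolve IP -> hostname honouring the nsswitch.conf 'hosts:' order (added example)."""
from typing import Callable, Dict, List, Optional

# Constructed sample of an /etc/nsswitch.conf; only the hosts: line matters here.
NSSWITCH_CONF = """
# /etc/nsswitch.conf (constructed sample)
passwd:     files
hosts:      files dns
networks:   files
"""

# Constructed sample of an /etc/hosts body; 192.0.2.0/24 is a documentation range.
HOSTS_FILE = """
127.0.0.1   localhost
192.0.2.10  plc-feed-01.example.internal plc-feed-01   # constructed controller entry
192.0.2.11  plc-cold-02
"""

# Constructed stand-in for DNS PTR data so the example needs no network.
FAKE_DNS_PTR: Dict[str, str] = {
    "192.0.2.11": "dns-name-for-cold-02.example.internal",
    "192.0.2.12": "vet-gateway.example.internal",
}


def hosts_sources(nsswitch_text: str) -> List[str]:
    """Return the ordered lookup sources from the 'hosts:' line, e.g. ['files', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []


def parse_hosts(hosts_text: str) -> Dict[str, List[str]]:
    """Map each IP in an /etc/hosts body to its canonical name followed by aliases."""
    table: Dict[str, List[str]] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def reverse_lookup(ip: str, nsswitch_text: str, hosts_text: str,
                   dns_ptr: Callable[[str], Optional[str]]) -> Optional[str]:
    """Walk the sources in nsswitch order; the first source that knows the IP wins."""
    hosts = parse_hosts(hosts_text)
    for source in hosts_sources(nsswitch_text):
        if source == "files" and ip in hosts:
            return hosts[ip][0]           # canonical name is the first name on the line
        if source == "dns":
            name = dns_ptr(ip)
            if name:
                return name
    return None


def lookup_with_samples(ip: str, nsswitch_text: str = NSSWITCH_CONF) -> Optional[str]:
    """Convenience wrapper over the constructed samples above."""
    return reverse_lookup(ip, nsswitch_text, HOSTS_FILE, FAKE_DNS_PTR.get)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"):
        print(ip, "->", lookup_with_samples(ip))
    # Swapping the order changes which answer wins for 192.0.2.11:
    print("dns first:", lookup_with_samples("192.0.2.11", "hosts: dns files"))
```

The point the answer makes shows up directly: 192.0.2.11 has an entry in both sources, and the one that wins is decided purely by the order on the `hosts:` line, not by the device.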

Windows NLB not balanced

I set up an NLB cluster with two servers (WS 2008 R2). Each server has one NIC card which I set up with a static IP address. I assigned the cluster an internet name (MyCluster) and assigned it a static IP address. The third box is acting as a client sending TCP data (over WCF) to the cluster's IP I configured (static IP). I am observing the NLB cluster from the NLB manager at one of the nodes; both nodes are green (started). However, I am only able to see traffic coming in to one of the NLB servers. When I suspend it, I see traffic going to the other NLB server, and so on. I was expecting traffic to be split equally between them. I can't figure out what I missed, any tips please?
If you need more detailed information please ask, not sure how much detail to put in here.
Thanks.
By default, a port rule created with a Filtering mode of multiple host will use single affinity. In other words, multiple requests from the same client will get directed to the same host. To see traffic going to both hosts try accessing the cluster from multiple clients. You could also set the affinity to "none", but this can lead to other problems.
There's good information on the affinity parameter and how to use it in the NLB help file.

Broadcasting hostname and IP address

In order to notify all computers within the same LAN about my existence, I want to broadcast my hostname and IP address.
How do I go about doing so without sending them as a string?
Avik, this is what DNS is meant to be used for. While "regular" DNS is meant to hold names and IP addresses for each machine (statically configured), there is a dynamic DNS protocol which allows machines to update their DNS entries in real time.
This sort of capability is used in some of the office environments for my clients where printers on a machine are shared but the machines they're attached to use DHCP (meaning their IP address can change).
See here and here for details and the Windows implementation with DHCP.
Let's call your machine that wants to advertise itself the SERVER and all the machines that can use it the CLIENTS.
Of course, dynamic DNS only notifies DNS itself of the name/IP mapping and is useful if the CLIENTS are already aware of your SERVER so they can get the IP address from DNS. If you have no way for CLIENTS to discover that your SERVER has just been added, you'll still need to broadcast a packet occasionally indicating that your SERVER exists (this will only need the SERVER name since CLIENTS will use DNS to get the IP address).
This broadcast packet should be picked up by all CLIENTS and kept in a local table. If the communications from a CLIENT to your SERVER fails, the local table entry for your SERVER should be removed (it'll be re-added when your SERVER broadcasts again).
Basically re-inventing NetBIOS or ZeroConf, as popular with small embedded devices for discovery by a Windows or OS X based installer or setup utility.
You can try to use UPnP Discovery.
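As an added example (not code from either answer above), the Python below implements the scheme the first answer sketches: a fixed-layout binary announcement rather than a free-form string, plus the client-side table that expires an entry when announcements stop and drops it when a connection to that server fails. The message format (magic `ANN1`, packed IPv4, one length byte, name) and the UDP port are constructed for this example, not a standard. The decoder checks every length before trusting the datagram, since anything on the LAN can send to a broadcast port; the table only ever stores what decoded cleanly. Only `broadcast_announcement()` touches the network, so the rest runs offline.

```python
"""Binary LAN announcement + client table (added example; constructed protocol)."""
import socket
import struct
import time
from typing import Dict, Optional, Tuple

MAGIC = b"ANN1"          # constructed protocol identifier
DISCOVERY_PORT = 50000   # constructed; any free UDP port on the LAN
ENTRY_TTL = 30.0         # seconds a client keeps an entry without a fresh announcement
MAX_NAME = 63            # single DNS label limit; bounds the packet size

def encode_announcement(hostname: str, ip: str) -> bytes:
    """Layout: magic(4) | packed IPv4(4) | name length(1) | name bytes."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= MAX_NAME:
        raise ValueError("hostname must be 1-63 ASCII bytes")
    return MAGIC + socket.inet_aton(ip) + struct.pack("!B", len(name)) + name

def decode_announcement(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (hostname, ip), or None for anything malformed or not ours."""
    if len(data) < 9 or data[:4] != MAGIC:
        return None
    ip = socket.inet_ntoa(data[4:8])
    (name_len,) = struct.unpack("!B", data[8:9])
    if name_len == 0 or name_len > MAX_NAME or len(data) != 9 + name_len:
        return None                       # truncated, padded or oversized: drop it
    try:
        name = data[9:9 + name_len].decode("ascii")
    except UnicodeDecodeError:
        return None
    return name, ip

class ServerTable:
    """Client-side view of announced servers, keyed by name."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, float]] = {}   # name -> (ip, last_seen)

    def observe(self, data: bytes, now: float) -> bool:
        """Record one received datagram; returns False if it was rejected."""
        decoded = decode_announcement(data)
        if decoded is None:
            return False
        name, ip = decoded
        self._entries[name] = (ip, now)
        return True

    def mark_failed(self, hostname: str) -> None:
        """A connection to this server failed: forget it until it announces again."""
        self._entries.pop(hostname, None)

    def live(self, now: float) -> Dict[str, str]:
        """Servers announced within the last ENTRY_TTL seconds."""
        return {n: ip for n, (ip, seen) in self._entries.items() if now - seen <= ENTRY_TTL}

def broadcast_announcement(hostname: str, ip: str, port: int = DISCOVERY_PORT) -> None:
    """Send one announcement to the LAN broadcast address (needs a real network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(encode_announcement(hostname, ip), ("255.255.255.255", port))

if __name__ == "__main__":
    # Offline walk-through with a constructed server (192.0.2.7 is a documentation address).
    table = ServerTable()
    pkt = encode_announcement("files01", "192.0.2.7")
    t0 = time.time()
    table.observe(pkt, t0)
    print("after announcement:", table.live(t0 + 5))
    print("after TTL expiry:  ", table.live(t0 + ENTRY_TTL + 1))
    print("garbage accepted?  ", table.observe(b"not-an-announcement", t0))
```

A server would call `broadcast_announcement()` on a timer shorter than `ENTRY_TTL`; a client binds a UDP socket to `DISCOVERY_PORT` and feeds each received datagram to `ServerTable.observe()`. Because the announcement carries only name and address, clients should still verify the server when they connect (for example over TLS) rather than trusting the broadcast alone.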