Is it possible to have a static inbound IP address for azure IoT hub - azure-iot-hub

Is there any way to set up a static inbound IP for Azure IoT Hub? I'm not much experienced with networking. My client has a firewall; it is IP based. They need to set up IP whitelisting. What should be the best way to achieve this?

The IP address prefixes of IoT hub are subject to change. These changes are published periodically via service tags before taking effect. It is therefore important that you develop processes to regularly retrieve and use the latest service tags. This process can be automated via the service tags discovery API. Note that Service tags discovery API is still in preview and in some cases may not produce the full list of tags and IP addresses. Until discovery API is generally available, consider using the service tags in downloadable JSON format.
(Source: IoT Hub IP addresses)

In addition to the above, you can use IP filters to receive traffic only from a specified range of IP addresses and reject everything else.
By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub blocks connections from all IP addresses. This default setting is equivalent to a rule that blocks the 0.0.0.0/0 IP address range.
You can follow the documentation Use IP filters for more details.
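The "retrieve and use the latest service tags" process the quoted documentation asks for, worked through as an added example (not code from the answer, and not Microsoft's). For the scenario in the question, the client's firewall needs the hub's prefixes as outbound destinations, so the script pulls the AzureIoTHub tag (global or regional) out of a Service Tags document, validates every prefix, and diffs it against the firewall's current allow-list to produce the rules to add and remove. The document shape (changeNumber / cloud / values[] / properties.addressPrefixes) follows the published JSON, but SERVICE_TAGS_JSON and CURRENT_ALLOW_LIST below are constructed, and every prefix in them is an RFC 5737 / RFC 3849 documentation range, not a real Azure address.

```python
"""Extract the AzureIoTHub service-tag prefixes and diff them against a
firewall allow-list.  Added example; all data below is constructed."""
import ipaddress
import json

# Constructed stand-in for the downloadable Service Tags file.  Real files
# carry hundreds of tags; the shape of each entry is what matters here.
SERVICE_TAGS_JSON = """{
  "changeNumber": 42,
  "cloud": "Public",
  "values": [
    {"name": "AzureIoTHub", "id": "AzureIoTHub",
     "properties": {"region": "", "platform": "Azure", "systemService": "AzureIoTHub",
                    "addressPrefixes": ["203.0.113.0/25", "198.51.100.0/24", "2001:db8:10::/48"]}},
    {"name": "AzureIoTHub.WestEurope", "id": "AzureIoTHub.WestEurope",
     "properties": {"region": "westeurope", "platform": "Azure", "systemService": "AzureIoTHub",
                    "addressPrefixes": ["203.0.113.0/26"]}},
    {"name": "EventHub", "id": "EventHub",
     "properties": {"region": "", "platform": "Azure", "systemService": "EventHub",
                    "addressPrefixes": ["192.0.2.0/24"]}}
  ]
}"""

# What the client's firewall allows today (constructed): one prefix that is
# still published, one stale prefix that is not, and one published prefix missing.
CURRENT_ALLOW_LIST = ["198.51.100.0/24", "192.0.2.128/25"]


def iot_hub_prefixes(doc: str, region: str = "") -> set:
    """Return the prefixes published for the AzureIoTHub tag.

    With region="" the global tag is used; otherwise the regional tag
    AzureIoTHub.<Region>.  Every prefix goes through ipaddress.ip_network,
    so a corrupt or tampered file raises ValueError instead of quietly
    turning into a nonsense firewall rule.
    """
    data = json.loads(doc)
    wanted = "AzureIoTHub" if not region else f"AzureIoTHub.{region}"
    for tag in data["values"]:
        if tag["name"] == wanted:
            return {str(ipaddress.ip_network(p)) for p in tag["properties"]["addressPrefixes"]}
    raise KeyError(f"service tag {wanted!r} not found in document")


def allow_list_diff(current: list, published: set) -> tuple:
    """Return (to_add, to_remove): rules the firewall lacks and rules it should drop."""
    cur = {str(ipaddress.ip_network(p)) for p in current}
    return published - cur, cur - published


def is_permitted(ip: str, prefixes: set) -> bool:
    """True if `ip` falls inside any published prefix (v4/v6 mismatches are simply False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    published = iot_hub_prefixes(SERVICE_TAGS_JSON)
    to_add, to_remove = allow_list_diff(CURRENT_ALLOW_LIST, published)
    print("add   :", sorted(to_add))
    print("remove:", sorted(to_remove))
    print("regional (WestEurope):", sorted(iot_hub_prefixes(SERVICE_TAGS_JSON, "WestEurope")))
    print("203.0.113.7 allowed?", is_permitted("203.0.113.7", published))
```

In practice the input comes from the downloadable Service Tags JSON file or from the discovery API (`az network list-service-tags --location westeurope`, or `Get-AzNetworkServiceTag -Location westeurope` in Azure PowerShell), which return the same structure; run the diff on a schedule and push the add/remove sets to the firewall. Note that this still only narrows the firewall to a set of prefixes, not to a single static IP, which is the point of the quoted documentation.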

Related

Which IP Address Does an ASP.NET Core Web API Use?

I have published an ASP.NET Core Web API on IIS. The website is hosted on a Windows Server 2019 dedicated server with a number of IP addresses. In Plesk I have set the IP address which I want the website to be bound to (let's assume it is 10.1.1.1). When I ping the domain name I see the correct IP address.
In one of the API's endpoints, there is an HTTP Request made to an external API which has access restriction to pre-defined IP addresses. If a request is made to this external API from an unknown IP it returns an error with that IP address.
Our website's IP address is set properly at the external API. However, when our API tries to connect to the external API from code it doesn't use the website's correct IP Address. It uses the first available IP address on the server. Therefore, the connection to the external API is refused.
My question is: why is the HTTP request not made from the same IP address as the website, and what can I do to make things right?
When we bind sites to IIS, you are only binding the incoming IP address. Traditionally we would want to control and sanitize all outbound requests. If there are multiple NICs configured, the outbound traffic would be routed through the NIC that is configured with the gateway, or the NIC that is on the same subnet as the target.
If your server has multiple IP addresses defined in the same NIC, the outbound IP address from IIS hosted content is selected for you. I'm not sure if it is a round robin but I can tell you it is not in any way related to the incoming IP address that your site is bound to.
Outbound traffic is NOT associated with IIS at all, outbound traffic from IIS follows the normal pathway and rules as outbound connections from all processes on your PC/server.
The general standard to avoid this issue in IIS is to use SSL and Host Header Names. That way you can host multiple sites on the same IP address, or really you are inbound address agnostic, meaning your configuration can be easily ported to other hosts without having to mess around with multiple physical or virtual IP addresses.
Following this advice from Forcing Windows Server to Use a Specific Outgoing IP Address, you can use PowerShell to exclude specific IP addresses from being used as the external source.
Assuming the IP address you want to be primary is 192.168.0.4:
# The address that every outbound connection should be sourced from
$primaryIP = "192.168.0.4"
# Make sure the primary address itself is eligible as a source address
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false
# Mark every other IPv4 address (loopback excluded) as not usable as a source.
# Set-NetIPAddress accepts the address objects from the pipeline, so no loop is needed.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne $primaryIP -and $_.InterfaceAlias -notmatch 'Loopback' } |
    Set-NetIPAddress -SkipAsSource $true
Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as the source address. We can verify this using...
Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress, SkipAsSource
It must also be said that communications outside of your IIS host can be routed via VPNs and firewalls. Even if you manage to fix the internal IIS server outbound IP address, the external site will still register your network's external IP address, not the internal 192.168.0.4 on the NIC.
Most enterprise firewalls will have the ability to configure Source NAT (SNAT) rules or policies, sometimes referred to as Multipath Routing, that will allow you to bypass or negate any configuration on the IIS NIC as described above.

Does Azure networking use anti-spoofing and not route packets with unrecognised source IP addresses?

I have a non-Azure, non-Windows, non-Microsoft site-to-site tunnel set up between an Azure cloud environment and an on-premise LAN; at the Azure end, the proprietary (non-Microsoft) S2S host sits behind an Azure load balancer.
The proprietary tunnel is route-based and as such, I'd like to route connections all the way from our on-premise network to various resources in Azure.
e.g.
OnPrem Server -> OnPremFw -> (tunnel) -> CloudFW -> LB -> vNET1 -> vNET2 -> VMtarget
When packets hit the CloudFW, they are being "Hidden NAT'd", so the source IP address is translated from its On-premise IP address to an IP address recognised by Azure as directly associated with an Azure subnet range. In this case, things work as expected.
However, if I turn off the H-NAT, so that packets carry their original on-prem source IP address in to Azure, then no matter what security or routing rules I apply, nothing works.
Is it plausible that Azure is passively dropping these packets, or is silently screening them out, something like address spoofing?
I can't find any Azure documentation confirming this, but the behaviour I am seeing strongly implies this must be the case. Could anyone confirm?
I would like to know if essentially, it isn't possible to use "non-Azure" IP addresses in Azure routing and security configurations.
thanks
The answer to this question is No.
It is possible to use non-Azure-defined IP addresses in Azure route table rules and in Azure NSG rules.

Static IP address for IoT Hub

For the scenario where a firewall/proxy doesn't support IoT Hub's FQDN.
The recommended approach is to script the updating of the firewall's whitelist - not going to happen in our case.
My plan B is to introduce a "gateway" on the IoT Hub side to provide a static IP address, and forward traffic to IoT Hub. I can see a few azure appliances which might serve here:
Azure Application Gateway
Azure Firewall
Azure Load Balancer
Proxy Server on VM
Has somebody been through this? What was your experience, and where did you land?
I have implemented something like this by building an HA proxy solution (based on Squid proxy) on a VM Scale Set with a Load Balancer in front. You can find the full solution here: https://github.com/sebader/azure-samples-collection/tree/master/VmssProxySolution
This one uses an internal LB (private IP) but you can also easily modify this to expose a static, public IP.
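The mechanism behind the "gateway with a static IP" plan, as an added example that is not the linked Squid/VMSS solution and not code from the answer: a transparent TCP relay. Devices are pointed at the relay's fixed address, bytes are forwarded unchanged to the real IoT Hub endpoint, and TLS stays end to end, so the relay never sees device credentials and the device still validates the hub's certificate exactly as before. UPSTREAM_HOST is a hypothetical hub name; the demo at the bottom runs entirely on loopback against a local echo server standing in for the hub.

```python
"""Transparent TCP relay with a fixed listening address.  Added example;
hostnames and the demo payload are assumptions, not values from the page."""
import asyncio

UPSTREAM_HOST = "myhub.azure-devices.net"   # hypothetical hub FQDN
UPSTREAM_PORT = 8883                        # MQTT over TLS
LISTEN_PORT = 8883                          # what devices are configured to use


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF or error, then half-close the other side so
    the far end sees the same FIN the near end sent."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    except OSError:
        pass  # peer reset: just propagate the close
    finally:
        if writer.can_write_eof():
            writer.write_eof()


async def handle_client(client_r, client_w, upstream_host, upstream_port):
    """Dial the upstream for each device connection and pump both directions."""
    peer = client_w.get_extra_info("peername")
    try:
        up_r, up_w = await asyncio.open_connection(upstream_host, upstream_port)
    except OSError as exc:
        # Upstream unreachable: drop the device rather than leave it hanging.
        print(f"{peer}: cannot reach {upstream_host}:{upstream_port}: {exc}")
        client_w.close()
        return
    await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
    client_w.close()
    up_w.close()


async def serve_relay(listen_host, listen_port, upstream_host, upstream_port):
    """Start listening; returns the asyncio.Server so the caller controls its lifetime."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, upstream_host, upstream_port),
        listen_host, listen_port)


# ---- loopback demonstration: an echo server stands in for the hub ----------
async def _echo(reader, writer):
    while data := await reader.read(65536):
        writer.write(data)
        await writer.drain()
    writer.close()


async def _demo() -> bytes:
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    relay = await serve_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    relay_port = relay.sockets[0].getsockname()[1]

    r, w = await asyncio.open_connection("127.0.0.1", relay_port)
    w.write(b"hello from device")   # constructed payload; opaque to the relay
    await w.drain()
    w.write_eof()
    echoed = await r.read()         # everything until the relay propagates EOF
    w.close()
    relay.close()
    echo.close()
    await relay.wait_closed()
    await echo.wait_closed()
    return echoed


def run_demo() -> bytes:
    """Round-trip constructed bytes device -> relay -> echo -> relay -> device."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
    # Production shape (not run here): asyncio.run(serve_relay("0.0.0.0", LISTEN_PORT,
    #                                                  UPSTREAM_HOST, UPSTREAM_PORT))
```

Two caveats worth stating. The relay resolves the hub's FQDN itself, so the prefix-change problem moves from the client's firewall to a host you control, which is the whole gain; the relay's own outbound rules still need either FQDN support or the service-tag process from the first thread. And because it is a plain byte relay, it gives no visibility into the traffic; that is deliberate, since terminating TLS on the gateway would put device credentials and telemetry in the clear on a box the hub does not know about.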

Connect IoT module to the internet server

I have developed an IoT module which can connect to Wi-Fi and send data to the internet. The module can send data (a string) to a specific IP address on a specific port.
The internet server should store that information to the database and display that information to the user via HTTP (web page).
When I set the port to 9081 (any random number) and my local computer's IP address as the IP address that the module should send data to, I can see the data on my local computer's terminal.
My question is: how can I send that data to the internet?
What I have in mind is that I can purchase a domain name, host and develop a web site (HTTP) which by default listens on port 80. The service provider only gives me basic services such as HTTP, HTTPS and FTP, which make it possible to upload a website, and I don't have access to other protocols and ports.
Should I purchase a virtual private server, should I use a specific cloud service, or can the module send data to the server on port 80 without conflicting with web pages and web content?
Please give me some suggestion.
I did something similar with an IoT module. There are two options that I also considered. Before we describe, there is no need to buy a domain name. You can comfortably use the IP address to connect to. If you have some spare cash go for it.
1. Send everything to the web server on your local computer. To have access to the local computer you must enable port 80 to be accessible over the internet. You do this on a router. This is called port forwarding. You set up a rule such that all the requests made to your IP address on port 80 should be redirected to your local computer on whatever port the web server is listening to. This is the cheapest method available. Also, there is an important limitation: your local computer needs to be switched on all the time if you want to access the data.
2. Buy a droplet (virtual private server). The workflow is the same as 1, but you don't need to port forward anything. These are usually set up and ready to use. However, this is usually expensive. Most of these providers offer pay-as-you-go services (e.g., Digital Ocean is the one that I used). There are other providers which offer free but limited versions. These are usually developer trial versions. If you go over a number of transactions, or space, you will have to pay (have a look at Parse).
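The server side the question describes, as an added example (not code from the question or the answer): a TCP listener for the module's raw strings on 9081, SQLite storage, and an HTTP page that shows the readings. It matches what the module already does (send a bare line to ip:port), with two things a practitioner would add before exposing that port from a VPS or a forwarded router port: a pre-shared token the module prepends to each line, so random internet scanners cannot fill the database, and a hard cap on line length. The token value and the sample lines are constructed; on a VPS both listeners run on the same host, so the data port never conflicts with the web pages.

```python
"""Ingest raw device strings over TCP, store in SQLite, serve as HTML.
Added example; DEVICE_TOKEN and all sample data are constructed."""
import html
import sqlite3
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DEVICE_TOKEN = b"s3cr3t-token"   # assumption: provisioned into the module's firmware
MAX_LINE = 512                   # bytes; longer lines are dropped unread
DB_PATH = ":memory:"             # a file path in production

_db = sqlite3.connect(DB_PATH, check_same_thread=False)
_db.execute("CREATE TABLE IF NOT EXISTS readings "
            "(ts TEXT DEFAULT CURRENT_TIMESTAMP, payload TEXT NOT NULL)")
_lock = threading.Lock()


def ingest(line: bytes) -> bool:
    """Validate one line from the module and store it.  Returns True if kept.

    Expected wire format: b"<token> <payload>\\n".  Lines without the token,
    or over MAX_LINE bytes, are dropped without a reply so a scanner learns nothing.
    """
    if len(line) > MAX_LINE:
        return False
    token, sep, payload = line.strip().partition(b" ")
    if not sep or token != DEVICE_TOKEN:
        return False
    with _lock:
        # Parameterised insert: the payload is data, never part of the SQL text.
        _db.execute("INSERT INTO readings (payload) VALUES (?)",
                    (payload.decode("utf-8", "replace"),))
        _db.commit()
    return True


def readings() -> list:
    with _lock:
        return [row[0] for row in _db.execute("SELECT payload FROM readings ORDER BY rowid")]


def render_page() -> str:
    """HTML view.  html.escape keeps a hostile payload from becoming stored XSS."""
    items = "".join(f"<li>{html.escape(p)}</li>" for p in readings())
    return f"<html><body><h1>Readings</h1><ul>{items}</ul></body></html>"


class DeviceHandler(socketserver.StreamRequestHandler):
    """One connection per module; one reading per newline-terminated line."""
    def handle(self):
        while True:
            line = self.rfile.readline(MAX_LINE + 1)   # bounded read, no unbounded buffering
            if not line:
                break
            ingest(line)


class PageHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = render_page().encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Data port for modules and web port for people, side by side on one host.
    data_srv = socketserver.ThreadingTCPServer(("0.0.0.0", 9081), DeviceHandler)
    threading.Thread(target=data_srv.serve_forever, daemon=True).start()
    HTTPServer(("0.0.0.0", 8080), PageHandler).serve_forever()
```

A shared token over plain TCP is only a filter against noise, not real authentication, since anyone on the path can read it; if the module's firmware can do TLS, wrap the 9081 listener in it (or switch the module to HTTPS POSTs to the web server, which also answers the question's last point about sharing port 80 with the pages).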

Binding specific interface IP address to Azure Storage container connections

Our product has software-managed virtual networks and has multiple local IP addresses from which network communications could be routed. One of the requirements we have is to ensure that outgoing traffic is routed from a specific, desired local IP when communicating with the Azure blob storage endpoint.
The Azure SDK does not seem to expose any means of specifying which local IP address to use for communications to the Azure blob endpoint. Please let us know if you think the SDK does expose one, and if so how we can utilize the facility.
If not, we are evaluating making changes to the azure-storage-java SDK source in order to support the local IP binding requirement.
Has this kind of situation been brought to your attention before? Do you have any suggestions as to how this might be accomplished?
Thanks,
Sowmya.
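This thread and the IIS thread above run into the same fact: the operating system chooses the source address of an outbound connection unless the application binds one. Whether azure-storage-java exposes such a hook is not settled on this page; the example below, added here and not part of the question or the SDK, shows the mechanism itself in Python, where `socket.create_connection(..., source_address=)` and the same keyword on `http.client.HTTPSConnection` do the bind. On a multi-homed host you would pass the interface address you want the peer to see. The demonstration runs entirely on loopback: a small server reports back the peer address it observed, and the client binds 127.0.0.1 plus a port it chose, so the server must report exactly that pair.

```python
"""Bind the local source address of an outbound TCP connection.
Added example; the server and the demo data are constructed."""
import http.client
import socket
import socketserver
import threading


class _ReportPeer(socketserver.BaseRequestHandler):
    """Reply with the (ip, port) the server saw as the client's source address."""
    def handle(self):
        ip, port = self.client_address
        self.request.sendall(f"{ip}:{port}".encode())


def free_port() -> int:
    """Ask the kernel for a currently unused local TCP port to use as our source port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_from(local_ip: str, local_port: int, remote) -> str:
    """Connect to `remote` with an explicitly bound source address and return
    what the peer reports seeing.  Binding here only fixes the source address;
    the route is still chosen by the kernel's routing table."""
    with socket.create_connection(remote, timeout=5,
                                  source_address=(local_ip, local_port)) as s:
        chunks = []
        while chunk := s.recv(128):
            chunks.append(chunk)
        return b"".join(chunks).decode()


def https_from(local_ip: str, host: str, path: str = "/") -> int:
    """Same bind for an HTTPS call (not run here; needs network).  For blob
    storage `host` would be the account's blob endpoint; port 0 lets the
    kernel pick an ephemeral source port."""
    conn = http.client.HTTPSConnection(host, timeout=10, source_address=(local_ip, 0))
    conn.request("GET", path)
    return conn.getresponse().status


def demo() -> dict:
    """Start the reporting server on loopback and connect with a chosen source port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _ReportPeer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = free_port()
        observed = connect_from("127.0.0.1", port, srv.server_address)
        return {"chosen": f"127.0.0.1:{port}", "observed": observed}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over from the IIS answer: a bound source address is only honoured if the kernel's route to the destination leaves through an interface that can legitimately carry it (otherwise policy routing is needed), and any NAT between the host and the internet rewrites the source anyway, so the address Azure sees is whatever the edge device assigns.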