How do I make VPN connection working from Azure VM? - azure-virtual-network

I have created Virtual Network Connection.
I have created Connection for Site to Site(IPSec) which connects to VMWare-snx
Connection status is "Connecting". (Also connection from VMWare SNX side)
I have VM in subnet. VNet is same as with Gateway Subnet.
I try to ping or RDP to VM in VMWare side, but do not have connection.
Did I understand correctly that I should have automatically connection from all subnet in VNet.
No routing is needed between Gateway Subnet and others?
Is there any way to troubleshoot if ping passed Azure VPN?
https://vzerotohero.com/2017/03/step-by-step-deploy-vmware-nsx-with-microsoft-azure-ipsec-vpn-site-to-site/

If the VPN connection is set up well, the Connection status should be "connected". Please follow the step by step in the article, especially the note things:
NSX VPN as of now only supports Policy-Based VPN type.
PFS: Disable Perfect Forward Secrecy since its not supported with Azure Static-Policy based VPN.

Related

Provide access to Azure Sql from vnet only

I've got vnet in Azure 10.1.0.0/24. VM connected to vnet directly by static ip: 10.1.0.5 and has not public endpoint. I connect to vnet using VPN and able to connect to VM. That wokrs fine.
I'd created Azure Sql database and want to limit connection only from vnet 10.1.0.0/24 (no public endpoint). So, my VM should be able to connect to Azure Sql and I shoul be able to connect to it when connected through VPN.
How can I configure this?
In this case, if you have set up a private connection to Azure – via P2S VPN, S2S VPN, or Express Route, then you can use a TCP proxy server to forward traffic to the public IP address for SQL Database because the virtual network rules are not supported VPN scenario, read the limitation and this.
Main Steps:
You can add Azure VM vnet&subnet to virtual network rule on SQL Database as described here
Download Nginx and change only the body the nginx.conf file without modifying headers to forward any traffic received on port 1433 to your SQL Database server sqlserver.database.windows.net:1433.
You could read this blog for more details.

Are point to site VPN clients supposed to support peered VNETs?

I have P2S SSTP connection to VNET1. VNET1 is peered to VNET2. VPN client does not add address space of VNET2 and hence routing from P2S client never works to VNET2. Are SSTP VPN clients supposed to be adding routes for all peered VNETs to installation file?
Yes, the VPN clients will get routes to the direct-peered VNets in the VPN client downloaded file. In this case, you need to configure Hub-spoke network topology in Azure.
To allow gateway traffic to flow from spoke to hub, and connect to remote networks, you must:
Configure the peering connection in the hub(have gateway subnet VNet1) to allow gateway transit.
Configure the peering connection in each spoke(no gateway subnet VNet2) to use remote gateways.
You could get more information from the step by step to work with P2S VPN in a similar scenario.

Access Azure SQL Database when connected to VNET via Client Gateway

I have an Azure Virtual network and I connect to the network using Point-to-point with the VPN client downloaded from Azure. This works as expected as I can now RDP to VMs in the VNet if required.
I also have an Azure SQL Server instance and in the firewall section I have added the VNet above to the Virtual networks rule list.
With my work laptop, I was now hoping that I would be able to connect to the VNet using the VPN client and then be able to access the SQL database using SSMS. However, when I try and connect I get a message telling me that I cannot access the server and instead need to add my client IP to the Firewall rule list, which is what I was trying to avoid doing.
Is there something else I need to be doing here to get this working?
Is there something else I need to be doing here to get this working?
If you just use an Azure SQL Database, which is a Paas in Azure, itself is not located inside a VNet. You can directly add the client Public IP in the firewall of Azure SQL Server. Whereas this is not your expectation. You need to make it inside a VNet, then you can do these followings.
If you are using a SQL Managed instance which located inside a VNet, want to access the Database instance from on-premises with a private address, you need to make a VPN connection or ExpressRoute connection between the on-premise and the Managed Instance VNet.
Now, you have a P2S VPN connection, you still need to make VNet peering with Gateway Transit between the P2S VNet with SQL instance VNet. Note: To use remote gateways or allow gateway transit, the peered virtual networks must be in the same region. To do so, make the following very specific changes under the Peering settings.
In the VNet that hosts the VPN gateway, go to Peerings, then to the
Managed Instance peered VNet connection, and then click Allow
Gateway Transit.
In the VNet that hosts the Managed Instance, go to Peerings, then to
the VPN Gateway peered VNet connection, and then click Use remote
gateways.
Once the peering complete, you can check the status on the Azure portal. You need to remove the VPN client and re-download it and re-install it on your laptop, this will make the route update on your client side.
If you've established on-premises to Azure connection successfully and you can't establish a connection to Managed Instance, check if your firewall has an open outbound connection on SQL port 1433 as well as 11000-12000 range of ports for redirection.
For more reference, you can read Connect your application to Azure SQL Database Managed Instance.

Hosting server farm begind VPN

I have a set up I would like to implement but just not sure on the details. As you can see in the image below I have a single VPS in the web which I would like to use as a gateway to a number of locally running web servers. Im using the VPN to hide the IP/location of the server farm while maintaining the ability to host locally.
What I am not sure on is the implementation as I have never used a VPN before. My understanding is that I can host the VPN server on the server farm, have the VPS connect to it which will give me another 'local' network interface which I can then use apache to proxy traffic through?
The server farm is basically a small Kubernetes cluster give or take a little.
Is my understanding correct and can you offer any advice on implementaion?
Thanks in advance!
server farm example image
The VPN server should have two network interfaces. The first is the public interface that connects to the Internet and the second is the local interface that connects to the server farm. All the servers in the farm should connect only to the local interface and have the gateway set as the VPN server.
You can use the Reverse Proxy functionality in Apache to route incoming traffic to the appropriate server. See Reverse Proxy Guide

Connection refused - nettcp WCF Service from work - client connecting over VPN

Here's the scenario: A client machine has connected to the 'Work network' via VPN (Cisco VPN Client). The work network hosts a machine that has a WCF service with nettcp binding. The client tries to connect to this service and gets an exception as follows:
Could not connect to
net.tcp://workMachine:2010/SomeService.
The connection attempt lasted for a
time span of 00:00:01.3180754. TCP
error code 10061: No connection could
be made because the target machine
actively refused it workMachine:2010.
Things I tried:
Changed the Workgroup of the client
machine to the work network
workgroup
Added domain/username/password for the Windows Networking Password vault, so that it can be used to connect
Changed the wcf service path with an IP address instead of the workMachine name
Checked client machine firewalls and added to allow the wcf client through it
All above failed and didn't work.
Has anyone encountered similar issues?
The client machine is on Windows 7
SecurityMode of the WCF service is set to NONE - so that shouldn't be an issue.
Any insights will be helpful
You may need to supply client credentials explicitly through your proxy object.
Assume that the proxy object in the code below implements one of the ClientBase interfaces.
proxy.ClientCredentials.Windows.ClientCredential.UserName = "clientaccount";
proxy.ClientCredentials.Windows.ClientCredential.Password = "S3cr3t1337Pwd";
Could you - just for testing purposes - expose the same service on the same machine using a HTTP endpoint, and try to connect to that one from your VPN client?
NetTcp is an excellent choice behind the corporate firewall - just don't know how the Cisco VPN client might cause troubles here, that might not show up when using an http-based protocol. Just a wild guess for now, but if you have nothing else to go on, give it a try!
Marc
Just another thought to assist with debugging of these kind of issues, using CMD execute "netstat -a" (you can append the -o switch and find the related process id also) and see if the port in question is currently open, if it isn't you may have an issue with the SMSvcHost.exe (this is the Windows process for managing an IIS hosted TCP Service).
I've had this issue before and rectified it by restarting the following services (obviously you'll need to carefully consider this if you are dealing with a live production system):
NetTcpActivator (Net. Tcp Listening Adapter)
NetTcpPortSharing (Net. Tcp Port Sharing Service)
and possibly if relevant:
NetMsmqActivator (Net. Pipe Listener Adapter)
NetPipeActivator (Net. Pipe Listener Adapter)
Hope this helps someone!
J.