For the scenario where a firewall/proxy doesn't support IoT Hub's FQDN.
The recommended approach is to script the updating of the firewall's whitelist - not going to happen in our case.
My plan B is to introduce a "gateway" on the IoT Hub side to provide a static IP address, and forward traffic to IoT Hub. I can see a few azure appliances which might serve here:
Azure Application Gateway
Azure Firewall
Azure Load Balancer
Proxy Server on VM
Has somebody been through this? What was your experience, and where did you land?
I have implemented something like this by building an HA proxy solution (based on Squid proxy) on a VM Scale Set with a Load Balancer in front. You can find the full solution here: https://github.com/sebader/azure-samples-collection/tree/master/VmssProxySolution
This one uses an internal LB (private IP) but you can also easily modify this to expose a static, public IP.
Related
I have an Azure web app which talks to the Azure VMs via Azure Load balancer. The VMs have NSG rules setup. The VMs are also being used by other servers/web apps. How do I prevent someone impersonating the IP and trying to get access to the VMs? Or how do I add another layer of security other than whitelisting the client IPs in the NSG of the VMs?
To secure Azure VMs, please try the following workarounds:
Make use of Azure Bastion, to securely connect to virtual machines from Azure Portal over TLS. If you are using Azure Bastion there is no need to create public IP on the Azure VM.
Try creating DDoS protection plan and enable it to your virtual network. DDoS protection plan is a paid service that offers enhanced DDoS mitigation capabilities.
Make use of Azure Firewall which filters IPs by denying traffic from known malicious IP addresses.
Enable all the above options in your virtual network like below:
Otherwise,
Make use of JIT (just-in-time) VM access that allows only legitimate users to access the VM when necessary by reducing the attack.
Try using VPN gateways which send encrypted traffic between Azure virtual networks. Please note that each virtual network can have only one VPN gateway.
For more information, please refer below links:
How to secure a Windows Server virtual machine in Azure (microsoft.com).
Best practices for defending Azure Virtual Machines - Microsoft Security Blog.
I have a non-azure, non-Windows, non-microsoft site-to-site tunnel set up between an Azure cloud environment and an on-premise LAN; at the azure end, the proprietary (non-microsoft) S2S host sits behind an Azure load balancer.
The proprietary tunnel is route-based and as such, I'd like to route connections all the way from our on-premise network to various resources in Azure.
e.g.
OnPrem Server -> OnPremFw -> (tunnel) -> CloudFW -> LB -> vNET1 -> vNET2 -> VMtarget
When packets hit the CloudFW, they are being "Hidden NAT'd", so the source IP address is translated from its On-premise IP address to an IP address recognised by Azure as directly associated with an Azure subnet range. In this case, things work as expected.
However, if I turn off the H-NAT, so that packets carry their original on-prem source IP address in to Azure, then no matter what security or routing rules I apply, nothing works.
Is it plausible that Azure is passively dropping these packets, or is silently screening them out, something like address spoofing?
I can't find any Azure documentation confirming this, but the behaviour I am seeing strongly implies this must be the case. Could anyone confirm?
I would like to know if essentially, it isn't possible to use "non-Azure" IP addresses in Azure routing and security configurations.
thanks
The answer to this question is No.
It is possible to use non-Azure-defined IP addresses in Azure route table rules and in Azure nsg rules.
Configuring a VNet-to-VNet connection is the preferred option to easily connect VNets if you need a secure tunnel using IPsec/IKE. In this case the documentation says that traffic between VNets is routed through the Microsoft backbone infrastructure.
According to the documentation, a Site-to-Site connection is also possible:
If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps, instead the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually.
In this case we have control over the configuration of the virtual local network address space, but we need expose public IPs. Documentation donĀ“t says nothing about where the traffic goes (azure internal or public internet)
My question is, in this scenario, S2S between VNets, the traffic is routed through azure infrastructure as in the case of VNet-to-VNet or the comunication is done through public internet?
edit
The traffic in an S2S between VNets is routed through Microsoft backbone network. See this doc.
Microsoft Azure offers the richest portfolio of services and
capabilities, allowing customers to quickly and easily build, expand,
and meet networking requirements anywhere. Our family of connectivity
services span virtual network peering between regions, hybrid, and
in-cloud point-to-site and site-to-site architectures as well as
global IP transit scenarios.
I have a set up I would like to implement but just not sure on the details. As you can see in the image below I have a single VPS in the web which I would like to use as a gateway to a number of locally running web servers. Im using the VPN to hide the IP/location of the server farm while maintaining the ability to host locally.
What I am not sure on is the implementation as I have never used a VPN before. My understanding is that I can host the VPN server on the server farm, have the VPS connect to it which will give me another 'local' network interface which I can then use apache to proxy traffic through?
The server farm is basically a small Kubernetes cluster give or take a little.
Is my understanding correct and can you offer any advice on implementaion?
Thanks in advance!
server farm example image
The VPN server should have two network interfaces. The first is the public interface that connects to the Internet and the second is the local interface that connects to the server farm. All the servers in the farm should connect only to the local interface and have the gateway set as the VPN server.
You can use the Reverse Proxy functionality in Apache to route incoming traffic to the appropriate server. See Reverse Proxy Guide
There are two servers:
Local Server
behind a firewall (DSL Router)
connected to microcontrollers (actors & sensors)
Cloud Server
sends commands to Local Servers
The idea is that the Cloud Server sends commands to the Local Server. E.g. to trigger an actor. If there was no firewall, the best way would be IMHO to have a REST API on the Local Server. Unfortunately configuring a NAT is not an option.
What is the simplest and most common way to solve this?
Your other options are:
a) pulling, webrequest from local to online server.
b) service bus, also a pulling pattern but with a queue (i.e. Azure Service Bus or Event Hub in example)
c) server of manufactor, sometimes there is already a online service ready, like meethue-API for the hue Philips IoT Lamps
Let me know if you need more hint's.
Frank