I have a classic network setup in Azure, complete with VMs, vnets and site to site VPN.
I need to introduce a RM VM to integrate with this network. Are there any special considerations I need to make to ensure that the RM VM can integrate with the classic network?
Thanks
The only thing you have to do is to create a Vnet-Vnet connection between the ASM (Azure service manager or classic) and the ARM network. You can do this by creating a gateway and connect them . The only consideration is to use non overlapping subnets. The same consideration you have when creating a vpn between on-premise and Azure.
Related
I have an Azure web app which talks to the Azure VMs via Azure Load balancer. The VMs have NSG rules setup. The VMs are also being used by other servers/web apps. How do I prevent someone impersonating the IP and trying to get access to the VMs? Or how do I add another layer of security other than whitelisting the client IPs in the NSG of the VMs?
To secure Azure VMs, please try the following workarounds:
Make use of Azure Bastion, to securely connect to virtual machines from Azure Portal over TLS. If you are using Azure Bastion there is no need to create public IP on the Azure VM.
Try creating DDoS protection plan and enable it to your virtual network. DDoS protection plan is a paid service that offers enhanced DDoS mitigation capabilities.
Make use of Azure Firewall which filters IPs by denying traffic from known malicious IP addresses.
Enable all the above options in your virtual network like below:
Otherwise,
Make use of JIT (just-in-time) VM access that allows only legitimate users to access the VM when necessary by reducing the attack.
Try using VPN gateways which send encrypted traffic between Azure virtual networks. Please note that each virtual network can have only one VPN gateway.
For more information, please refer below links:
How to secure a Windows Server virtual machine in Azure (microsoft.com).
Best practices for defending Azure Virtual Machines - Microsoft Security Blog.
I have a Web App (Azure App Service) and I have an Azure SQL Database that this Web App talks to. I have two questions regarding communication between the two.
When connecting from the Web App to the Database (using the connection string), does the communication go out to the internet and then back into Azure or does Azure know to keep the traffic locally in Azure?
I have been looking into V-Net Service Endpoints as a possible way to improve speed of communication between the two. It is said that when connecting from a VM on V-Net with Service Endpoints enabled to a SQL Database, that Azure knows to keep the traffic internal to the Azure network and not go out to the internet, is this the same for Azure App Services?
Is it possible to keep traffic between an App Service and SQL Database internal to Azure? If so, how do I go about doing this? Any guidance on this is greatly appreciated.
It knows to keep it local on the "Azure backbone" (as per Azure doco). It doesn't go out to the public internet
Yes
Yes. It is already internal to the "Azure Backbone"
Having said that.... networks are really complicated.
As I understand it the main benefit of V-Net is that you can define your own network and add things to it like firewalls, security groups, subnets, peering between networks. Also it helps when setting up a hybrid network - i.e. connecting Azure resources to an on-premises network. When you can set up the same kind of structures as on premise, it's easier to 'transparently' make it part of the on-premises network. Lastly (rereading the doco), you can remove any incoming public IP firewall rules. These are "Azure backbone" IP addresses but they are also "public internet" addresses
There may be a performance improvement if the App Service and Azure SQL are on the same V-Net.
Azure SQL service endpoints are a bit mysterious. They "connect" to the VNET but you still need to connect to a public address. They don't actually take a up a local IP adress.
Depending on what you are really doing, you might want to look into private endpoint, which actually assigns a private IP to your Azure SQL.
Yes, communication between Azure App Service and Azure SQL Database is "local" within the Azure Virtual Network and does not go out to the public internet.
IBM Secure Gateway is a kind of VPN connectivity tool. I need to query an LDAP in an on-premise intranet network.
There is also an another VPN service offered by IBM Bluemix named IPSec.
Which of the two would be more feasible?
It depends on what kind of resources your application needs,
if you are using PaaS services (former Bluemix) you can use the Secure Gateway. If you are using IaaS services (baremetal or VMs) than I would suggest Vyatta rather than IPSec, because the latter doen't offer a connecction suitable for production, while Vyatta provides a lot of functionalities among which also an enterprise grade VPN termination bidirectional.
https://knowledgelayer.softlayer.com/topic/ipsec-vpn
https://knowledgelayer.softlayer.com/procedure/how-configure-ipsec-vyatta
https://www.ibm.com/blogs/bluemix/2015/03/bluemix-secure-gateway-yes-can-get/
I did connect my on-premise ldap to a service hosted on our dedicated instance. I configured destination to ldap server host and port. Our services are deployed on liberty profile so I had to change server.xml for that.
Configuring IPSec VPN is more complicated. I think you should be able to do it using secure gateway
The problem I have is that we're trying to use our WebApp in Microsoft Azure to connect to an external SQL-database (not our own) through a VPN. The SQL-database is only allowing connections from our local IP-addresses that we put up as a Network (for example 176.0.0.0/24).
We are now connected to the same virtual private network, and through our Azure-VM we can now connect to the SQL-Server through SQL Server Management Studio.
Now we want to do the same with a WebApp, but we're not getting through to the server. It gets "Not authenticated" before reaching the SQL-Server (probably the server isn't accepting our IP from the WebApp).
The different problems I have tried to look through is:
Do we only try to connect through our Outbound IPs?
Is the WebApp not connected to the VPN?
I have unfortunatley not found any real answers, and neither any solutions to my problem. If you have any ideas of how to solve our problem, or maybe know how I could tunnel all of the SQL-calls through the VM, the help would be very much appreciated!
Hybrid connection is one option. What you can also do is enable point-to-site in your VPN. Once you do that, you can directly integrate your web app to the vnet and your connections will work. (Go to your web app -> Settings -> Networking -> VNet Integration)
If your Vnet is V1(older way of creating VNs) then enabling point to site is very straightforward. You can do it through portal. For V2 Vnets you have to do it through powershell commands.
Here is a link for the documentation which explains both the options.
https://azure.microsoft.com/en-in/documentation/articles/web-sites-integrate-with-vnet/
There's a way to "tunnel all of the SQL-calls through the VM". You may want to use hybrid connections (cf https://azure.microsoft.com/en-us/documentation/articles/integration-hybrid-connection-overview/).
The principle is to have an agent installed on the VM that can access the database with the correct IP address.
Suppose you can access the SQL DB as mysqldbsrv from the VM. You add an hybrid connection associated to your web app, you install the agent on the VM. Then, when you connect to mysqldbsrv from the Web App, you go through the VM.
I have deployed jasperserver with my web application in the environment like Clustered two Tomcat sharing same database in Microsoft Azure Load Balanced Virtual Machines. But the problem is jasperserver strictly requires session affinity which is not possible in Microsoft Azure Load Balanced Virtual Machines.
1) If you have any other solution/suggestion which is suitable for my environment, please guide me.
2) Which one is best suitable for my environment and why ? on comparing Azure load balanced Virtual Machines and Apache httpd load balancing.
Environment :
1) Jasperserver 5.5 Commercial edition with session replication.
2) Two apache-tomcat-6.0.36 clustered instance sharing same database (Mysql 5.5).
3) Linux Machine - Ubuntu 13.10 Server in Azure load balanced Virtual Machines.
Thanks in advance for reading and answering my question. Every comment/idea is highly appreciated.
Look at publishing a VM using the new (in preview) reserved public IP which avoids the cloud service / load balancing setup. This VM could run your own custom load balancing setup that would allow session affinity (Kemp also offer their load balancer in azure - http://kemptechnologies.com/au/solutions/loadmaster-azure). You could create a couple of these VMs and then use Azure Traffic Manager to front-end the setup.
Please tell what are the steps needs to be follow for Kemp Load balancer which replaces Azure load balancing. Thanks, Vasanth N