user2713516's questions

I have a very simple scenario, Azure Vnet with a subnets 10.140.1.0/24 (GatewaySubnet, SKU=Gw2 gen1) and 10.140.10.0/24 (VirtualMachineSubnet). Then an OnPrem network with 10.190.0.0/16.

I have a successful Site2Site connection to the OnPrem network. I can ping the 10.190.x.x. from a VM in my Azure VirtualMachineSubnet (with IP 10.140.10.4). But when I introduce a NAT rule this no longer works. The OnPrem device is only allowing traffic from my VirtualMachineSubnet(+an extension on that range), but I want to widen this on my side, hence the NAT.

I tried to simplify this to the most simple NAT rule, a rule that does not actually translate. So the NAT rule I have is: Static, EgressSnat, InternalMapping: 10.140.10.4/32, ExternalMapping: 10.140.10.4/32, meaning, there should be no change in IP.

The moment I link this NAT rule to the S2S-connection the pinging stops working. Whats going on?

It looks like the moment I link any NAT rule to the connection, the connection stops working.

Note: Routebased, no policytraffic filters, no BGP, I also tried to translate the whole VirtualMachineSubnet to VirtualMachineSubnet and same result. I have also tried completely random Subnets that are not even in use, yet the pinging from my Vm-Subnet stops working. Also tried adding an Ingress rule mapping 1:1 the onPrem IP range, not working.

I have 2 scenario's that I am trying to solve in my Azure network environment. In both scenario's OnPrem-branch1 needs to connect to OnPrem-branch2 via my own Azure virtual network. I have Azure Site2Site VPN tunnels to each OnPrem branch from one of my Vnets in Azure. Note: There are multiple branches hence the 2 case below.

Case 1:

OnPrem-branch1 <--- Azure S2S VPN ---> Azure Vnet <--- Azure S2S VPN ---> OnPrem-branch2

Both branches are connected to my Vnet using the same Azure VPN Gateway. How can I link the 2 branches together?

Case 2:

OnPrem-branch1 <--- Azure S2S VPN ---> Vnet1 <--- ? ---> Vnet2 <--- Azure S2S VPN ---> OnPrem-branch2

In this case I have an old Vnet1 that has a S2S connection to branch one. And a newer Vnet2 connected via S2S to branch2. I can using Azure Networking peering to connect to the 2 Vnets, but will branch1 be able to reach branch 2 going through 2 Vnet's? Or do I need to setup a Vnet-to-Vnet VPN to connect the Vnets instead of Network Peering?

The new VPN Gateway is VpnGw1-series generation1 so I can apply the new NAT-feature (when upgrading to VpnGw2)

I have a cisco ISR on-prem with 2 endpoints (primary and secondary) and I want to connect my Azure VPN Gateway to both endpoints through a single connection (same local address space for both IP's).

When creating an Azure local network gateway I can only enter 1 public IP address, not 2. Is there a way to connect with 2 IP's from the Azure VPN Gateway?

Thank you

I'm coming from a Microsoft Azure perspective here, and looking to move from manually created/partially scripted infra-setup with VM's to full IaC using Azure DevOps as a single repo for code, infra and pipelines.

In my current infrastructure we have a lot of Windows Server VM's that after provisioning still require additional OS configuration and app installations.

Am I correct in thinking that IaC only really 'works' as intended if you only provision Azure managed services (like storage, containers, app services etc), and not use IAAS like VM's? Ofcourse I can still 'code' the Virtual Machines themselves, but that still leaves the configuration of the VM uncoded? So can IaC be fully used for 'legacy' IAAS scenarios?

I have a storage account in Azure that has network security enabled, meaning only selected networks can access the storage account. I also have a Azure point 2 site VPN for which I have given its subnet access to the storage account (as part of the 'selected network' to is allowed).

In practice I often create SAS tokens for download blob URL's, but those are blocked now obviously. Can I route my calls from my local computer to the download blob URL's via my point 2 site VPN so that access is allowed? Also, the IP-whitelisting feature is not an option due to dynamic ip's of everyone needing access.

I have a multicloud setup using Azure VM's and Google Cloud VM's that are connected via a site-to-site VPN (from Azure). VPN connectivity is all working fine, however I'm now trying to join all (both Azure and Google) VM's to the same domain hosted in Azure (AADDS). Azure VM's are joined successfully after peering the Vnets and adjusting the DNS servers to point to the AADDS interal IP's, but I'm stuck at the google VM's.

I have:

• verified the VPN connectivity from google VM's to the AADDS internal ip's, I get a successfull ping reply on both ip's.
• used DIG to see the DNS config that the Azure VM's are using and tried to copy those to a Google DNS Zone (private).
• verified that I can ping the domain(name) from my google VM.

I feel this is a DNS issue, considering the ping is working fine. Initially I got the SVR-record missing error so I added a specific SVR record _ldap._tcp.dc._msdcs svr and also tried the wildcard SVR. But I end up with the following error when trying to join:

Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "mydomain.com":

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com

The following domain controllers were identified by the query:
mydomain.com


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

I'm running an Azure VPN Gateway (VpnGw1, gen1, Route-based) and trying to connect a S2S connection to a Fortigate gateway. The connection is losing connectivity every so hours and I'm wondering if I can turn off Replay Detection as a possible solution.

To my knowledge this is enabled by default (I assume for security reasons) but I can't find a setting (via powershell) to turn this off. If this is not possible on my gen1-gateway, is it possible on gen2, policy-based or other SKU's?

I have an Azure infrastructure environment with multiple VM's and an Azure VPN Gateway for both Point 2 site (RDP, SSMS) connections, and multiple site 2 site connections for connecting to external networks (customers)

The requirement of needing multiple site2site connecties forced me to use the dynamic routing vpn-type. However I now have a customer that cannot and will not change their legacy VPN, that only supports static routing.

I cannot add another (static) VPN gateway to the same virtual network, but are there workarounds for this? Can I create a 2nd Vnet, attach a static VPN gateway to this. And then connect Vnet-to-Vnet using the VPN gateway?

I'm using IIS (10) on Server 2016 for my FTP site. I have a list of IIS users that have rights to their own subfolder under my FTP site. I have passive FTP configured to use a portrange of a 100 ports. I have a about 50 users so 100 ports is not that for fetched I would think.

However I'm wondering if I can configure a port per user or per subfolder of the site so that some of my clients don't have to open 100 ports outbound to support my site's entire port range.

Thanks!

I have several VM's in Azure that use 2 or 4TB disks or use striped disks (4x4TB), Azure Backup doesn't let me backup VM's that have disks attached that are greater than 1023GB, is there a way around this?

Is using the Azure backup agent an option that is normally used for non-azure servers?

I am thinking of a backup plan for fast recovery scenario for my windows Azure hosted VM's. My plan is to create a backup disk that is attached to my VM and using Windows Server Backup I create a backup on that disk using Windows Server Backup.

I assume this disk is normally not safe against ransomware, but is this also the case if I select this backup disk as a dedicated disk in the Windows Server Backup wizard? Because then the disk won't be visible in file explorer anymore either, so not reachable by the malware?

Secondly, I want to create a second backupset using Azure Recovery Vault. If I connect my VM via the azure-backup-agent to the vault, would my vault-stored -data be vulnarable to ransomware attacks? Thanks!

Using Azure gateway VPN I created a site to site connection with another vpn device (checkpoint) over which I have no control (customer endpoint).

I created the connection, using their public ip, declared the secret key and for local address space I discussed with the client what 'local' IP is desired from both sides. We agreed to an IP in the 172.0.0.0 range.

The gateway connection says succeeded/connected, and I see very little traffic in the data-out field (kb's not mb's).

However, when I try to ping the local address space (172.xxx.xxx.xxx) from my windows server 2016 VM I only get Request timed out-errors.

Do I need to create additional routes in windows? I tried adding route

  route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 0.0.0.0

but the host is still unreachable.

Any Ideas? Thanks

EDIT: added some progress below

Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4"

and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

Edit 2

By now, when running the vpn diag. log I do see some traffic, but I still cannot reach the other side.

Connectivity State : Connected
Remote Tunnel Endpoint : XXX.XXX.XXX.XXX
Ingress Bytes (since last connected) : 360 B
Egress Bytes (since last connected) : 5272 B
Ingress Packets (since last connected) : 3 Packets
Egress Packets (since last connected) : 130 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 0 b/s
Connected Since : 9/18/2017 5:33:18 AM

I need to give some customers access to my server(Azure VM) via either FTP or SQL (they want to retrieve files via FTP and want to connect to a special database), no remote desktop.

Currently I'm using Azure's P2S VPN for this (I gave them the client-installer and client certificate), is this good enough for this kind of purpose? should I keep other security concerns in mind? Thanks!

I'm building a network of VM's in Azure, 1 group of VM's for the webtier and 1 group of VM's for the data/sql-tier. I will create a jumpbox VM that enables access for devops purposes via VPN.

Now I read that I should have minimal software and connection-options to my actual VM, as it should run via the jumpbox to minimize the attack surface of my VM's and to have a central access point.

Now I want to do 2 things:

1. Connect via Remote Desktop to all my VM's, I figured I can simple create a VPN RDP connection to my jumpbox, and when logged into my jumpbox, simply open another RDP window to my other VM's using the internal v-network IP.

2. Access my (loadbalanced w/ availability set) MSSQL 2016 instance directly via SQL Server Management Studio or an application using a connection string. The MSSQL instance lives on my sql-tier VM, not on my jumpbox, can I somehow forward SQL traffic from my jumpbox to my sql-tier VM? I would guess that accessing the sql-tier VM directly goes against the whole idea of having a jumpbox.

Notes: - running MS SQL Server 2016 on Windows Server 2016

I am configuring multiple (named) instances of SQL Server 2016 on my Windows Server 2012 Azure VM. I have LogMeIn Hamachi installed on this VM and my own computer for a secure connection between the two.

I can connect to my default SQL instance by just using the IP in my SQL Server Management Studio, but connecting to my named instanced just doesn't work.

• I set the port to 1435 in Sql server config manager for all IP's
• I tried using the VM IP + "\instancename" and ip + ":1435"
• I tried using the Hamachi IP + "\instancename" and ip + ":1435"

I have Sql management studio installed on that specific VM and I can login to the named instance using the internal IP\instancename and also machinename\instance, but any attempt to connect remotely fails.

I have a Virtual Machine running in Azure that is hosting several websites in IIS. The VM has a loadbalancer in front of it, and in my DNS settings I point my A-record to the loadbalancers's IP address.

This all works fine with one website in IIS when I can set the binding IP to 'All Unassigned', but when using multiple sites, I'm stuck.

How I can I configure this, can I register multiple IP's to my Azure Loadbalancer or can I soly fix this with IIS config.

Thank you.

I have an Azure VM with IIS8 and the URL rewrite module installed. I have a single website configured, with both default http (80) and https (443) bindings (for all unassigned traffic).

Both http and https work fine and load the website, however, when I apply some kind of HTTP to HTTPS redirect both http://mydomain and https://mydomain stop working.

I have tried using the standard HTTP Redirect module and I've tried to create a rule using URL Rewrite using the following: http://www.meltedbutter.net/wp/?p=231

Thanks for any ideas:)

I want to have multiple VM's for my webtier and a load balancer configured in Azure. Currently I have 1 VM and load balancer working, I can easily create a 2nd VM and get it to work with the load balancer, but then I'd have to fully re-configure the 2nd VM even though it is identical to the first VM.

How can I easily copy/replicate my main VM and create a 2nd or 3rd VM that is identical so I can provide a multi-VM setup? It's not just about the VM technical configuration, but mostly about the software installed and IIS config for instance.

I'm using Azure's new Resource Manager.

I have a SQL Server 2016 instance on Windows Service 2012 VM running in Azure. Currently the network security group/firewall allows for port 1433/TCP traffic so I can connect from my PC using SQL Server Management studio.

However, I don't want that anyone on the internet that can guess my SQL username can access the VM/Databases.

I now have Hamachi installed on my VM's to create a virtual network, but what do I have to change to only allow users within the virtual hamachi network to access SQLServer Management studio?

I've learned that to have the most available Windows Azure VM setup it's best to create availability sets.

My setup would be to have an availability-set for 2 web-VM's and a set for 2-sql-VM's

The database for the SQL server VM is stored on a premium storage disk, however, I obviously only want to have 1 datasource for my database. How can I 'share' this database containing disk across my 2 SQL-server VM's?

I have the same issue on the web-VM where the user can upload images to the website, and they are then stored in a storage account. But both of the VM's in the web-availability-set should have access to these images. All VHD's are stored in Azure blobs.