Problem Description
We used to set up an Ubuntu Azure VM (consider Private IP as 109.11.23.11) for sending some simulated data. We need to set up multiple azure VM's for each one for every simulator.
For that simulator to send data outside we specify an inbound rule for the specific port as below
Here for data receiver we specify the connection details as below
:
Ex: 109.11.23.11:50000
Instead of doing that I want to try out having one Azure Windows Server VM which contains multiple Ubuntu Hyper-V machines
Then I set up that Windows server machine and then enabled Hyper-V. And then setup a virtual network to be used by Hyper V using the below Powershell script
New-VMSwitch -Name VmNAT -SwitchType Internal
New-NetNat -Name LocalNAT -InternalIPInterfaceAddressPrefix "192.168.49.0/24"
Get-NetAdapter "vEthernet (VmNat)" | New-NetIPAddress -IPAddress 192.168.49.1 -AddressFamily IPv4 -PrefixLength 24
Install-WindowsFeature -Name 'DHCP' –IncludeManagementTools
Add-DhcpServerV4Scope -Name "DHCP Scope" -StartRange 192.168.49.50 -EndRange 192.168.49.250 -SubnetMask 255.255.255.0
Set-DhcpServerV4OptionValue -DnsServer 168.63.129.16 -Router 192.168.49.1
Now I am a bit confused about how to open up port 50000 as in the earlier method for this Hyper-V.
What I tried
I created an inbound rule in the host VM as we have done in the Ubuntu VM earlier. And in the receiver tried giving the public IP of the host machine/Ubuntu Hyper V separately. Both of these things failed. The receiver is not getting connected to this simulator VM as earlier. I did not try with the host machine's private IP yet. Any suggestions?
• Since, you have created a ‘NAT’ subnet and attached an additional NIC (Network Interface Card) to the Azure VM in this subnet which communicates and manages the IP addresses for the nested VMs on the Azure VM, and a regular LAN (Local Area Network) subnet on which the host Azure VM is placed, please ensure that an inbound rule exists for Port 50000 in the NSG (Network Security Group) for the ‘NAT’ subnet NIC. Also, ensure that the network architecture of the nested VMs hosted on Azure VM is as below: -
• Then, also ensure that a virtual switch is created on the Azure VM to forward traffic from the nested VMs via host Azure VM to the internet and vice versa. Execute the below powershell command to add NAT static mapping with the external IP address used by the Azure VM: -
Add-NetNatStaticMapping -NatName "NestedSwitch" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.4.2.2 -InternalPort 5000 -ExternalPort 5000
Also, create an inbound firewall rule on the Azure host VM by executing the below powershell command for internal switch created on Hyper-V: -
New-NetFirewallRule -RemoteAddress 192.168.217.0/24 -DisplayName "Allow217net" -Profile Any -Action Allow
Also, ensure that port forwarding is enabled for inbound access to happen from the RDP port to the nested VMs on the nested VMs subnet. So, execute the below command on the host Azure VM to forward the traffic to the concerned ports: -
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50004 -Protocol TCP -InternalIPAddress "192.168.0.4" -InternalPort 3389 -NatName NATNetwork
Also, ensure that the below command is executed on the Azure VM to map the listening port to the required NIC on the nested VMs: -
netsh interface portproxy add v4tov4 listenaddress=<nat address> listenport=<random port> connectaddress=<nested vm address> connectport=<nested vm service port>
The above solutions should help you to resolve your issue for inbound rules on the nested VMs.
Related
I have a VM that i am manipulating using an azure devops pipeline. Previously, using WinRM to transfer files to the VM worked fine. However the vm's ram was not suitable for our needs, so i re-sized the VM to add more ram. Since resizing the VM, the VM's ip address has changed. This has caused WinRM to stop working. I tried to use winrm quickconfig -force in the console, and get this error:
Unable to enable the firewall for WinRM.
I removed the HTTPS listener from 5986 who's host was the old IP address, however i cannot add a new listener that points at the correct IP.
Start-RemotePSSession does not fail, or if it does, then it does so silently
I have looked at the certs and only can see one for the old ip address:
How can i add a cert for my new ip address? Or is there a different/better way to accomplish what i am trying to do (get winrm working again)
Since you have an old cert issued to the old Public IP address, you can generate a new cert issued to the new public IP address.
For example,
1.
Go to the VM console and generate a self-signed cert for a test.
$certificateName = "51.x.x.x"
$thumbprint = (New-SelfSignedCertificate -DnsName $certificateName -CertStoreLocation Cert:\LocalMachine\My -KeySpec KeyExchange).Thumbprint
Delete the old https listener and bind a new cert for the https listener.
winrm delete winrm/config/listener?Address=*+Transport=HTTPS
$thumbprint="7AD714C2AA0EF690EEFxxxxxxD"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint –Force
Enumerate the listeners.
winrm e winrm/config/listener
Note: the winrm quickconfig does not work for self-signed certs based on my validation. You could follow the above steps to manage it. If you have not allowed port 5986 in the windows firewall inside the Azure VM, you can enable it with PowerShell. If there is a network security group in your Azure VM subnet or associated NIC, you also need to enable it for HTTPS port. Read this blog for more details.
New-NetFirewallRule -DisplayName "winrmhttps" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -RemoteAddress Any
I'm trying to change an existing VM deployed via Resource Manager in Azure. The VM is configured with a wrong VirtualNetwork / Subnet. Changing this via portal.azure.net is not possible.
I've managed to retrieve the required network adapter by running: $adapter = Get-AzureRmNetworkInterface -Name xxxxx -ResourceGroupName xxxxx.
I can see the current configured subnet id via $adapter.IpConfigurations.Subnet and I've retrieved the new subnet via $net = Get-AzureRmVirtualNetwork -ResourceGroupName xxxxx -Name xxxxx.
I tried changing the $net.IpConfigurations.Subnet.Id = $net.Subnets.Id but I get a failure :
Subnet default referenced by resource xxxx is not the same Virtual
Network ....
Can anybody tell me how to change the virtual network that a network adapter is using if it was deployed using Resource Manager (the "Classic" has the simple Set-Subnet command).
Changing the Virtual Network for an exiting ARM deployed VM is not possible. But, changing the subnet for a VM is quite easy.
Login the Azure Portal
In Resource groups, choose the resource group your VM is in.
Choose your VM in the resources list of your resource group.
in Setting blade of your VM, and choose Network Interfaces.
Select the network interface you want to change, and click IP Address.
Choose a Subnet, and specify an IP address, or choose Dynamic Assignment.
If none of the exiting subnets meets your requirement, click your Virtual network to create a new subnet.
If you really want to change the Virtual Network of your VM, you can backup your OS Disk, and create a new VM with the OS Disk, and of course with the desired Virtual Network.
I found this excellent blog post which shows the steps to set up a NAT Virtual Switch, which I followed.
https://4sysops.com/archives/native-nat-in-windows-10-hyper-v-using-a-nat-virtual-switch/
First, the cmdlet New-NetNat does not even take an external IP as a parameter. How does NetNat know which external IP to use if there is more than one (which is my case)?
Say my host machine has an external IP "192.168.1.112" and the guest machine behind the NAT has an internal IP "10.0.75.2". I am trying to set up a port forwarding. The obvious syntax to try is:
Add-NetNatStaticMapping -NatName "NAT" -ExternalIpAddress "192.168.1.112" -ExternalPort 4000 -InternalIPAddress "10.0.75.2" -InternalPort 3389 -Protocol TCP
and I am getting the following error:
Add-NetNatStaticMapping : The external IP address 192.168.1.112 and
port number 4000 for the static mapping does not match an existing
ExternalAddress' IP address or port range. Use
Add-NetNatExternalAddress to add an ExternalAddress.
I don't understand what it means, but I follow the suggestion and type:
Add-NetNatExternalAddress -NatName "NAT" -IPAddress "192.168.1.112" -PortStart 4000 -PortEnd 4000
and I get the following error:
Add-NetNatExternalAddress : Element not found.
At this stage I have reached the limits of my competence. I can't find any relevant documentation on this NAT feature, apart from PowerShell's unhelpful tautology ("Add-NetNatExternalAddress: Adds an external address to a NAT instance.").
What does adding an External Address to a NetNat do? What happens if I don't specify the ports? Will it have any impact on the ability of the host to connect? What is the correct syntax to add an External Address in a way that will allow me to set up a Static Mapping?
The link above is to my blog, Cloudpuzzles. The scenario there is when using NVGRE and NAT gateways, and not the new NAT virtual switch. I don't currently have a write up about it, but Thomas here did a bit on it: http://www.thomasmaurer.ch/2015/11/hyper-v-virtual-switch-using-nat-configuration/
Basically, before adding addresses etc, you have to add a new NetNat (which is the NatName you're referring to in Add-NetNatExternalAddress).
PortStart and PortEnd, when it comes to NVGRE at least, is used as a boundary for which ports tenants can use.
I had the same problem and though I am not sure why the Add-NetNatExternalAddress command is failing I was able to get the NetNatStaticMapping to work by doing the below steps:
Run the following command:
Get-NetNatExternalAddress
From the list of External Addresses you get, choose any External IP and External port and use it as the parameter for the Add-NetNatStaticMapping command.
try something like:
Add-NetNatStaticMapping -NatName "NAT" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.0.75.2 -InternalPort 3389 -ExternalPort 4000
This will work for sure... and I recommend you to reconsider your IP scopes...because the IP 192.168.1.11 should be in a private network, and vice versa.
First you need to create a Virtual Switch with NAT:
New-VMSwitch -Name "HTTPS-NAT" -SwitchType NAT -NATSubnetAddress 192.168.100.0/24
Then you need to connect the necessary VM to the specified vswitch and enable the address translation rule for all virtual machines connected through this Hyper-V virtual switch:
New-NetNat -Name HTTPS-NAT -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.100.77" -InternalPort 443 -NatName HTTPS-NAT
After executing these PowerShell commands, all HTTPS traffic that comes to port 443 of the Hyper-V host will be forwarded to the private IP address of the virtual machine.
I have deployed a VisualStudio web app onto my Azure VM and I need a public IP to the VM so that the public can use my URL to access the web.
The Azure Doc. says: "Every Virtual Machine is automatically assigned a free public Virtual IP (VIP) address. "
..but I can't find how to get this IP.
I tried "VM > Powershell > ipconfig > IPv4 Address. . . . . ."
but I cannot ping this IP from the Internet.
"Every Virtual Machine is automatically assigned a free public Virtual IP (VIP) address"
In order to find out the public ip goto-
Azure portal and then your VM dashboard. Here at the right side you see a quick glance tab under which you will be able to see the public IP. Snapshot for your reference-
Using powershell you can use below command for the same.
Get-AzureVM -ServiceName "testservice" -Name "testvm" | select PublicIPAddress
NOTE - Public IP will be null if instance is in stopped state. To know more on public IP you can read this-
https://azure.microsoft.com/en-in/documentation/articles/virtual-networks-instance-level-public-ip/
ICMP (ping) is not permited to bypass Azure gateways, Try check connectivity with other TCP tools (ie. TELNET / SSH / RDP etc ).
To get the IP address of the VM - you can simply go to www.whatismyip.com
I have installed the openvSwitch server on my two centos server (KVM). I have created two VM’s and bridged using openvSwitch. I am able to ping between the two VM’s. I am using VLAN for differentiating the private network.
Below is the VM IP
VM1 IP : 198.0.0.2 (resides in host1)
VM2 IP : 198.0.0.3 (resides in host2)
VLAN: 1000
I have followed the steps from the below link to configure the openvSwitch and it works fine.
http://openvswitch.org/support/config-cookbooks/vlan-configuration-cookbook/
Now I want to block few ports. I want to block the incoming traffic to the port 443, 80 for the VM1. One option is I can modify the iptables in my VM to drop the traffic to the ports. But I don’t want to modify the firewall rules in the VM. I want to drop the packets from the OVS integration Bridge itself.
Thanks,
Kalpeer