Azure Bastion

Azure Bastion is a new feature of Azure which allows RDP/SSH connectivity to virtual machines directly in the Azure portal over SSL and without any public IP on your virtual machines.



Facts about Bastion:

  • It is a PaaS service that provides RDP/SSH connectivity to VMs running in Azure over SSL, without needing a public IP on the VMs.
  • Azure Bastion and the VMs must be provisioned in the same VNet.
  • Connect to the Azure portal over HTTPS and select the VM you want to access.
  • Azure Bastion has a public IP that the Azure management portal uses to provide RDP/SSH over SSL (443). You cannot SSH or RDP to the Bastion public IP itself.
  • A new browser session opens and gives you access to the VM you want to connect to.
  • It works like a gateway: you connect to the VM through the browser and in return get an RDP/SSH session to the VM.

How to Configure Bastion:

Bastion can be configured through PowerShell, CLI and the GUI. I am using the GUI method to create the service.


The subnet name must be AzureBastionSubnet and it must be in the same address space as the VM you created. I have placed my VMs and Bastion in Linux-Vnet.

The public IP created here will be used for the SSL connectivity.

How to connect :




Key in the username, upload the SSH key pair for the VM and hit Connect. The VM session opens in the browser.



If you would like to harden Bastion with an NSG, add the inbound and outbound rules below.

Inbound Rules:


Outbound Rules:


Source: 

https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg

https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/

Mapping Azure Container Instance (ACI) to Custom Domain

I recently had a requirement to map my Docker container instance to a custom subdomain. One way to achieve this is to map the container FQDN with a CNAME record in the domain registrar's portal.

FQDN: Fully Qualified Domain Name

CNAME: Canonical Name record

A Tomcat container is used in this project to deploy the webapp. The WAR and Dockerfile used in this project are available in the GitHub account Chennaitechie.


I have built the Docker image on my local desktop (assuming you already know how to build a Docker image); now it needs to be pushed into the Azure Container Registry.

1. Create an Azure Container Registry. The container registry is used as a repository for container images.

In this project I have named my registry as
2. Next, enable user access for the container registry you created. Go to the container registry settings and select Access keys.




3. Log in to the Azure Container Registry: open PowerShell and type the command docker login "Container Registry Name". In this project my registry name is containerimage.azurecr.io.



Execute the command and you will be prompted to key in the username and password from the Access keys page.

4. The Docker image must be tagged before pushing it into the Azure container registry. Use docker tag to create an alias of the image with the fully qualified path to your registry. I have used the namespace webapp to avoid clutter in the root of the registry.

docker tag "local container name" "New tag name" 



5. Now push the Docker image from your local computer to the Azure container registry. This is a straightforward step: docker push "container name tag"


The Docker image is transferred to Azure and is ready for action.

6. Select Container Instances and add a new container to bring up the configuration page below.


Image source is set to Azure Container Registry, which brings up options to select the registry and the images available in the repository.


7. In the network configuration we need to assign a DNS name and open port 8080, which is used by Tomcat.

Select Review + Create. The Tomcat container should come up and run; copy the DNS label name under Overview and navigate to port 8080 and the webapp name.


The FQDN for this container is tomcat.centralus.azurecontainer.io. Now contact your domain registrar to update the CNAME record for your domain, or do it yourself if you have access to the domain management portal.
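Steps 3 to 5 above, plus a check that the registrar's CNAME really points at the container FQDN, as an added PowerShell example that is not from the original post. It assumes the Az.ContainerRegistry module, Docker and Connect-AzAccount are already set up, Windows PowerShell with the DnsClient module for Resolve-DnsName, and placeholder names for the resource group, local image and custom subdomain.

```powershell
# Added example, not from the original post. Values marked "assumed" are placeholders.
$rg       = 'rg-containers'                     # assumed resource group
$registry = 'containerimage'                    # registry name used in the post
$server   = "$registry.azurecr.io"
$local    = 'tomcat-webapp:1.0'                 # assumed local image name
$remote   = "$server/webapp/tomcat-webapp:1.0"  # 'webapp' namespace as in the post

# Read the admin credential from the registry rather than copying it from the portal,
# and feed the password on stdin so it never appears on the command line or in history.
$cred = Get-AzContainerRegistryCredential -ResourceGroupName $rg -RegistryName $registry
$cred.Password | docker login $server --username $cred.Username --password-stdin

# Steps 4 and 5 of the post: tag with the fully qualified registry path, then push
docker tag $local $remote
docker push $remote

# Once the registrar's CNAME is in place, confirm it resolves to the ACI FQDN from the post.
function Test-AciCname {
    param([string]$Name, [string]$Expected)
    $target = [string](Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'CNAME' | Select-Object -First 1 -ExpandProperty NameHost)
    return ($target.TrimEnd('.') -eq $Expected)   # $target is '' when no CNAME exists yet
}
if (-not (Test-AciCname -Name 'app.example.com' -Expected 'tomcat.centralus.azurecontainer.io')) {
    Write-Warning 'CNAME does not resolve to the container FQDN yet; re-check the registrar record'
}
```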



The CNAME record became active in less than an hour. Thanks for reading!

 



Custom Domain Registration using Azure Active Directory

Steps to follow to add a custom domain to Azure:

* Create your domain (www.xyz.com/in) with a domain registrar (Godaddy/Namespace/Bigrock)

* Select the Azure Active Directory service

* In this post I am using my default AD directory; select Custom domain names.



* Select Add custom domain and key in your domain name in the blade that pops up on the right side of the screen.


In this example I am adding the custom domain azureblog.com.

* Now we need to add the TXT or MX record at the domain registrar to verify the domain in Azure Active Directory.


Open the domain registrar portal (Godaddy/Bigrock) where you registered the domain and select DNS management; you will get an option to add a TXT/MX record.

Note: You can keep the default TTL value in the DNS management portal.

It took less than an hour for me to get my domain verified, so make sure your configuration at the domain registrar is correct.
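The same verification done from PowerShell with the AzureAD module, as an added example that is not from the original post. It uses the domain from the post, assumes Connect-AzureAD has been run and that Resolve-DnsName is available (Windows DnsClient module), and polls DNS for the TXT record before asking Azure AD to verify, since verification fails if the record has not propagated yet.

```powershell
# Added example, not from the original post. Assumes the AzureAD module and Connect-AzureAD.
$domain = 'azureblog.com'   # custom domain used in the post

# Register the domain; it stays unverified until the DNS record is proven
if (-not (Get-AzureADDomain -Name $domain -ErrorAction SilentlyContinue)) {
    New-AzureADDomain -Name $domain | Out-Null
}

# Azure AD hands back the TXT (and MX) values it expects to find at the registrar
$txt = Get-AzureADDomainVerificationDnsRecord -Name $domain |
    Where-Object RecordType -eq 'Txt' | Select-Object -First 1
Write-Host "Add a TXT record at the domain apex ('$($txt.Label)') with value: $($txt.Text)"

# Poll public DNS until the TXT value is visible (or give up after $Attempts tries)
function Wait-TxtRecord {
    param([string]$Name, [string]$Expected, [int]$Attempts = 20, [int]$DelaySeconds = 60)
    for ($i = 0; $i -lt $Attempts; $i++) {
        $seen = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings }          # TXT values as plain strings
        if ($seen -contains $Expected) { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

if (Wait-TxtRecord -Name $domain -Expected $txt.Text) {
    Confirm-AzureADDomain -Name $domain
    (Get-AzureADDomain -Name $domain).IsVerified   # True once Azure AD has seen the record
} else {
    Write-Warning "TXT record for $domain not visible after polling; re-check the registrar entry"
}
```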






How to configure Azure Load Balancer

How to configure Azure Load Balancer (Step-by-Step Procedure)



Azure Load Balancer (LB) works at Layer 4 of the OSI model (Transport Layer) and acts as a single point of contact for end users. The job of the LB is to distribute inbound traffic to the backend instances.


Azure LB is one of the load balancing options in Azure; we will explore Application Gateway and Traffic Manager in upcoming blog posts. The LB is configured with rules, and these rules work at the port level to forward traffic from a source port to a destination port.

Azure LB has two configuration modes:

1. Internal load balancing

2. Public load balancing 

Currently we are working on the public LB. In this mode the load balancer is assigned a public IP address so that it can accept incoming requests from the internet and, based on the configured rules, route the incoming traffic to VMs in the private network.

Procedure: 

1. I have created two VMs running Tomcat on CentOS.

Both VMs are in the same region and must be in the same network. In this example:

network address: 172.16.0.0

subnet for ho-webapp: 172.16.1.0

subnet for dr-webapp: 172.16.2.0

2. Create the load balancer. Make sure the LB and the VMs are in the same region.




3. To put the LB into action we need to configure the following.


Frontend IP Configuration:

We are configuring a public LB, hence a public frontend IP address is assigned as shown below.





Backend Pools:

A backend pool is a set of VM instances, or instances in a VM scale set, that serve incoming requests. It is recommended to add more VM workloads so that incoming traffic is served effectively. Adding or removing VM instances from the backend pool, and the resulting reconfiguration, is taken care of by the load balancer.

We have two VM instances, HO-Webapp and DR-Webapp, which are in different subnets within the same VNet.



Health Probe:

Health probes allow the load balancer to detect the status of the backend pool instances. The configuration of the health probe and the probe responses determine which backend pool instances receive new flows. When a health probe fails, the load balancer stops sending new flows to the unhealthy instance. Only inbound connectivity is affected; outbound connectivity is not impacted.

Load balancer health probes originate from the IP address 168.63.129.16, and this probe source IP must not be blocked.



Load Balancing Rules: 

A load balancing rule distributes incoming traffic sent to a selected IP address and port combination across the backend pool instances. Only the VM instances that the health probe considers healthy receive new traffic.


Inbound NAT Rules: 

Network address translation (NAT) is a port forwarding technique. We use a NAT rule to forward traffic from a specific port of the frontend IP address to a specific port of a backend VM.

In the example below I have enabled the SSH service on the frontend IP address to reach port 22 on the target ho-webapp VM, so I can connect to the VM from outside the network.

You can also use a custom port under the Service option.






I have enabled custom port 2222 to reach backend port 22 on the VM DR-Webapp for SSH.

With this configuration the Azure public load balancer is ready for workloads.
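The whole procedure (frontend IP, backend pool, health probe, load balancing rule and both inbound NAT rules) built with Az PowerShell, as an added example that is not from the original post. It assumes Connect-AzAccount has been run, that the two VMs' NICs already exist, and placeholder names for the resource group, region, public IP, LB and NICs.

```powershell
# Added example, not from the original post: the public LB from the procedure with Az PowerShell.
$rg  = 'rg-webapp'    # assumed resource group
$loc = 'centralus'    # assumed region; LB, public IP and VMs must share it

$pip = New-AzPublicIpAddress -Name 'pip-lb-webapp' -ResourceGroupName $rg -Location $loc `
  -Sku Standard -AllocationMethod Static

# Frontend IP, backend pool, and a health probe that checks Tomcat on 8080
$fe    = New-AzLoadBalancerFrontendIpConfig -Name 'fe-public' -PublicIpAddress $pip
$pool  = New-AzLoadBalancerBackendAddressPoolConfig -Name 'pool-webapp'
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-tomcat' -Protocol Http -Port 8080 `
  -RequestPath '/' -IntervalInSeconds 15 -ProbeCount 2

# Load balancing rule: public port 80 -> Tomcat 8080, only on pool members the probe marks healthy
$rule = New-AzLoadBalancerRuleConfig -Name 'rule-http' -FrontendIpConfiguration $fe `
  -BackendAddressPool $pool -Probe $probe -Protocol Tcp -FrontendPort 80 -BackendPort 8080

# Inbound NAT rules as in the post: 22 -> ho-webapp:22, custom port 2222 -> dr-webapp:22
$natHo = New-AzLoadBalancerInboundNatRuleConfig -Name 'nat-ssh-ho' -FrontendIpConfiguration $fe `
  -Protocol Tcp -FrontendPort 22 -BackendPort 22
$natDr = New-AzLoadBalancerInboundNatRuleConfig -Name 'nat-ssh-dr' -FrontendIpConfiguration $fe `
  -Protocol Tcp -FrontendPort 2222 -BackendPort 22

$lb = New-AzLoadBalancer -Name 'lb-webapp' -ResourceGroupName $rg -Location $loc -Sku Standard `
  -FrontendIpConfiguration $fe -BackendAddressPool $pool -Probe $probe `
  -LoadBalancingRule $rule -InboundNatRule $natHo, $natDr

# Bind each VM's NIC to the backend pool and to its own NAT rule
$nics = @{ 'nic-ho-webapp' = 'nat-ssh-ho'; 'nic-dr-webapp' = 'nat-ssh-dr' }   # assumed NIC names
foreach ($nicName in $nics.Keys) {
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
    $ipc = $nic.IpConfigurations[0]
    $ipc.LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $ipc.LoadBalancerInboundNatRules.Add(($lb.InboundNatRules | Where-Object Name -eq $nics[$nicName]))
    $nic | Set-AzNetworkInterface | Out-Null
}
# A Standard SKU LB is closed by default: the VMs' NSG must allow 8080 (and 22 for the NAT rules,
# ideally restricted to admin source IPs) and must not block the probe source 168.63.129.16,
# which is covered by the AzureLoadBalancer service tag.
```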

Reference document : Azure Load Balancer