How to RDP to scale set when creating with defaults - azure-vm-scale-set

When I create a VM with defaults, it creates the scale set without errors, but I do not seem to be able to RDP to the box using the NAT rule configuration.
New-AzVmss `
-ResourceGroupName $resourceGroup `
-Location "WestUS" `
-VMScaleSetName "tktestScaleSet1" `
-VirtualNetworkName "myVnet1" `
-SubnetName "mySubnet" `
-PublicIpAddressName "tktestvmssPIP1" `
-LoadBalancerName "tktestLoadBalancer1" `
-UpgradePolicyMode "Automatic"
Even a simple default scale set creation does not work:
$vmssName = "<VMSSNAME>"
# Create credentials. I am using one way to create credentials; there are others as well.
# Pick one that makes the most sense according to your use case.
$vmPassword = ConvertTo-SecureString "<PASSWORD_HERE>" -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential("<USERNAME_HERE>", $vmPassword)
# Create a VMSS using the default settings
New-AzVmss -Credential $vmCred -VMScaleSetName $vmssName
It also seems to create a NAT rule for 3389 and for 5985. Why is it creating a NAT rule for port 5985?
This is not the behavior when I create the scale set from the portal: that does not create the extra NAT rule for 5985, and I am able to RDP.
Is this a bug, or am I configuring it wrong?

It might be expected behavior. I also face the same scenario as you.
By default, the New-AzVmss command with default parameters does not create the health probe, but it does create a load balancing rule in the Azure portal. In this case, you could add a probe to enable the load balancing rules; then you could RDP to each of the VMSS instances.
You can also see it in the parameters. If no values are specified, ports 3389 and 5985 will be used for Windows VMs, and port 22 will be used for Linux VMs.

From my experiment it looks like a bug with New-AzVmss. After running New-AzVmss I added an NSG to the network and added an inbound rule; after that it started to work. It should have created an NSG when running New-AzVmss by default, which did not happen, but it does from the portal.
-SecurityGroupName
The name of the network security group to apply to this Scale Set. If no value is provided, a default network security group with the same name as the Scale Set will be created and applied to the Scale Set.

Related

How to Set DNS Suffix and Registration using PowerShell?

I am writing a script to automatically set the "Register this connection's addresses in DNS" & "Use this connection's DNS suffix in DNS" in Advanced TCP/IP Settings on a fresh out of the box device.
I've been successful clicking through the Network Settings prior to running the script in order for those settings to be set. I want to avoid doing that at all cost.
This is my code.
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
Get-NetAdapter -name "*" | Set-DnsClient -UseSuffixWhenRegistering $True
When I run this code in PowerShell, only the "Register this connection's addresses in DNS" box is checked, not the "Use this connection's DNS suffix in DNS" box.
There are a couple of ways to do this. I tend to use the WMI method. The first thing to do is get all the adapters that are IP enabled. Once you have this, all you need to do is use the SetDynamicDNSRegistration method. This method takes two overloads; both are Boolean and map to the two check boxes (Register this connection's addresses in DNS and Use this connection's DNS suffix in DNS). The example below would check the Register this connection's addresses in DNS box and uncheck the Use this connection's DNS suffix in DNS box:
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'"
$adapters.SetDynamicDNSRegistration($true,$false)
This example would result in both boxes being checked:
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'"
$adapters.SetDynamicDNSRegistration($true,$true)
I have encountered the same issue.
When setting 'Use this connection's DNS suffix' through the Set-DnsClient cmdlet it appears to run successfully. Running the Get-DnsClient cmdlet shows the setting being correctly adjusted, but the related registry key is not created, nor is the GUI updated.
Key - HKLM:\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\
Property - RegisterAdapterName
Adapter - IPV4 Properties - Advanced - DNS
During testing I have noticed that after the key is created, either through the WMI code above, REGEDIT or the GUI, the PowerShell cmdlets do correctly amend the registry key/GUI.
I have resorted to using code similar to the example provided by DaSmokeDog to force the creation of the registry keys for a given adapter then return to using the simple PowerShell cmdlets afterwards.
Not ideal having to work this way but my (limited) testing shows it working.
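The approach from the two answers above combined into one routine, as an added example that is not code from the original question or answers: set both options per IP-enabled adapter through the same Win32_NetworkAdapterConfiguration method, then cross-check the result against Get-DnsClient and the RegisterAdapterName registry value. The function name is my own.

```powershell
# Added example; uses the CIM cmdlets rather than Get-WmiObject, same WMI class and method.
function Set-AdapterDnsRegistration {
    param(
        [bool]$RegisterAddresses = $true,   # "Register this connection's addresses in DNS"
        [bool]$UseSuffix         = $true    # "Use this connection's DNS suffix in DNS registration"
    )
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($adapter in $adapters) {
        $result = Invoke-CimMethod -InputObject $adapter -MethodName SetDynamicDNSRegistration -Arguments @{
            FullDNSRegistrationEnabled   = $RegisterAddresses
            DomainDNSRegistrationEnabled = $UseSuffix
        }
        # Return code 0 = success, 1 = success but a reboot is required; anything else is an error.
        if ($result.ReturnValue -notin 0, 1) {
            Write-Warning "$($adapter.Description): SetDynamicDNSRegistration returned $($result.ReturnValue)"
            continue
        }
        # Cross-check: the cmdlet view and the registry value the GUI reads from.
        $regPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($adapter.SettingID)"
        $regValue = (Get-ItemProperty -Path $regPath -Name RegisterAdapterName -ErrorAction SilentlyContinue).RegisterAdapterName
        $client   = Get-DnsClient -InterfaceIndex $adapter.InterfaceIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface           = $adapter.Description
            ReturnValue         = $result.ReturnValue
            RegisterAddresses   = $client.RegisterThisConnectionsAddress
            UseSuffix           = $client.UseSuffixWhenRegistering
            RegisterAdapterName = $regValue
        }
    }
}

# Check both boxes on every IP-enabled adapter and show what was applied.
Set-AdapterDnsRegistration -RegisterAddresses $true -UseSuffix $true | Format-Table -AutoSize
```

A RegisterAdapterName of 1 with UseSuffix True means the registry value now exists, so the Set-DnsClient cmdlet alone will work from then on, as the second answer observed.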

NAT Instance maintenance

I have a Django app deployed on AWS Lambda through Zappa and my app needs to communicate with the public internet, so I need to use a NAT Instance. I am using a NAT instance because it's about 10x cheaper than a NAT Gateway using the free tier. The downside is that unlike NAT Gateway, a NAT Instance needs actual maintenance, and I am unsure what type of maintenance it needs. I want to learn about things I need to do to keep my server running well and healthy.
What are things I can do to make sure of that?
Here is my AWS Architecture:
All of the following is in my VPC. I have 1 subnet in ca-central-1a and 1 in ca-central-1b. In the route table, both subnets point to my NAT Instance. I have a 3rd subnet in ca-central-1b and in the route table it points to an internet gateway. My NAT Instance is in ca-central-1b.
My NAT Instance security group NATSG has HTTP and HTTPS inbound from both of my subnets in ca-central-1a and ca-central-1b and outbound to 0.0.0.0/0. Should I make another NAT Instance in ca-central-1a and make it only inbound from the subnet in ca-central-1a, i.e. one NAT Instance for each subnet? Would that be healthier/safer?
Extra information:
I disabled Source/dest check. Was that a good idea?
For my AMI I chose a recent community AMI amzn-ami-vpc-nat and I created an Auto Scale Group which has my NAT instance. It only has 1 instance, is there any point of the Auto Scale Group if there's only 1 instance in it? I am not sure that I am using the Auto Scale Group right, I simply created it but haven't configured anything.
Maintenance for NAT instances is necessary for security updates, security groups and instance failures.
It's not necessary to place a NAT instance in every subnet. You can connect multiple instances through a single NAT instance. Also, it is recommended to place the NAT instance in a public subnet.
The source/destination check is enabled by default for each EC2 instance, which means that the instance must be the source or destination of the traffic it sends or receives. So the source/destination check must be disabled for a NAT instance, as the NAT instance is not the source or destination of the traffic it sends or receives. It just acts as an intermediate to send traffic to the private instances.
The link below gives a detailed description of Disabling Source/Destination Checks:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
Setting the desired capacity to 1 will always keep your one NAT instance up. But the concern is that when a NAT instance gets terminated, the auto-scaling group will launch the replacement NAT instance with Source/destination check enabled by default. We have to disable it manually. Also, the entries that were made in the route table by selecting the target as nat-instance-id will not get changed, and the Route Table will still be pointing at the instance that was terminated. To get the SourceDestCheck attribute disabled for a newly launched NAT instance you could do this from the User Data of the instance. Here is an example shell script.
#!/bin/bash
# Runs from the instance's User Data at first boot: look up this instance's id and
# region from the metadata service, then turn off the source/destination check.
EC2_INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
EC2_AVAIL_ZONE=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone)
# The region is the availability zone without its trailing zone letter (ca-central-1b -> ca-central-1).
EC2_REGION=$(echo "$EC2_AVAIL_ZONE" | sed 's/[a-z]$//')
echo "Region:" "$EC2_REGION"
# Needs an instance role that allows ec2:ModifyInstanceAttribute on this instance.
aws ec2 modify-instance-attribute --instance-id "$EC2_INSTANCE_ID" --source-dest-check "{\"Value\": false}" --region "$EC2_REGION"
rc=$?; if [ "$rc" != 0 ]; then echo "Failure:" "$rc"; exit "$rc"; fi
echo "Success"
Sorry, @Rony Azrak, for the delayed response. As your concern is configuring instance details after launch, we assume that you are considering updating the user-data script; the possible way to do so is to run the script through a shell. Just save the given script in a .sh file, say a.sh, and execute it with the command sh a.sh.
But these changes will only be specific to that instance; they will not be reflected in the next instance that may get launched through autoscaling, if you are using it. For this purpose, you need to create a new launch configuration with the required modification by adding the script in the Advanced Details section, as an existing launch configuration can't be edited. This ultimately leads to launching a new instance.
About auto scaling, we would suggest you use auto scaling, which will automate your task of launching an instance. It does not incur any extra charge; you pay only for the resources you use.

New-NetIPAddress: ActiveStore vs. PersistentStore

I'm trying to set a new IP address by using a PowerShell script. I use this command:
New-NetIPAddress -InterfaceAlias $interfaceName -IPAddress $_.IPAddress -AddressFamily IPv4 -PrefixLength $maskLength
However, on a disconnected interface I get this error:
New-NetIPAddress : Inconsistent parameters PolicyStore PersistentStore and Dhcp Enabled
But when I set -PolicyStore to ActiveStore, the script will run without errors:
New-NetIPAddress -InterfaceAlias $interfaceName -IPAddress $_.IPAddress -AddressFamily IPv4 -PrefixLength $maskLength -PolicyStore ActiveStore
I'm not quite sure what this property does, since after a restart the settings are still in place. Are there any drawbacks here? Or why does this error even come up?
New-NetIPAddress : Inconsistent parameters PolicyStore PersistentStore and Dhcp Enabled
PersistentStore is separate from ActiveStore, and there is also a separate GPO store.
These stores hold firewall and network configuration.
PersistentStore contains the configuration for this computer.
The GPO store is the configuration from local group policy.
The Active store is the currently active configuration, and includes both the GPO and the Persistent store.
The problem you are getting is because the Persistent store is set to DHCP and you are configuring a static address, which makes no sense.
First disable DHCP in the active store and then set the IP for the interface.
For information about these stores and how to set them see:
https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallsetting?view=win10-ps
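The sequence the answer recommends, as an added example that is not code from the original question or answer: inspect the DHCP state in the PersistentStore, disable DHCP, assign the static address, then confirm it is present in both stores. The interface alias, address and gateway are placeholders.

```powershell
# Added example; $interfaceAlias, $ipAddress and $gateway are placeholders, replace them before running.
$interfaceAlias = "Ethernet"
$ipAddress      = "192.0.2.10"   # TEST-NET-1 placeholder
$prefixLength   = 24
$gateway        = "192.0.2.1"

# The error in the question comes from the PersistentStore still saying "DHCP enabled"
# while a static address is being written to it. Look at what the store says first.
Get-NetIPInterface -InterfaceAlias $interfaceAlias -AddressFamily IPv4 -PolicyStore PersistentStore |
    Select-Object InterfaceAlias, Dhcp, ConnectionState

# Turn DHCP off so the static address is consistent in the persistent configuration
# rather than conflicting with a DHCP-enabled interface.
Set-NetIPInterface -InterfaceAlias $interfaceAlias -AddressFamily IPv4 -Dhcp Disabled

# Clear any leftover manual addresses and default route on this interface first,
# otherwise New-NetIPAddress fails with "Instance already exists".
Get-NetIPAddress -InterfaceAlias $interfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object PrefixOrigin -eq Manual | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $interfaceAlias -DestinationPrefix "0.0.0.0/0" `
    -Confirm:$false -ErrorAction SilentlyContinue

New-NetIPAddress -InterfaceAlias $interfaceAlias -AddressFamily IPv4 `
    -IPAddress $ipAddress -PrefixLength $prefixLength -DefaultGateway $gateway | Out-Null

# Verify the address is recorded in both stores, not only in the running configuration.
foreach ($store in "ActiveStore", "PersistentStore") {
    Get-NetIPAddress -InterfaceAlias $interfaceAlias -AddressFamily IPv4 -PolicyStore $store |
        Select-Object @{ n = "Store"; e = { $store } }, IPAddress, PrefixLength, PrefixOrigin
}
```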

Windows Azure Virtual Machine - Opening a port

I am trying to open a port in a Windows Azure virtual machine. I have a game listening on that port, and I am able to access it via localhost, so the game is running.
I have also opened the port in the firewall and created an endpoint in the virtual machine, but the port doesn't seem to be open to the outside world. I have tried accessing it both via the IP address and the DNS with the same results.
Is there anything else I should do? I have looked up several tutorials online and can't figure out what I am doing wrong.
this has changed to this
I would recommend ignoring 100% of what is on Google at the moment.
Irina, make sure you have configured your endpoint properly by setting the private and public port. Here's documentation that explains the steps to accomplish this:
http://www.windowsazure.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/
It's easy via the Azure CLI. For example, to open port 80:
$ az vm open-port -g MyResourceGroup -n MyVm --port 80
Open multiple ports at the same time:
az vm open-port -g MyResourceGroup -n MyVm --port 80-100 --priority 100
Open all:
az vm open-port -g MyResourceGroup -n MyVm --port '*'
Pay special attention to this parameter; it must be unique for each rule:
--priority : Rule priority, between 100 (highest priority) and 4096 (lowest priority).
Must be unique for each rule in the collection. Default: 900.
This is a two-step process:
Configure the port rule in the Azure Portal (No need of any restarts. The effect takes place in a few minutes.)
Here are the steps (at the time of writing): Click on the VM -> Click on 'Networking' -> Click 'Allow inbound port rule'
Configure the port rule in the VM's own firewall. This depends on the operating system your VM has got (or disable this firewall).
Here are the steps for Windows 10:
Open 'Windows Firewall with Advanced Security' Desktop App -> Click on 'Inbound Rules' on the left panel -> Click on 'New Rule' in the Actions panel on the right. The following screenshots explain the rest.
Now the application listening to the port can be reached over the internet.
For future reference, if you're trying to listen to 3000 or that range it simply does not work.
Go to the 8080's range, make the inbound rule and you're up and running.
Probably this is the latest solution at a time of writing this answer:
You need to create a Network Security Group (or use an existing one). The easiest way is to search for Network Security Groups in the search resources bar. If there is an existing NSG, click on it and find inbound security rules from the settings. Then add an inbound rule with your desired port. For example, I opened port 8080 on my VM with the settings shown in the picture below.
More info: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-nsg-quickstart-portal/
In addition to what is described, you may need to create an inbound rule in the VM firewall. The settings in the portal create forwarding from the public IP towards the VM. The VM itself should allow applications to listen on the port.
This may explain why this didn't work for Irina on some ports and worked on other ports.
Check the Windows firewall on the VM also. If port 8080 is not added in firewall inbound rules, then make sure to add a new inbound rule to allow access to port 8080. (Remotely login to your VM. Windows Defender Firewall -> Advanced Settings)
After you've created a VM that's configured to serve web requests on the standard TCP port 80, you can:
Create a network security group.
Create an inbound security rule allowing traffic and assign values to the following settings:
- Destination port ranges: 80
- Source port ranges: * (allows any source port)
- Priority value: Enter a value that is less than 65,500 and higher in priority than the default catch-all deny inbound rule.
Associate the network security group with the VM network interface or subnet.
It's assumed you've already started the appropriate services and opened any OS firewall rules on the VM.
Another example: port ranges: 2022-2023
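The two-step process the answers describe (NSG rule plus guest firewall rule), as an added example that is not code from the original question or answers. The resource group, NSG name and source prefix are placeholders; step 1 runs from your workstation with the Az module, step 2 runs on the VM itself.

```powershell
# Added example; $resourceGroup, $nsgName and $sourcePrefix are placeholders, replace them before running.
$resourceGroup = "MyResourceGroup"
$nsgName       = "MyVm-nsg"
$port          = 8080
$sourcePrefix  = "203.0.113.0/24"   # restrict to the clients that need the port, not "*"

# Step 1 (workstation): add the inbound NSG rule. The priority must be unique within
# the NSG and lower than the default DenyAllInBound rule (65500), as the answer notes.
$nsg      = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$used     = $nsg.SecurityRules.Priority
$priority = 100
while ($used -contains $priority) { $priority += 10 }   # first free priority slot
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-TCP-$port" -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority $priority -SourceAddressPrefix $sourcePrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange $port |
    Set-AzNetworkSecurityGroup | Out-Null

# Step 2 (on the VM): open the same port in the guest firewall instead of disabling the firewall.
New-NetFirewallRule -DisplayName "Allow inbound TCP $port" -Direction Inbound `
    -Protocol TCP -LocalPort $port -Action Allow -Profile Any | Out-Null

# Confirm a process is actually listening on the port before testing from outside;
# an empty result here explains a timeout just as well as a missing rule does.
Get-NetTCPConnection -LocalPort $port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From a client inside $sourcePrefix, TcpTestSucceeded should now be True:
# Test-NetConnection -ComputerName <vm-public-ip-or-dns> -Port $port
```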

Connect to Amazon (AWS) EC2 instance via browser

I am having trouble connecting to an Amazon Elastic Compute Cloud (EC2) instance via a browser.
I attempted going to ********.compute-1.amazonaws.com, but the browser returns that the connection has timed out.
I can connect via SSH and WinSCP. That is how I uploaded a web app I developed. I have also created a security group and added rules to open ports 22 and 80.
Do I have to assign the security group to the instance somehow?
The security group's rules also do not have a source IP; well, they do, it's 0.0.0.0/0.
I would really appreciate any and all help in getting this site 'viewable' via a browser.
By default, your instances will only be in the default security group. If it's an EC2 instance you cannot change security groups while the instance is running, you'll have to specify them in advance. If it's a VPC instance you can change security groups at runtime.
Add the rule to the default group
You can however add the rule to allow port 80 to that default security group; just don't create a new security group as it can not be associated with the running instance.
Is the web server up?
Also, make sure that your web server is up and running. From your instance (using SSH shell access), check if the right process is listening on port 80, using the command netstat -lnp. You should then see a row with proto tcp and a Local Address ending in :80. The IP Address listed should be either 0.0.0.0 (meaning 'any IP') or a specific IP of a listening network interface.
Web server not up
If you are in need of a web server, take a look at Apache or Nginx. They both support PHP.
Hope this helps.
I had also faced a similar issue with an EC2 micro instance. I was using a Red Hat AMI. Despite opening port 8081 in the security group, I was not able to telnet to the host port. Disabling iptables did the trick for me:
sudo /etc/init.d/iptables stop
Do not forget to disable the firewall if you use Windows for your server.
I faced the same issue while setting up the Redash AMI image on AWS. Inbound security rules should be changed when the instance is not running. Let's say the instance is running (meaning it's active and started); if you change the inbound rules of that machine you'll still face the firewall issue. So stop the machine on which you want to change the inbound rules, change the inbound rules, then start the machine. Now you can hit the machine URL from the IP you just opened access to the machine for.
The EC2 instance firewall may be enabled.
Check it with this command:
sudo systemctl status firewalld
If enabled, you can disable it with:
sudo systemctl disable firewalld
or set up rules to allow port 80 traffic.
