I have storage account that contains one container, When I am generating SAS token from Portal without IP restriction it is working fine but when I am generating SAS token from portal with IP restriction, then it is not working. I am providing the Vnet IP range in the IP range column. But when I am trying to access through Azure Explorer which is installed in one of the VM inside the Vnet address space, it is giving error "This request is not authorized to perform this operation using this source IP".
Vnet Ip range -192.168.0.0/24 and VM private IP is 192.168.0.68.
I do not know from where this 100.74.202.44 source IP is coming. VM private is 192.168.0.68 and its public IP is also different i.e 52.34.X.X.
Let me know what I am doing wrong here or this is Bug?
VM private is 192.168.0.68 and its public IP is also different i.e 52.34.X.X. Let me know what I am doing wrong here or this is Bug?
Base on my knowledge, it is the internal IP that VM get from the Azure DataCenter by DHCP. On the Azure classic portal we can get the internal ip from the Classic VM Dashboard as following:
But in the Azure new portal, I can't find it out.
When try to visit the Azure storage from the Azure VM then it seems that via Azure internal Ip 100.x.x.x.
So please have a try to add this IP for restriction to generate SAS token, then it will work.
Related
I am trying to set up SSM on Windows.
I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints.
In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.
The problem comes with the DNS Client Server Address.
When I set it to match the address of the AD service SSM will not work.
When I leave the DNS Client Server Address default, SSM works but I can not join the AD.
I tried forcing the SSM Agent to use the endpoints by creating a amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.
Does anyone know the magic sauce to get these things all working at the same time?
EDIT 1:
I also tried adding a forward as described in this thread, however I'm either missing somethign or it is not working for my case:
https://forums.aws.amazon.com/thread.jspa?messageID=919331󠜣
It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".
Of course, my IPs are different, but once I removed the preexisting forward so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers) the instance was discoverable by SSM.
So, I would make a minor change to the list that saugy wrote:
On a domain joined windows instance, log in with AD domain Admin user
Open DNS manager
Connect to one of the DNS IP addresses for the AWS AD
Select forwarders
Add the VPC's DNS IP (x.x.x.2 from you VPC's CIDR range)
Remove the existing IP (so you VPCs IP is the only one)
Click Apply
Repeat from step 3 with the other DNS IP address for the AWS AD (not 1
Also, as mentioned in the other post. This only has to be done once and the settings persist in the AD DNS.
I am trying to create a new traffic manager profile of either Performance or Weight configuration but I keep getting stuck when trying to add an Azure Endpoint.
I have a two public IP inside of Azure, one with an optional DNS name, one with out.
When I try to add either of these as an endpoint, I get the following error message:
The one with a dns name on it:
Failed to save configuration changes to Traffic Manager profile 'profilename'. Error: Endpoint target type, 'DomainName', is not allowed for this profile. Valid values are: IPv4Address.
The one without a dns name:
No DNS name is configured.
If i choose External Endpoint and add the IPv4 directly it will work.
I tried with several different Traffice Manager profiles.. Is there a secret that I am missing out on? I am stuck..
Usually, There are three types of endpoint supported by Traffic Manager:
Azure endpoints are used for services hosted in Azure.
External endpoints are used for IPv4/IPv6 addresses, FQDNs, or for services hosted outside Azure that can either be on-premises or
with a different hosting provider.
Nested endpoints are used to combine Traffic Manager profiles to create more flexible traffic-routing schemes to support the needs
of larger, more complex deployments.
...
Azure endpoints are used for Azure-based services in Traffic Manager.
The following Azure resource types are supported:
PaaS cloud services. Web Apps Web App Slots PublicIPAddress resources
(which can be connected to VMs either directly or via an Azure Load
Balancer). The publicIpAddress must have a DNS name assigned to be
used in a Traffic Manager profile.
In this case, when you add a public IP address in the same subscription as an Azure endpoint, it will grey out if no DNS name configured in the Azure portal. You could add it when the public IP address configured with Azure provided DNS name like somedns.westus2.cloudapp.azure.com, this works on my side.
For example, there is a public IP address with the DNS name used for an Azure load balancer frontend.
Environment (User):
Windows 10 laptop
AzureAD joined
User in the office
Side note: Majority of our users are domain joined, this user travels alot, so we set him up as AzureAD to see how it would work.
Environment (Network)
Firewall controls DHCP, routing, etc.
DNS is running on DC (windows server 2016); DNS = 192.168.1.10
DC is hosted in Azure (connected to on-prem via VPN to firewall)
Problem:
This user cant ping host (A) records on the DNS server. The user can ping the FQDN though. e.g. can not ping servername, can ping servername.internal.company.com
This is breaking a service this user needs to run.
All the machines settings for DNS are correctly set (getting pulled through from the firewall). It just seems like the azuread joined device is not able to authenticate to the DC/DNS to retrieve details about a host name, but I find it really weird it can get responses back when using the FQDN of the server?
Can anyone please suggest why this user is getting blocked? I am thinking that becasue this is an AzureAD user their is an authentication issue, any help on the matter is greatly appreciated.Thanks!
recently I have faced the same problem with azure windows VM I have tried all the best possible afford to resolve the issue, but not success finally I have to change the VM IP with azure login panel after restart internet is working.
Want to setup a Azure Network adapter on a Windows Server 2019 DE machine. However, it does not matter what I try, the same error occurs:
Error: Virtual Network Gateway submission
Message Failed to submitted the update request of Microsoft Azure
Virtual Network Gateway WAC-Created-vpngw-99, Detail error message
from Azure: The BgpPeeringAddress for the virtual network gateway
/subscriptions/xxxxx/resourceGroups/Nett/providers/Microsoft.Network/virtualNetworkGateways/VPN-Gateway
cannot be modified
Also tried to Configure BGP ASN on the Azure gateway adapter, with an ASN number in the private range. No luck.
Any help will be grately appriciated.
As far as I know, the BgpPeeringAddress for the virtual network gateway is a specific IP address, which is the second last address from the GatewaySubnet range. The official DOC states this:
The Azure VPN gateway will allocate a single IP address from the
GatewaySubnet range defined for the virtual network. By default, it is
the second last address of the range. For example, if your
GatewaySubnet is 10.12.255.0/27, ranging from 10.12.255.0 to
10.12.255.31, the BGP Peer IP address on the Azure VPN gateway will be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.
I can reproduce your issue, when I change the BgpPeeringAddress to an invalid IP address 172.24.1.250. A valid IP address should be IP address 172.24.1.254 in my GatewaySubnet range 172.24.1.0/24
I check this via Azure Resource Explorer. You can get more details from this blog.
I have been facing this issue well over couple of weeks now. I can use some guidance and help.
Current Setup:
Aws ec2 instance (windows 2012 r2 server) hosting "abcd.com" domain. It is also a DNS server. Also, Elastic public IP has been attached.
Server I am promoting is in different VPC (let's say my own personal computer). Also running windows server 2012 r2. Configured DNS settings to point to Elastic public IP of aws instance.
I am able to perform "nslookup abcd.com" which returns private ip of the aws instance. Unable to perform ping though (since it resolves to private ip).
I tried configuring the dns entry on aws instance so it maps to elastic public ip. after that i was able to ping "abcd.com". But this seemed dirty to me.
Overall, I am not able to promote my pc to the domain controller which is on aws instance. If I put domain controller and server being promoted in same network, it works like a charm (don't even need a public IP in that case). But keeping it in separate networks things aren't working for me. Your inputs would be greatly appreciated.