Private Endpoints and DNS Part Deux: Azure Private DNS Zones
This is the second video on Azure Private Endpoints and DNS. Previously, we reviewed options for DNS name resolution with a Private Endpoint, including a forward lookup zone for the privatelink.file.core.windows.net zone. That option required manually adding host records to the DNS zone. This video reviews a hub-and-spoke configuration that uses a forwarder server in Azure and conditional forwarding in Windows DNS, with an Azure Private DNS zone holding the Private Endpoint records. Although slightly more complicated, this option does not require manually adding hosts to the DNS lookup zone.
Private Endpoints and DNS in Azure
Private Endpoints in Azure provide a secure way to access resources over the private, internal network, but the options for configuring DNS for Private Endpoints are not as straightforward. This video goes over the options available for DNS with Private Endpoints. We start by creating a storage account with a Private Endpoint, then review the default DNS configuration. We look at the WireServer and how it can be used with a conditional forwarder, as well as using forward lookup zones for name resolution.
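The forwarder chain the two videos above describe, as an added example and not code from the posts: the forwarder VM in Azure hands every name it does not host to the WireServer resolver (which knows the Private DNS zone linked to the VNet), an on-premises or spoke Windows DNS server conditionally forwards only the privatelink zone to that VM, and a small check confirms that the storage account name resolves to the Private Endpoint's private IP rather than the public one. The IP addresses, the storage account name mystorageacct and the function Test-PrivateEndpointResolution are assumptions; the cmdlets come from the Windows DnsServer and DnsClient modules.

```powershell
# Added example (not from the original posts). Assumed values:
#   10.10.0.4      = DNS forwarder VM in the Azure hub VNet (Windows Server, DNS role)
#   mystorageacct  = storage account that has a Private Endpoint for the file service
#   10.10.1.5      = private IP the Private Endpoint received; Azure registers it
#                    automatically in the Private DNS zone privatelink.file.core.windows.net
$forwarderVm = '10.10.0.4'
$privateZone = 'privatelink.file.core.windows.net'
$publicFqdn  = 'mystorageacct.file.core.windows.net'
$expectedIp  = '10.10.1.5'

# --- Step 1: run on the forwarder VM in Azure --------------------------------
# Anything this server cannot answer itself goes to the Azure-provided resolver
# (WireServer 168.63.129.16), which serves the Private DNS zone linked to the
# VNet. No per-host A records are maintained on this server.
Add-DnsServerForwarder -IPAddress 168.63.129.16 -PassThru

# --- Step 2: run on the on-premises (or spoke) Windows DNS server ------------
# Conditional forwarder: only the privatelink zone is sent to Azure; every other
# name still resolves through this server's normal path. The public name
# mystorageacct.file.core.windows.net is a CNAME to
# mystorageacct.privatelink.file.core.windows.net, so forwarding the privatelink
# zone is enough as long as this server can still resolve public names.
# Omit -ReplicationScope on a standalone (non AD-integrated) DNS server.
Add-DnsServerConditionalForwarderZone -Name $privateZone `
    -MasterServers $forwarderVm -ReplicationScope 'Forest' -PassThru

# --- Step 3: verify from a client that uses the on-premises DNS server -------
function Test-PrivateEndpointResolution {
    param([string]$Fqdn, [string]$ExpectedIp)
    $answer = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $cname  = ($answer | Where-Object QueryType -eq 'CNAME').NameHost
    $ip     = ($answer | Where-Object QueryType -eq 'A').IPAddress
    [pscustomobject]@{
        Fqdn      = $Fqdn
        Cname     = $cname          # expect mystorageacct.privatelink.file.core.windows.net
        Resolved  = $ip
        IsPrivate = ($ip -eq $ExpectedIp)
    }
}

Test-PrivateEndpointResolution -Fqdn $publicFqdn -ExpectedIp $expectedIp
# IsPrivate = False means the answer came from public DNS instead of the Private
# DNS zone: check the conditional forwarder, the forwarder VM, and the VNet link.
```

The check deliberately resolves the public name, not the privatelink name, because that is what applications use; if the CNAME is returned but the A record is the public IP, the privatelink zone is being answered by public DNS (where it is hosted by Microsoft and returns public addresses), which means the conditional forwarder is not being hit.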
Two Azure IP Addresses You Need to Know About
This video goes over two Azure IP addresses used by Azure VMs: the WireServer IP, 168.63.129.16, and the Azure Instance Metadata Service (IMDS) IP address, 169.254.169.254. In the video, I go over what each is used for and then give a demonstration on using the WireServer IP address to query DNS. After that, I use the IMDS REST endpoint to pull metadata, including the Azure environment and scheduled events.
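The two queries the video demonstrates, as an added example (not the post's own code) to be run from inside an Azure VM: the IMDS instance and scheduled-events endpoints, and a DNS lookup sent straight to the WireServer. The helper function names and the name looked up are assumptions; the endpoint paths, the api-version values and the Metadata header are the documented IMDS interface.

```powershell
# Added example (not from the original post). Both addresses are platform
# addresses reachable only from inside the VM, never from across the network.
$Imds       = 'http://169.254.169.254'
$WireServer = '168.63.129.16'

function Get-AzureInstanceMetadata {
    param([string]$ApiVersion = '2021-02-01')
    # IMDS refuses any request without 'Metadata: true' and any request that
    # carries an X-Forwarded-For header. That is deliberate: a web app with an
    # SSRF bug, or a proxy in the path, cannot be used to fetch this data.
    Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
        -Uri "$Imds/metadata/instance?api-version=$ApiVersion"
}

function Get-AzureScheduledEvents {
    param([string]$ApiVersion = '2020-07-01')
    # Upcoming platform-initiated reboots, redeploys and freezes for this VM.
    Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
        -Uri "$Imds/metadata/scheduledevents?api-version=$ApiVersion"
}

$meta = Get-AzureInstanceMetadata
# Which cloud this VM lives in (AzurePublicCloud, AzureUSGovernmentCloud, ...)
$meta.compute.azEnvironment
# Identity of the VM as the platform sees it; useful for correlating with logs
$meta.compute | Select-Object name, resourceGroupName, subscriptionId, location

$events = Get-AzureScheduledEvents
if ($events.Events.Count -gt 0) {
    $events.Events | Select-Object EventId, EventType, EventStatus, NotBefore, Resources
} else {
    "No scheduled events (DocumentIncarnation $($events.DocumentIncarnation))"
}

# The WireServer is also the Azure-provided recursive resolver for the VNet.
# Querying it directly separates what Azure DNS answers from what the VNet's
# custom DNS servers (if any) answer, which is the first thing to compare when
# a Private Endpoint name resolves to the wrong address.
Resolve-DnsName -Name 'management.azure.com' -Server $WireServer -Type A |
    Select-Object Name, QueryType, IPAddress, NameHost
```

If the session has a system proxy configured, exclude 169.254.169.254 from it; a relayed request picks up X-Forwarded-For and IMDS rejects it. The same service issues managed-identity tokens at /metadata/identity/oauth2/token, which is why that header check, and keeping the address off any proxy or SSRF path, matters.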
Azure VM and Internet Access
I recently worked on a project to deploy several VMs in Azure. One of the requirements was to block all internet access from the Azure VMs. This is a prudent step in securing an environment: it removes the path that web-based threats use to reach the VMs and that malicious code uses to call back out.
Update 1/2018 – Microsoft has implemented NSG Service Tags for storage and Azure SQL. Information on that is located here. Additional information and the opportunity to vote on adding other services can be found here.
To accommodate this, a Network Security Group (NSG) was created and applied to the VM subnet. Several rules were applied, including one similar to the rule pictured below. The rule simply blocked traffic from the VirtualNetwork service tag out to the Internet service tag on any source or destination port.
After the rule was put in place and tested, I began to set up the rest of the environment. Right away I ran into trouble: the VMs took up to 30 minutes to deploy and errored out with the message “New-AzureRmVm : Long Running Operation Failed with status ‘Failed’”.
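What the January 2018 service tags make possible, as an added example and not the post's own code: the same deny-to-Internet rule, with a higher-priority allow to the Storage service tag in front of it so the VM agent and extensions can still reach Azure Storage during deployment. It uses the Az module; the AzureRm cmdlets of the post's era have the same names with the AzureRm prefix. The resource group, VNet, subnet and NSG names, the region and the rule priorities are assumptions.

```powershell
# Added example (not from the original post). Assumed names: resource group
# rg-vms, VNet vnet-vms, subnet snet-vms, NSG nsg-vms, region East US.
$rg       = 'rg-vms'
$location = 'eastus'
$vnetName = 'vnet-vms'
$subnet   = 'snet-vms'

# The rule that broke deployment on its own: everything leaving the VNet for
# the Internet service tag is dropped, including the VM agent's calls to Azure
# Storage, so extension installs and status reporting time out. It overrides
# the default AllowInternetOutBound rule, which sits at priority 65001.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-internet-out' `
    -Description 'Block all outbound internet from the subnet' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*'

# Lower priority number = evaluated first. Allow the platform dependency through
# the Storage service tag, HTTPS only, before the deny rule can match. The
# regional form 'Storage.EastUS' limits it to this region's storage ranges.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'allow-storage-out' `
    -Description 'Let the VM agent and extensions reach Azure Storage' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix 'Storage.EastUS' -DestinationPortRange 443

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-vms' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowStorage, $denyInternet

# Attach the NSG to the subnet and push the change to the VNet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet `
    -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Confirm the evaluation order: the allow must list before the deny.
(Get-AzNetworkSecurityGroup -Name 'nsg-vms' -ResourceGroupName $rg).SecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange
```

The Storage tag covers every storage account in the region, including ones an attacker controls, so this rule is a platform-dependency exception, not a data-exfiltration control. Pairing it with Private Endpoints for the storage accounts the VMs actually use (the subject of the DNS posts above) and with the storage firewall on those accounts is what narrows the path to the intended accounts.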