Azure VM – ILPIP edition

This is a follow-up to my original post: So you want to host multiple SSL websites on one Azure VM?

I always follow the approach of “there is no one size that fits all”. This is very true of using virtual IPs for hosting multiple SSL websites on a single Azure instance. The image below (image via Microsoft) does a great job of explaining how a virtual public IP (VIP) is structured:

[Figure 1: structure of a virtual public IP (VIP); image via Microsoft]

As you can see, the VIP is assigned to the cloud service associated with the Azure VM, and individual VMs/websites may then be configured via the Azure Firewall[1].

The Azure firewall does a great job of locking down access to the Azure VM: each port has to be configured in the firewall before it allows public access. This fails, however, in cases where you need to communicate over ports chosen at random. For instance, if your VM is running passive FTP, you would need to open communication ports with the client at random (shown below, image via Slacksite), and this scenario conflicts in a non-scalable way with the Azure firewall.

[Figure: passive FTP connection sequence; image via Slacksite]

Another instance where you may want to bypass the Azure firewall – pinging a VM directly. I had an instance where a partner company had a device that connected to a web service on an Azure VM but had to have ping work successfully before this happened. The Azure firewall disables ICMP pings, and there is no way to enable this on the Azure firewall.

The only way for some of these scenarios to work is to bypass the Azure firewall and connect to the VM directly.

Enter Instance Level Public IP (ILPIP), a direct public IP to your VM. Configuring this for an existing VM is rather easy:

  1. Use PowerShell to connect to your Azure account (steps 1-3 in my previous post)
  2. Get AzureVM settings with this command:
    Get-AzureVM -ServiceName servicename -Name vmname
    Pay close attention to the results; these fields will have no values:
    PublicIPAddress :
    PublicIPName :
    PublicIPDomainNameLabel :
    PublicIPFqdns : {}
  3. Now attach an Instance Level Public IP (ILPIP) to the VM with this command:
    Get-AzureVM -ServiceName servicename -Name vmname `
    | Set-AzurePublicIP -PublicIPName ipname `
    | Update-AzureVM
  4. Re-running the Azure settings command yields a different result this time:
    Get-AzureVM -ServiceName servicename -Name vmname
    Results:
    PublicIPAddress : xxx.xxx.xxx.xxx
    PublicIPName : ipname
    PublicIPDomainNameLabel :
    PublicIPFqdns : {}

The PublicIPAddress field is your public IP address on the internet. Right off the bat, you can try to RDP (default port 3389) and this should work, whereas this would’ve failed with the default Azure firewall for the VM.

As with any approach, this one comes with its unique set of cons:

  1. Since you’re bypassing Azure firewall you have to be more mindful of how you handle your VM’s security, particularly the local firewall settings.
  2. Only one ILPIP for each VM. This means hosting multiple SSL websites on a single VM got infinitely more tricky.
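
For the first point above, an added example (not part of the original post) of tightening the local Windows Firewall once the VM has an ILPIP. It assumes Windows Server 2012 or later with the NetSecurity cmdlets and an English-language 'Remote Desktop' rule group; the two addresses are placeholders from the documentation ranges.

```powershell
# Added example: run in an elevated PowerShell session on the VM itself.
# Placeholder addresses (assumptions); replace with your own.
$MgmtRange   = '203.0.113.0/24'   # assumed: network your admins RDP from
$PartnerHost = '198.51.100.10'    # assumed: partner device that must ping first

# 1. Make sure every profile is on and blocks inbound traffic by default,
#    since nothing in front of the VM filters it any more.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block

# 2. List enabled inbound allow rules that accept traffic from any address.
#    With an ILPIP, each of these is reachable from the whole internet.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort -join ','
                Profile   = $_.Profile
            }
        }
    } | Sort-Object Rule | Format-Table -AutoSize

# 3. Limit RDP (3389) to the management range.
#    Do this from a session inside that range, or you will lock yourself out.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $MgmtRange

# 4. Allow ICMPv4 echo requests (ping) from the partner device only,
#    instead of opening ping to everyone.
New-NetFirewallRule -DisplayName 'Allow ping from partner (example)' `
    -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $PartnerHost
```

Review the table from step 2 after every change; anything still listed there is open to any source address.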

[1] Please note: a lot of my examples often refer to the classic portal since that’s the least common denominator. Most classic portal functions are supported on the new portal and then some.
