What are the prerequisites for remoting into VNet Windows VM using Azure Bastion? - azure-virtual-machine

Are there any prerequisites (nsg rules / firewall rules) required for RDP'ing into a VNet Windows VM (private IP only) using Azure Bastion? What ports does it use? Does it use a P2S VPN IP?

You don't need to open any ports in the NSG for your VM in the VNet for Azure Bastion. The traffic flow is as follows:
Client from the portal via HTTPS --> Azure Bastion in the VNet --> translates HTTPS to an RDP session and forwards the traffic to VMs within the same VNet using their private IPs. So, from the VM's perspective the traffic will be coming from the Azure Bastion instance IP addresses.
You don't need to make any changes to your environment. You can just add Bastion to your VNet and RDP to the VMs without a public IP from the portal.

Related

Need for Port Forwarding VPN?

I'm wondering if I need a port-forwarding-compatible VPN given my tasks below:
I'll be connecting to AWS services such as DocumentDB and RDS while travelling.
As a result, I plan on purchasing a dedicated IP VPN, so I can work while travelling, and add my VPN's static IP address to AWS to grant me access.
I'm working with a Java Spring Boot backend. It connects to the DocumentDB and RDS and performs CRUD operations.
Does my VPN need to be port forwarding compatible?
I'm planning to purchase NordVPN with a dedicated IP, but might have to look into other VPNs if port forwarding is required.
Some AWS services are VPC only, i.e. accessible only from the same VPC network. One of those services is DocumentDB; in order to connect directly from your laptop you'll have to create an SSH tunnel and port forward.
Having said that, you could have a bastion host in AWS configured with the right access, SSH (Linux) or RDP (Windows) to it and connect from that host.
The other option is https://aws.amazon.com/vpn/
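The SSH tunnel the answer refers to, as an added example that is not part of the original answer. It builds the `ssh -L` command that forwards a local port through the bastion to the cluster endpoint, waits for the forward to come up, and shows the connection URI the application then uses. The bastion address, SSH user, key path and cluster endpoint are placeholders; the TLS options reflect that DocumentDB enforces TLS and that its certificate names the cluster endpoint rather than 127.0.0.1.

```python
"""Reach a VPC-only service (DocumentDB) from a laptop through an SSH tunnel.

Added example; it is not from the original answer. The bastion address,
SSH user, key path and cluster endpoint are placeholders to replace.
"""
import socket
import subprocess
import sys
import time
from typing import List

DOCDB_PORT = 27017


def tunnel_argv(bastion: str, user: str, key_path: str,
                cluster_endpoint: str, local_port: int = 27017) -> List[str]:
    """Build the ssh command line for a local port forward.

    -N opens no remote shell, only the forward; -L maps 127.0.0.1:local_port on
    the laptop to cluster_endpoint:27017 as resolved *from the bastion*, which is
    why the VPC-only hostname works. Binding to 127.0.0.1 keeps the forwarded
    port off the laptop's other interfaces (e.g. hotel Wi-Fi).
    """
    return [
        "ssh", "-N",
        "-i", key_path,
        "-o", "ExitOnForwardFailure=yes",
        "-L", f"127.0.0.1:{local_port}:{cluster_endpoint}:{DOCDB_PORT}",
        f"{user}@{bastion}",
    ]


def connection_uri(user: str, password: str, local_port: int = 27017,
                   ca_file: str = "global-bundle.pem") -> str:
    """MongoDB-style URI the application uses while the tunnel is up.

    DocumentDB requires TLS and its certificate names the cluster endpoint,
    not 127.0.0.1, so hostname verification is relaxed for the tunnel hop while
    the CA bundle is still verified. retryWrites=false because DocumentDB does
    not support retryable writes.
    """
    return (
        f"mongodb://{user}:{password}@127.0.0.1:{local_port}/"
        f"?tls=true&tlsCAFile={ca_file}&tlsAllowInvalidHostnames=true"
        "&retryWrites=false"
    )


def wait_for_port(port: int, timeout: float = 10.0) -> bool:
    """Poll until something accepts connections on 127.0.0.1:port, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.settimeout(0.5)
            if probe.connect_ex(("127.0.0.1", port)) == 0:
                return True
        time.sleep(0.2)
    return False


if __name__ == "__main__":
    # Placeholder values; real ones come from your own environment.
    argv = tunnel_argv("bastion.example.com", "ec2-user", "~/.ssh/bastion.pem",
                       "docdb-cluster.example.internal")
    tunnel = subprocess.Popen(argv)
    if not wait_for_port(27017):
        tunnel.terminate()
        sys.exit("tunnel did not come up")
    print("connect with:", connection_uri("appuser", "<password from a secret store>"))
    tunnel.wait()
```

The bastion's security group still needs port 22 open only to the VPN's dedicated IP, and the DocumentDB cluster's security group needs 27017 open only to the bastion's security group; nothing on the laptop side needs inbound port forwarding, because the tunnel is an outbound SSH connection.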

Adding point to site VPN to existing VNET and Windows VM

I have set up a Windows machine in Azure in a newly created VNET. After that I set up a Virtual Network Gateway on this VNET. The gateway is in a different subnet as instructed by Microsoft. I am able to connect to this VPN from my desktop, however I am unable to connect to the VM.
The VM's private IP is 10.0.0.4. It sits on the "default" subnet with address range 10.0.0.0/24. The VNET address range is defined as 10.0.0.0/24, and the default gateway address range is 10.67.0.0/24.
What have I done wrong? Is there any chance to alter the setup or does it require building the VNET from scratch and then the VMs?
When you connect to your Azure VM from the desktop via a VPN connection, you could connect to the VM with its private IP. If you have set the GatewaySubnet address range to 10.67.0.0/24, I guess that you should have address space in your VNet like this, or you need to expand your address space.
To configure your VPN, you could refer to example values or this step-by-step blog. For Windows VPN clients, you could select SSTP (SSL) or IKEv2 and SSTP (SSL) tunnel type.
When you modify your configuration on the Azure portal, you could re-download the VPN client package to re-connect the VPN connection. Let me know if you need further assistance in this case.
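A check for the layout problem the answer points at, as an added example that is not part of the original answer. It encodes the rules the answer relies on: every subnet, GatewaySubnet included, must lie inside the VNet address space; subnets must not overlap; and the point-to-site client address pool must not overlap the VNet, otherwise client traffic to 10.0.0.4 has no usable route. The client pool 172.16.201.0/24 used below is an assumed example value, not something the question states.

```python
"""Sanity-check an Azure VNet layout for a point-to-site VPN gateway.

Added example, not from the original answer. Subnet and pool values in the
tests are taken from the question or assumed for illustration.
"""
from ipaddress import ip_network
from typing import Dict, List


def check_vnet_layout(vnet_space: List[str], subnets: Dict[str, str],
                      client_pool: str) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    problems: List[str] = []
    spaces = [ip_network(s) for s in vnet_space]
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    pool = ip_network(client_pool)

    # 1. Each subnet must be contained in one of the VNet address prefixes.
    #    This is exactly what fails for GatewaySubnet 10.67.0.0/24 in a 10.0.0.0/24 VNet.
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"subnet {name} {net} is outside the VNet address space {vnet_space}")

    # 2. Subnets must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} {nets[a]} and {b} {nets[b]} overlap")

    # 3. The client pool is routed into the VNet over the tunnel, so it must not collide with it.
    for space in spaces:
        if pool.overlaps(space):
            problems.append(f"client address pool {pool} overlaps VNet prefix {space}")

    # 4. Azure requires a subnet literally named GatewaySubnet for the gateway.
    if "GatewaySubnet" not in nets:
        problems.append("no subnet named GatewaySubnet")
    return problems


def layout_from_question() -> List[str]:
    """The layout described in the question: VNet 10.0.0.0/24, gateway subnet 10.67.0.0/24."""
    return check_vnet_layout(
        ["10.0.0.0/24"],
        {"default": "10.0.0.0/24", "GatewaySubnet": "10.67.0.0/24"},
        "172.16.201.0/24",   # assumed client pool
    )


def layout_after_expanding_address_space() -> List[str]:
    """Same subnets, but 10.67.0.0/24 added as a second VNet address prefix."""
    return check_vnet_layout(
        ["10.0.0.0/24", "10.67.0.0/24"],
        {"default": "10.0.0.0/24", "GatewaySubnet": "10.67.0.0/24"},
        "172.16.201.0/24",
    )


if __name__ == "__main__":
    for label, result in (("as asked", layout_from_question()),
                          ("after expanding address space", layout_after_expanding_address_space())):
        print(f"{label}: {result or 'no problems'}")
```

Expanding the address space is the non-destructive fix; the VM and its subnet stay as they are. The gateway does not need rebuilding either, since it already sits in 10.67.0.0/24; what changes is that the VNet now actually owns that prefix, so the VM's subnet route table learns the client pool via the gateway.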

HashiCorp Vault is not accessible out side of EC2

I have installed HashiCorp Vault on a Linux EC2 machine in AWS. I have unsealed it and allowed all outbound traffic in the Security Group. I am able to access the Vault service within the EC2 instance using "http://localhost:8200". But I am unable to use the service when I try to hit the URL using the public IPv4 of the EC2 from the internet (e.g. http://xxx.xxx.xxx.xxx:8200).
Check your network configuration.
There are a few things you can check:
Your Security Group allows connections from your IP to port 8200.
Your EC2 instance is in a public subnet.
The NACL of the public subnet allows connections to/from port 8200 and to/from your IP.
The route table of the public subnet has an Internet Gateway attached.
If you validate these 4 points and still can't connect to the service, it can be a problem of the service listen address being 127.0.0.1 (localhost).
https://www.vaultproject.io/docs/commands/server.html#dev-listen-address
In that case, you should start your HashiCorp Vault with the options:
-dev -dev-listen-address="0.0.0.0:8200"
This problem is described here:
Is it possible to start Vault dev server on 0.0.0.0 instead of 127.0.0.1?
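The listen-address failure mode from the answer, reproduced locally as an added example that is not part of the original answer and does not need Vault installed. It starts two throwaway TCP listeners standing in for Vault on :8200, one bound to 127.0.0.1 and one to 0.0.0.0, and probes each the way a remote client would: via loopback and via another address of the same host (the EC2 public or private IP in the question). The host address used for the second probe is whatever the local machine resolves its hostname to, with 127.0.0.2 as a fallback.

```python
"""Why a service bound to 127.0.0.1 answers on localhost but not on the host's IP.

Added example, not from the original answer. Nothing here talks to Vault;
the listeners are stand-ins, opened on ephemeral ports.
"""
import socket
from typing import Tuple


def other_local_address() -> str:
    """An address of this host other than 127.0.0.1, playing the role of the EC2 IP."""
    try:
        for addr in socket.gethostbyname_ex(socket.gethostname())[2]:
            if addr != "127.0.0.1":
                return addr
    except socket.gaierror:
        pass
    # Fallback: on Linux all of 127/8 sits on lo, yet a socket bound specifically
    # to 127.0.0.1 still refuses connections addressed to 127.0.0.2.
    return "127.0.0.2"


def serve(bind_addr: str) -> Tuple[int, socket.socket]:
    """Open a listener on bind_addr with an ephemeral port; returns (port, socket).

    bind_addr is the only thing Vault's -dev-listen-address (or the `address`
    field of a listener "tcp" stanza) controls: 127.0.0.1 accepts loopback
    connections only, 0.0.0.0 accepts on every interface.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)          # the kernel completes handshakes into the backlog; no accept() needed
    return srv.getsockname()[1], srv


def reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes (connect_ex returns 0)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.settimeout(timeout)
        return client.connect_ex((host, port)) == 0


def diagnose(bind_addr: str) -> Tuple[bool, bool]:
    """Bind a listener on bind_addr and report (reachable via loopback, reachable via host IP)."""
    port, srv = serve(bind_addr)
    try:
        return reachable("127.0.0.1", port), reachable(other_local_address(), port)
    finally:
        srv.close()


if __name__ == "__main__":
    for addr in ("127.0.0.1", "0.0.0.0"):
        via_loopback, via_host_ip = diagnose(addr)
        print(f"bound to {addr:9}: localhost={via_loopback} host-ip={via_host_ip}")
```

One caveat the answer does not spell out: `-dev` mode stores everything in memory, prints a root token, and serves plain HTTP. Binding it to 0.0.0.0 on an instance with a public IPv4 puts an unauthenticated-by-default, unencrypted Vault on the internet. For anything beyond a quick experiment, run the server from a config file with a `listener "tcp"` stanza that sets `address`, `tls_cert_file` and `tls_key_file`, and keep the Security Group rule for 8200 limited to your own source IP rather than 0.0.0.0/0.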

How to create IAP tunnel for windows VM with no external ip

How can I set up an IAP tunnel to a GCP Windows VM with no external IP in order to RDP from outside GCP when required?
Cloud IAP uses TCP forwarding to provide access via SSH or RDP to VM instances without a public IP or a bastion host.
Here are quick start guides you may follow:
Protecting your cloud VMs with Cloud IAP context-aware access controls
Cloud IAP enables context-aware access to VMs via SSH and RDP without bastion hosts
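The firewall prerequisite that the linked guides describe, as an added example that is not part of the original answer: IAP TCP forwarding reaches the VM from Google's 35.235.240.0/20 range, so a VPC firewall rule must allow ingress from that range to the port being tunnelled (3389 for RDP, 22 for SSH). The function below evaluates rule objects shaped like the JSON that `gcloud compute firewall-rules describe --format=json` returns; the rules in the tests are constructed for illustration. Target tags and target service accounts are not evaluated here and must additionally match the VM.

```python
"""Check that a GCP VPC firewall rule admits IAP TCP forwarding to a port.

Added example, not from the original answer or the linked guides. Sample rules
are constructed; real ones come from `gcloud compute firewall-rules list --format=json`.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List

# Google's published source range for IAP TCP forwarding.
IAP_SOURCE_RANGE = ip_network("35.235.240.0/20")


def _port_match(spec: str, port: int) -> bool:
    """gcloud port specs are single ports ("3389") or ranges ("3000-4000")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_allows_iap(rule: Dict, port: int, protocol: str = "tcp") -> bool:
    """True if this single rule permits ingress from the IAP range to port/protocol."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    # The whole IAP range must be covered; 0.0.0.0/0 covers it (but is far wider
    # than needed), 35.235.240.0/20 covers it exactly, 10.128.0.0/9 does not.
    sources = [ip_network(r) for r in rule.get("sourceRanges", [])]
    if not any(src.version == 4 and IAP_SOURCE_RANGE.subnet_of(src) for src in sources):
        return False
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") in (protocol, "all"):
            ports: List[str] = allowed.get("ports", [])
            if not ports or any(_port_match(p, port) for p in ports):  # no ports list = all ports
                return True
    return False


def iap_port_reachable(rules: Iterable[Dict], port: int) -> bool:
    """True if any enabled rule in the VPC lets IAP reach the port.

    Deny rules and priorities are ignored here; this is a prerequisite check,
    not a full policy evaluation.
    """
    return any(rule_allows_iap(r, port) for r in rules)


# Constructed sample rules in gcloud's JSON shape.
ALLOW_INTERNAL = {
    "name": "allow-internal", "direction": "INGRESS",
    "sourceRanges": ["10.128.0.0/9"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}],
}
ALLOW_RDP_FROM_IAP = {
    "name": "allow-rdp-from-iap", "direction": "INGRESS",
    "sourceRanges": ["35.235.240.0/20"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
    "targetTags": ["rdp-via-iap"],   # the VM must carry this tag as well
}

if __name__ == "__main__":
    print("RDP via IAP with only the internal rule:", iap_port_reachable([ALLOW_INTERNAL], 3389))
    print("RDP via IAP with the IAP rule added:   ",
          iap_port_reachable([ALLOW_INTERNAL, ALLOW_RDP_FROM_IAP], 3389))
```

Once the rule is in place (and the caller has the IAP-secured Tunnel User role on the VM), the tunnel itself is `gcloud compute start-iap-tunnel VM_NAME 3389 --local-host-port=localhost:13389 --zone ZONE`, after which the RDP client connects to localhost:13389.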

AWS Pfsense OpenVPN no access to private subnet

My question is about not being able to connect to my private instance in an AWS VPC through a VPN.
I have set up a pfSense instance that also acts as the OpenVPN server.
Then I installed pfSense on AWS with the official pfSense AMI and everything is working as expected so far.
I have 1 public subnet and 1 private subnet containing a Linux instance that I want to reach via the VPN.
When connecting to the VPN I can't ping the Linux instance in the private subnet.
The pfSense firewall (2.4.4) has the following interfaces:
**WAN** 10.3.0.245
**LAN** 10.3.1.5
The OpenVPN tunnel network is 10.3.2.0/24 going to 10.3.1.0/24, channeling all traffic through the VPN.
The Linux instance has the following private IP: 10.3.1.58
The firewall itself can ping the instance, and when I connect to the VPN (Windows host) I can ping the firewall on 10.3.1.5.
However, I can't ping 10.3.1.58 (request timed out).
I can't SSH into the instance either.
Could the route table be wrong?
Route print on Windows VPN client:
The security group in Amazon allows all traffic for now.
Disabled the firewall on the Linux system.
Disabled source/destination checking on the instance and the secondary network interface.
I have allowed traffic from the VPN to the LAN (for now I allowed all traffic to see where the problem lies).
Did you disable source/destination checks on the pfsense instance?
You can disable it by following this guide - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
My hosts have their gateway set as 10.3.1.1, it should be 10.3.1.5 (PFSense Lan).
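The asymmetric-routing cause the thread ends on, modelled as an added example that is not part of the original thread. It performs a longest-prefix route lookup over a routing table like the one the private Linux instance has by default on AWS, to show why pfSense could reach 10.3.1.58 while the VPN client could not: the instance's replies followed its default route to the VPC router at 10.3.1.1, which has no route back into the 10.3.2.0/24 tunnel network, whereas pings from pfSense itself came from 10.3.1.5, an on-link address the instance answers directly. The route tables below are constructed from the addresses in the question; the VPN client address 10.3.2.6 is assumed.

```python
"""Return-path route lookup for the pfSense/OpenVPN question above.

Added example, not from the original thread. Route tables are constructed from
the addresses given in the question; 10.3.2.6 is an assumed VPN client address.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str]]   # (destination prefix, gateway; None means on-link)

PFSENSE_LAN = "10.3.1.5"   # the only host on 10.3.1.0/24 that knows the tunnel network
VPC_ROUTER = "10.3.1.1"    # AWS's implicit router, first usable address of the subnet


def next_hop(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route whose prefix contains dst."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def reply_reaches_vpn_client(routes: List[Route], client_ip: str) -> bool:
    """A reply only enters the tunnel if the instance hands it to pfSense's LAN address."""
    _, gateway = next_hop(routes, client_ip)
    return gateway == PFSENSE_LAN


# What the instance had: subnet on-link, everything else via the VPC router.
BROKEN: List[Route] = [("10.3.1.0/24", None), ("0.0.0.0/0", VPC_ROUTER)]
# Minimal fix: one route for the tunnel network via pfSense; internet still via the VPC router.
FIXED_SPECIFIC: List[Route] = BROKEN + [("10.3.2.0/24", PFSENSE_LAN)]
# What the thread did: default gateway moved to pfSense, so all egress also flows through it.
FIXED_DEFAULT: List[Route] = [("10.3.1.0/24", None), ("0.0.0.0/0", PFSENSE_LAN)]

if __name__ == "__main__":
    client = "10.3.2.6"
    for label, table in (("broken", BROKEN), ("specific route", FIXED_SPECIFIC), ("default via pfSense", FIXED_DEFAULT)):
        print(f"{label:20}: reply to {client} goes via {next_hop(table, client)} "
              f"-> reaches client: {reply_reaches_vpn_client(table, client)}")
```

Changing every host's default gateway works but routes all of the instance's egress through pfSense. The narrower alternatives are a per-host route for 10.3.2.0/24 via 10.3.1.5 as above, or an entry for 10.3.2.0/24 in the private subnet's VPC route table targeting pfSense's LAN network interface (the disabled source/destination check on that interface is what makes the latter possible), which fixes the return path for the whole subnet without touching the instances.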