0
votes

I can't get a working outgoing connection from my load-balanced VMs created in Azure Stack. I have scenario 2 of the documentation: "Public Load Balancer associated with a VM (no Instance Level Public IP address on the instance)". Only port 80 is working as an outgoing connection out of the box. I am behind an additional firewall and I ask myself whether I have to open any other specific ports to allow communication to the internet. Three questions:

  • Is the problem that the port I try to access from inside the VMs is translated to a different SNAT port by the load balancer?

  • The documentation says something about the amount of used SNAT ports, but it does not say which SNAT ports are used. Which ports do I have to open in the outer firewall?

  • Why is port 80 working out of the box? I can access the web from within the VMs by default. This means that it is possible to reach the public internet. I did not include any additional rule for port 80 myself.

I found the following hint in the incoming connection section of the Azure security group's firewall settings: ephemeral ports between 49152 and 65534 are explicitly mentioned there. Unfortunately, opening these ports in the outgoing connections of our outer firewall didn't do the trick either. All VM-internal firewalls are open on all ports.

I created the cluster using the following template. The SKU should be the default one, "standard", since I did not specify anything else for the LoadBalancer.

  {
    "apiVersion": "[variables('lbApiVersion')]",
    "type": "Microsoft.Network/loadBalancers",
    "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
    "location": "[variables('location')]",
    "dependsOn": [
      "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
    ],
    "properties": {
      "frontendIPConfigurations": [
        {
          "name": "LoadBalancerIPConfig",
          "properties": {
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
            }
          }
        }
      ],
      "backendAddressPools": [
        {
          "name": "LoadBalancerBEAddressPool",
          "properties": {}
        }
      ],
      "loadBalancingRules": [
        {
          "name": "LBRule",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[variables('lbProbeID0')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "LBHttpRule",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[variables('lbHttpProbeID0')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortLBRule1",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[parameters('loadBalancedAppPort1')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[parameters('loadBalancedAppPort1')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortLBRule2",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[parameters('loadBalancedAppPort2')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[parameters('loadBalancedAppPort2')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
            },
            "protocol": "tcp"
          }
        }
      ],
      "probes": [
        {
          "name": "FabricGatewayProbe",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[variables('nt0fabricTcpGatewayPort')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "FabricHttpGatewayProbe",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[variables('nt0fabricHttpGatewayPort')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortProbe1",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[parameters('loadBalancedAppPort1')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortProbe2",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[parameters('loadBalancedAppPort2')]",
            "protocol": "tcp"
          }
        }
      ],
      "inboundNatPools": [
        {
          "name": "LoadBalancerBEAddressNatPool",
          "properties": {
            "backendPort": "3389",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPortRangeEnd": "4500",
            "frontendPortRangeStart": "3389",
            "protocol": "tcp"
          }
        }
      ]
    },
    "tags": {
      "resourceType": "Service Fabric",
      "clusterName": "[parameters('clusterName')]"
    }
  },

To make it short: how do I realize outgoing connections from Azure VMs?

1
What is the SKU of the load balancer? (Standard or basic?) - Neil Sant Gat
What do you mean about the third question? - Charles Xu
@CharlesXu-MSFT: I edited the third question. - BaluJr.

1 Answer

0
votes

For your issue, I will tell you all I know. Hope it will help you.

Is it the problem, that the port I try to access from inside the VMs is translated to a different SNAT port by the load-balancer?

No. Using SNAT rules, you can translate the access flow from the Internet to a different port or not, as you want. Azure Load Balancer SNAT rules mean you can connect to VM port A from the Internet with port B. Port A and port B can be the same or not.

The documentation says something about the amount of used SNAT ports, but it does not say which SNAT ports are used? Which ports do I have to open in the outer firewall?

As I tested, you can even use port 1 in Load Balancer NAT rules. So I assume that the document means how many ports can be used per IP configuration. I suggest you read the document again carefully.

Why is port 80 working out of the box? I can per default access the web from within the VMs. This means, that it is possible to reach the public internet. I did not include any additional rule for port 80 myself.

For this issue, you should check a few things. First, whether you have a public IP associated with your VM apart from the Load Balancer. Second, take a look in the Azure portal to see whether there are any other NAT rules. Or you can use the CLI command az network lb inbound-nat-rule list.
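As an added example (not code from the question, the answer, or Azure's own tooling), the following Python script does offline what the answer suggests checking in the portal or with the CLI: it parses a constructed, trimmed copy of the load balancer resource from the question's template, resolves its [variables('...')] and [parameters('...')] references against assumed values, and reports which ports the public frontend exposes inbound (the four load-balancing rules and the 3389-4500 NAT pool that lands on RDP port 3389) and whether the resource declares any explicit outboundRules, a property Standard-SKU load balancers on public Azure can carry and which the question's template does not contain. The port numbers in VARIABLES and PARAMETERS are assumptions for the example.

```python
"""Audit the port exposure of an Azure Load Balancer resource from an ARM template.

Added example, not code from the original question or answer. It works on a
constructed, reduced copy of the loadBalancers resource posted in the question.
"""
import json
import re

# Assumed values for the template's variables() / parameters(); the real
# template defines them elsewhere, so these numbers are constructed.
VARIABLES = {
    "nt0fabricTcpGatewayPort": 19000,
    "nt0fabricHttpGatewayPort": 19080,
}
PARAMETERS = {
    "loadBalancedAppPort1": 80,
    "loadBalancedAppPort2": 8081,
}

# Matches a single-reference ARM expression such as "[variables('x')]".
EXPR = re.compile(r"^\[(variables|parameters)\('(\w+)'\)\]$")


def resolve(value):
    """Resolve a single-reference ARM expression; turn numeric strings into ints."""
    if isinstance(value, str):
        m = EXPR.match(value)
        if m:
            scope = VARIABLES if m.group(1) == "variables" else PARAMETERS
            return scope[m.group(2)]
        if value.isdigit():
            return int(value)
    return value


# Constructed, trimmed copy of the question's resource: same rule names,
# port expressions and NAT pool; probes, ids and frontend config omitted.
LB_RESOURCE = json.loads("""
{
  "type": "Microsoft.Network/loadBalancers",
  "properties": {
    "loadBalancingRules": [
      {"name": "LBRule", "properties": {"frontendPort": "[variables('nt0fabricTcpGatewayPort')]", "backendPort": "[variables('nt0fabricTcpGatewayPort')]", "protocol": "tcp"}},
      {"name": "LBHttpRule", "properties": {"frontendPort": "[variables('nt0fabricHttpGatewayPort')]", "backendPort": "[variables('nt0fabricHttpGatewayPort')]", "protocol": "tcp"}},
      {"name": "AppPortLBRule1", "properties": {"frontendPort": "[parameters('loadBalancedAppPort1')]", "backendPort": "[parameters('loadBalancedAppPort1')]", "protocol": "tcp"}},
      {"name": "AppPortLBRule2", "properties": {"frontendPort": "[parameters('loadBalancedAppPort2')]", "backendPort": "[parameters('loadBalancedAppPort2')]", "protocol": "tcp"}}
    ],
    "inboundNatPools": [
      {"name": "LoadBalancerBEAddressNatPool", "properties": {"backendPort": "3389", "frontendPortRangeStart": "3389", "frontendPortRangeEnd": "4500", "protocol": "tcp"}}
    ]
  }
}
""")


def audit_load_balancer(resource):
    """Summarise inbound exposure and whether explicit outbound rules exist."""
    props = resource["properties"]
    inbound = []
    for rule in props.get("loadBalancingRules", []):
        p = rule["properties"]
        inbound.append({
            "rule": rule["name"],
            "protocol": p["protocol"],
            "frontend": resolve(p["frontendPort"]),
            "backend": resolve(p["backendPort"]),
        })
    nat_pools = []
    for pool in props.get("inboundNatPools", []):
        p = pool["properties"]
        start = resolve(p["frontendPortRangeStart"])
        end = resolve(p["frontendPortRangeEnd"])
        nat_pools.append({
            "pool": pool["name"],
            "frontend_range": (start, end),
            "frontend_port_count": end - start + 1,
            "backend": resolve(p["backendPort"]),
        })
    return {
        "inbound_rules": inbound,
        "nat_pools": nat_pools,
        # outboundRules is an optional property; the question's template has none.
        "has_outbound_rules": bool(props.get("outboundRules")),
    }


def exposed_frontend_ports(report):
    """Flatten a report into the set of TCP ports reachable on the public frontend."""
    ports = {r["frontend"] for r in report["inbound_rules"]}
    for pool in report["nat_pools"]:
        start, end = pool["frontend_range"]
        ports.update(range(start, end + 1))
    return ports


if __name__ == "__main__":
    report = audit_load_balancer(LB_RESOURCE)
    for r in report["inbound_rules"]:
        print(f"{r['rule']}: {r['protocol']} frontend {r['frontend']} -> backend {r['backend']}")
    for pool in report["nat_pools"]:
        print(f"{pool['pool']}: frontend {pool['frontend_range']} -> backend {pool['backend']}")
    print("explicit outbound rules declared:", report["has_outbound_rules"])
    print("distinct public frontend ports exposed:", len(exposed_frontend_ports(report)))
```

Running it shows that the inbound NAT pool alone publishes 1112 frontend ports to the internet, all terminating on RDP, while nothing in the resource describes the outbound side: the template carries no outbound port information, which is consistent with the question's observation that the documentation does not say which SNAT ports are used.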