I am running a web API inside windows container on a VM, Its need to communicate to Azure Key-Vault through Azure AD MSI Extension ( which already installed on VM where Container has been created )
I tied various ways to access it through
http://HOST_MACHINE IP:50432/oauth2/token
http://DEFAULT GATEWay IP:50432/oauth2/token
http://localhost:50432/oauth2/token
etc..
But I am always getting the error " Unable to connect to the remote server
"
So Is it possible to get MSI extension access from a container and what I need to do if I want to communicate on port 50432 of the host system from a container?
The Azure AD MSI Extension is now end of life, information on the deprecation is here: https://azure.microsoft.com/en-us/blog/azure-ad-managed-service-identity-updates/. Tokens should now be retrieved through the Instance Metadata Service (IMDS) endpoint at http://169.254.169.254/metadata/identity/oauth2/token from within the VM.
Related
I want to use the Azure API Management Service (AMS) to expose the API created with R/Plumber hosted in a Docker container and runs in an Ubuntu machine.
Scenario
With R/Plumber I created some APIs that I want to protect. Then, I created a virtual machine on Azure with Ubuntu and installed Docker. The APIs are in a container that I published on the virtual machine by Docker. I can access them via internet.
On Azure I created an API Management service and added the APIs from the Swagger OpenAPI documentation.
Problem
I want to secure the APIs. I want to expose to the internet only the AMS. Then, my idea was to remove the public IP from the virtual machine and via a virtual network using the internal IPs to connect the API Management Service to the API with the internal IP (http://10.0.1.5:8000).
So, I tried to set a Virtual Network. Clicked on the menu, then External and then on the row, I can select a network. In this virtual network, I have one network interface that is the one the virtual machine is using.
When I save the changes, I have to wait a while and then I receive an error
Failed to connect to management endpoint at azuks-chi-testapi-d1.management.azure-api.net:3443 for a service deployed in a virtual network. Make sure to follow guidance at https://aka.ms/apim-vnet-common-issues.
I read the following documentation but I can't understand how to do what I wanted
Azure API Management - External Type: gateway unable to access resources within the virtual network?
How to use Azure API Management with virtual networks
Is there any how-to to use? Any advice? What are I doing wrong?
Update
I tried to add more Address space in the Virtual network.
One of them (10.0.0.2/24) is delegate for the API Management.
Then, in the Network security group I added the port 3443.
From the API manager I can't reach the server with the internet IP (10.0.2.5). What did I miss?
See common network configuration issues, it lists all dependencies that are expected to be exposed for APIM to work. Make sure that your vnet allows ingress at port 3443 for the subnet where APIM service is located. This configuration must be done on VNET side, not APIM.
I have following applications:
1. Azure cloud application (mvc mobile web application)
2. Service Bus Relay application(currently console application)
In this user interacts with the cloud application and then I'm sending data to the relay service which we are going to host it in client premises. Right now all the data interactions are fine. I'm able to save and receive data.
As it is a console app it always run as a command prompt. I would like to convert service bus relay application as a windows service so that I won't get this command prompt window. Our client doesn't want command prompt to be run in their server. Is it possible to convert it as a service? or is there is any other way to do it? I see all the examples using console applications.
Please help.
If you're running your app in a Virtual Machine or Cloud Service (web/worker role), you can indeed install a Windows Service. You'd just have to code up the Windows Service shell (start/stop/etc) and incorporate Service Bus code.
If you're running your code as a Web App (in an App Service), then no, you cannot install a Windows Service, as App Service doesn't let you install such software (since everything runs in a sandbox).
Can I use Secure-Gateway between my Cloud Foundry apps on Bluemix and my Bluemix docker container database (mongo)? It does not work for me.
Here the steps I have followed:
upload secure gw client docker image on bluemix
docker push registry.ng.bluemix.net/NAMESPACE/secure-gateway-client:latest
run the image with token as a parameter
cf ic run registry.ng.bluemix.net/edevregille/secure-gateway-client:latest GW-ID
when i look at the logs of the container secure-gateway, I get the following:
[INFO] (Client PID 1) Setting log level to INFO
[INFO] (Client PID 1) There are no Access Control List entries, the ACL Deny All flag is set to: true
[INFO] (Client PID 1) The Secure Gateway tunnel is connected
and the secure-gateway dashboard interface shows that it is connected too.
But then, when I try to add the MongoDB database (running also on my Bluemix at 134.168.18.50:27017->27017/tcp) as a destination from the service secure-gateway dashboard, nothing happened: the destination is not created (does not appear).
I am doing something wrong? Or is it just that this not a supported use case?
1) The Secure Gateway is a service used to integrate resources from a remote (company) data center into Bluemix. Why do you want to use the SG to access your docker container on Bluemix?
2) From a technical point of view the scenario described in the question should work. However, you need to add rule to the access control list (ACL) to allow access to the docker container with your MongoDB. When you are running the SG it has a console to type in commands. You could use something like allow 134.168.18.50:27017 as command to add the rule.
BTW: There is a demo using the Secure Gateway to connect to a MySQL running in a VM on Bluemix. It shows how to install the SG and add a ACL rule.
Added: If you are looking into how to secure traffic to your Bluemix app, then just use https instead of http. It is turned on automatically.
I can access a web service from remote machine through vpn.
And cannot access that web service from my local machine. I tried to install Visual studio in remote machine but there is no enough space.
I would like to create a web application and deploy it in remote machine, which will test that web service. Is it possible? or please let me know how to test that web service through my mvc web application.
Implementing the steps here: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-how-to-configure-iis-express/
I tried to access the mobile service REST interface from iOS, Android and Windows based applications running on a remote machine performing GETs and POSTS all requests result in an "authorization has been denied for this request" response.
I am able to navigate to the mobile service website from the remote machine mentioned above, which is on the same subnet as the mobile service, however when clicking on the "try it out" link I am prompted to enter credentials. I tried entering the mobile service key, windows credentials and the credentials used when setting up the database none worked all resulted in a re-prompt for credentials.
The same Android and Windows applications work without issue when running on the machine the mobile service is running on. I have to use 10.0.2.2 for android app running in the emulator to get the loopback to work but otherwise the code is unchanged.
The azure mobile service is running in the debugger using Visual Studio 2013 with Update 3. Visual Studio was launched as an admin.
All three apps iOS, Android and Windows can access the same mobile service when its running in Azure (Cloud).
I have read that the mobile service, running in IISExpress, allows anonymous requests originating from localhost but I have not seen any mention about how to configure authentication when accessing remotely or if any adjustments are needed to authenticate properly.
Any ideas?
Remote access for IIS Express is initially blocked
On Vista and Win7 or Win 8 run the following command with administratice Privileges
netsh http add urlacl url=http://xxxxx:port/ user=everyone