Azure: UDR for Gateway Subnet (Forced tunneling to appliance!)

Microsoft has silently released new network functionality (as of may 2016 ) for Azure Resource Manager. This new functionality allows you to force tunnel traffic from a VM and to your Appliance in the cloud from a Virtual Network Gateway. (ExpressRoute, IPSEC, vnet to vnet)

 In previous scenario's we only had the possibility to tunnel traffic from vm's in a subnet to a subnet where an appliance resided in a one way scenario. 

You would then use technologies like an IPSEC VPN on your appliance to tunnel your traffic to and from a other datacenter and act as a network overlay to route your traffic according to your wishes.

Now it's possible to force traffic coming from the virtual network gateway be it from the IPSEC VPN connection or the ExpressRoute connection to your appliance in a different vNet (so use the default gateway VPN/Expressroute functionality). You need to add a UDR (User Defined Rule) in the "GatewaySubnet" in your vnet telling the exact ip space you with to force tunnel towards the appliance. The Appliance must be in a subnet without any UDR rules on it. 

 Then you can also implement UDR rules on the subnets in which your virtual machines reside. This will force all traffic to your appliance for inspection and other necessary security measures you need as a business.

Reacties

Een reactie posten

Populaire posts van deze blog

One ADFS to serve them all (Part I)!

Afbeelding
One ADFS to serve them all (part I)! The goal is to use a vanity URL host names that your site is using and to also use that same host name to resolve ADFS, without having you redirected back to the ADFS original service name (hostname + URL). Because for the end users this shouldn't look like anything else but the vanity domain they are already connected to. Thus how do we solve this? Follow this basic lab entry to get a feeling for the end solution. (I will post more about this subject in greater detail) The ADFS Limitation. The limitation I'm speaking of, in this case is the endpoint for SAML 2.0 / WS-Federation: "/adfs/ls"  (but as you can imagine it's pretty much every endpoint listed in ADFS) We connect with the 1 possible value set during installation for the federation service name: "your.host.name"  Which results in all endpoints only being accessibly under that federation service name.    Figure A: Federation service
Meer lezen

Microsoft Hub NVA configuration example.

Afbeelding
Microsoft Hub NVA configuration example. So in my previous post i gave a short description of implementing Microsoft Hub-Spoke model in IaaS. And i promised to publish some sample code you could use in CICD. Of course the main goal should be to get in to containers and such technologies but seeing as how slow large enterprises are willing to adopt and move to such technologies I'm guessing IaaS will be a standard for some time yet. So I'm going to give you a sketch of a private data center connection via express route (or a S2S VPN instead of the express route) to your azure subscription. And slowly start to explain a few basic configurations. The first overview:      So in this simple drawing you can see I've implemented a express route. I've not drawn a full blown resource drawing so you're bound to miss certain things like a circuit for instance but lets keep it simple. The green line is a express route configuration over whi
Meer lezen

RDS: Remote Desktop Gateway with NPS and Cross domain identities.

This post is about configuring a Remote Desktop Gateway in Resource Domain A while consuming the identities from Identity domain B. Setup: - NPS in Domain A  - RDG in domain A - MFA in Domain A Requirements a "TWO-WAY trust" with selective authentication (or wide if you have no security risks) It won't be possible to authenticate users from domain B in Domain A via the RDG until the computer account has gotten the permission "Allow to authenticate" on the domain controllers in Domain B. The simplest way to achieve this is by going to properties on the "Domain Controllers" OU in users and computers in domain B (RSAT tools) and going to the security Tab. (if you don't see the security tab in users and computers then make sure you've enabled "advanced features" under the view selection.) Then when you're in the security tab click the bottom advanced button. This will open the "Advanced Security Settings for Domain
Meer lezen