Windows Azure – Manage VMs Endpoints
In past posts, I was blogging about how to
Now let's see how to manage the endpoints configured on your VM. This will be covered in four points:
- Change an existing Endpoint
- Assign ACL to an existing Endpoint
- Create a new Endpoint
- Remove an Endpoint
Change an existing Endpoint configuration
First of all, let's determine which Endpoints are known on our VM.
Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") | ft -AutoSize
LBSetName LocalPort Name       Port  Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----       ----  -------- ---             --------- --------- ------------- ----------------------
          3389      RDP        52045 tcp      137.117.209.155           0
          5986      WinRmHTTPs 65003 tcp      137.117.209.155           0
Here are the two endpoints created by default by Microsoft on our VM. Let’s bypass our work firewall 🙂
Here is how to do this: I'll set the public listening port to 443, forwarded to the classic RDP port 3389... Beware: this command can't be used if your Endpoint is load balanced.
Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | Set-AzureEndpoint -Name "RDP" -PublicPort 443 -LocalPort 3389 -Protocol "tcp" | Update-AzureVM
OperationDescription OperationId                          OperationStatus
-------------------- -----------                          ---------------
Update-AzureVM       e5cd98c2-2645-7cd2-bad3-ea0066711bee Succeeded
Let’s check if everything is ok.
Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") | ft -AutoSize
LBSetName LocalPort Name       Port  Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----       ----  -------- ---             --------- --------- ------------- ----------------------
          3389      RDP        443   tcp      137.117.209.155           0
          5986      WinRmHTTPs 65003 tcp      137.117.209.155           0
As you see, our endpoint for RDP is now listening on 443 and we can easily connect to it from locked-down environments! But we have opened our server on port 443 to every scanner or botnet all over the world. Microsoft thought about it, and you can assign an ACL to an endpoint 🙂
Assign ACL to an existing Endpoint
As I said previously, let's filter and protect our endpoint.
First, create an ACL object.
$Rights = New-AzureAclConfig
And add rules to it... If you want to add multiple rules, don't forget that each rule's Order must be unique and that the order matters (like ACLs in your firewall).
# First let's allow our work network
Set-AzureAclConfig -AddRule -ACL $Rights -Order 0 -Action Permit -RemoteSubnet "192.168.10.0/24" -Description "Allow Work Network"
# Then deny all other stuff
Set-AzureAclConfig -AddRule -ACL $Rights -Order 1 -Action Deny -RemoteSubnet "0.0.0.0/0" -Description "Deny All kind of stuff"
Then we'll just have to apply the ACL to the endpoint and update the VM.
Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | Set-AzureEndpoint -ACL $Rights -Name "RDP" | Update-AzureVM
And now, you can access your endpoint only from a machine on the 192.168.10.0/24 network 🙂
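As an added example (not code from the original post), here is the same ACL workflow carried a little further: several permitted subnets built in a loop, a final explicit deny, the ACL applied to the RDP endpoint, and then read back from the VM with Get-AzureAclConfig to confirm that the catch-all deny is really the last rule. The service name and VM name are the ones used in the post; the second subnet is a constructed documentation range.

```powershell
# Added example, not from the original post. Assumes the classic Azure module is loaded
# and a subscription is selected (Add-AzureAccount / Select-AzureSubscription).
$serviceName = "pwrshellxlab"
$vmName      = "pwrshell-ok"

# Subnets allowed to reach RDP; the second one is a constructed sample value
$allowed = @(
    @{ Subnet = "192.168.10.0/24"; Description = "Allow Work Network" },
    @{ Subnet = "203.0.113.0/24";  Description = "Allow branch office (sample range)" }
)

$acl   = New-AzureAclConfig
$order = 0
foreach ($entry in $allowed) {
    # Each rule needs a unique Order; lower numbers are evaluated first
    Set-AzureAclConfig -AddRule -ACL $acl -Order $order -Action Permit `
        -RemoteSubnet $entry.Subnet -Description $entry.Description
    $order++
}

# Close the list with an explicit deny for everything else, exactly as the post does
Set-AzureAclConfig -AddRule -ACL $acl -Order $order -Action Deny `
    -RemoteSubnet "0.0.0.0/0" -Description "Deny everything else"

# Apply the ACL to the RDP endpoint and push the change to Azure
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name "RDP" -ACL $acl |
    Update-AzureVM

# Read the ACL back from the VM instead of trusting the local object.
# The returned NetworkAclObject enumerates its rules when piped.
$vm      = Get-AzureVM -ServiceName $serviceName -Name $vmName
$applied = Get-AzureAclConfig -VM $vm -EndpointName "RDP" | Sort-Object Order

$applied | Format-Table Order, Action, RemoteSubnet, Description -AutoSize

# Sanity check: the highest-ordered rule must still be the catch-all deny
$last = $applied | Select-Object -Last 1
if ($null -eq $last -or $last.Action -ne "Deny" -or $last.RemoteSubnet -ne "0.0.0.0/0") {
    Write-Warning "RDP endpoint on $vmName does not end with a Deny 0.0.0.0/0 rule"
}
```

The read-back step is the part worth keeping: Update-AzureVM only reports that the operation succeeded, so verifying the stored rules is the only way to be sure the endpoint is filtered the way you intended.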
Create a new Endpoint
Ok, if you install an IIS or Apache web server on your VM and want to make it reachable, you'll have to create the Endpoint manually. Nothing difficult here..
Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | Add-AzureEndpoint -Name 'web' -LocalPort 80 `
    -PublicPort 80 -Protocol tcp | Update-AzureVM
OperationDescription OperationId                          OperationStatus
-------------------- -----------                          ---------------
Update-AzureVM       ca096f57-f22f-71de-b838-f34ed770588d Succeeded
Let’s check the result..
Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") | ft -AutoSize
LBSetName LocalPort Name       Port  Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----       ----  -------- ---             --------- --------- ------------- ----------------------
          3389      RDP        443   tcp      137.117.209.155           0
          80        web        80    tcp      137.117.209.155           0
          5986      WinRmHTTPs 65003 tcp      137.117.209.155           0
Here we go, everything is set as we want, and our web server is visible to everyone on the internet.
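An endpoint created this way is reachable from anywhere until an ACL is attached, and it is easy to lose track of which endpoints in a subscription are still open. The following is an added example (not from the original post) that walks every classic VM in the current subscription, reads each endpoint's ACL, and reports the endpoints that either have no ACL or whose ACL does not end with the Deny 0.0.0.0/0 rule the post recommends. The function name Get-ExposedEndpoint is my own.

```powershell
# Added example, not from the original post. Assumes the classic Azure module is loaded
# and a subscription is selected (Add-AzureAccount / Select-AzureSubscription).
function Get-ExposedEndpoint {
    # Get-AzureVM without parameters lists every VM in the subscription as a summary object;
    # the full VM object is fetched per VM because Get-AzureEndpoint needs it.
    foreach ($summary in Get-AzureVM) {
        $vm = Get-AzureVM -ServiceName $summary.ServiceName -Name $summary.Name

        foreach ($ep in (Get-AzureEndpoint -VM $vm)) {
            # NetworkAclObject enumerates its rules when piped; no ACL yields an empty array
            $acl   = Get-AzureAclConfig -VM $vm -EndpointName $ep.Name
            $rules = if ($acl) { @($acl | ForEach-Object { $_ } | Sort-Object Order) } else { @() }

            $reason = $null
            if ($rules.Count -eq 0) {
                $reason = "no ACL"
            }
            else {
                $last = $rules[-1]
                if ($last.Action -ne "Deny" -or $last.RemoteSubnet -ne "0.0.0.0/0") {
                    $reason = "ACL does not end with Deny 0.0.0.0/0"
                }
            }

            if ($reason) {
                [pscustomobject]@{
                    ServiceName = $vm.ServiceName
                    VM          = $vm.Name
                    Endpoint    = $ep.Name
                    PublicPort  = $ep.Port
                    LocalPort   = $ep.LocalPort
                    Protocol    = $ep.Protocol
                    LBSetName   = $ep.LBSetName
                    Reason      = $reason
                }
            }
        }
    }
}

# Usage: list the exposed endpoints, most interesting ports first
Get-ExposedEndpoint | Sort-Object ServiceName, VM, PublicPort | Format-Table -AutoSize
```

The check deliberately requires the explicit deny-all rule used in this post, so an ACL made only of Permit rules is reported as well; treat the output as a review list rather than a verdict. The LBSetName column is included because, as noted earlier, a load-balanced endpoint cannot be changed with Set-AzureEndpoint and needs to be handled through its load-balanced set instead.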
Remove an Endpoint
Nothing difficult here, once again, you’ll have to pipe your VM object to the remove cmdlet and update your VM.
Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | Remove-AzureEndpoint -Name 'web' | Update-AzureVM
OperationDescription OperationId                          OperationStatus
-------------------- -----------                          ---------------
Update-AzureVM       49e16e42-3ffa-73bc-b950-899e4ba0284b Succeeded
Your web Endpoint is now removed 🙁
LBSetName LocalPort Name       Port  Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----       ----  -------- ---             --------- --------- ------------- ----------------------
          3389      RDP        443   tcp      137.117.209.155           0
          5986      WinRmHTTPs 65003 tcp      137.117.209.155           0
Ok, you should now know how to manage your endpoints!
Regards,
Nice Post Fabien 🙂
I wish I could find some time to play with Azure, looks neat
Well, thanks 🙂
For me the Azure module is not fully stable and/or mature.. many cmdlets are missing. You can't, for example, by default, create a network with only PowerShell. But Microsoft releases new versions very often, so I hope one day all my dreams will be fulfilled 🙂
FX, you’ll have plenty of time to play with Azure now 😉
Great post, helped me fix some ILB issues