Windows Azure – Manage VMs Endpoints

In past posts, I was blogging about how to

Now let’s see how to manage the endpoints configured on your VM. This will be covered in 4 points:

  • Change an existing Endpoint
  • Assign ACL to an existing Endpoint
  • Create a new Endpoint
  • Remove an Endpoint

Change an existing Endpoint configuration

First of all, let’s find out which endpoints are currently configured on our VM.

Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") |
 ft -AutoSize
LBSetName LocalPort Name        Port Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----        ---- -------- ---             --------- --------- ------------- ----------------------
               3389 RDP        52045 tcp      137.117.209.155                   0
               5986 WinRmHTTPs 65003 tcp      137.117.209.155                   0

Here are the two endpoints created by default by Microsoft on our VM. Let’s bypass our work firewall 🙂

Here is how to do this: I’ll set the public listening port to 443, forwarded to the classic RDP port 3389… Beware, this command can’t be used if your endpoint is load balanced..

Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | 
Set-AzureEndpoint -Name "RDP" -PublicPort 443 -LocalPort 3389 -Protocol "tcp" | 
Update-AzureVM
OperationDescription                    OperationId                             OperationStatus
--------------------                    -----------                             ---------------
Update-AzureVM                          e5cd98c2-2645-7cd2-bad3-ea0066711bee    Succeeded

Let’s check if everything is ok.

Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") | 
ft -AutoSize
LBSetName LocalPort Name        Port Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----        ---- -------- ---             --------- --------- ------------- ----------------------
               3389 RDP          443 tcp      137.117.209.155                   0
               5986 WinRmHTTPs 65003 tcp      137.117.209.155                   0

As you can see, our RDP endpoint now listens on 443 and we can easily connect to it from locked-down environments! But we have also opened our server on port 443 to every scanner and botnet in the world. Microsoft thought about that: you can assign an ACL to an endpoint 🙂

Assign ACL to an existing Endpoint

As I said previously, let’s filter and protect our endpoint.

First, create an ACL object.

$Rights = New-AzureAclConfig

And add rules to it… If you add multiple rules, don’t forget that each rule’s order must be unique, and that the order matters (like the ACLs in your firewall).

# First let's allow our work network
Set-AzureAclConfig -AddRule -ACL $Rights -Order 0 -Action Permit -RemoteSubnet "192.168.10.0/24" -Description "Allow Work Network"

# Then Deny all other stuff
Set-AzureAclConfig -AddRule -ACL $Rights -Order 1 -Action Deny -RemoteSubnet "0.0.0.0/0" -Description "Deny All kind of stuff"

Then we’ll just have to apply the ACL and update the VM.

Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | 
Set-AzureEndpoint -ACL $Rights -Name "RDP" | 
Update-AzureVM

And now you can access your endpoint only from a machine on the 192.168.10.0/24 network 🙂
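As an added example (not code from the original post), here is the same ACL workflow with the Permit rules built from a list, applied to the RDP endpoint and then read back from Azure so you verify what is actually enforced rather than what you think you sent. The service and VM names are the ones used in this post; the second subnet (a documentation range) and the assumption that Get-AzureAclConfig enumerates the ACL’s rule entries are mine.

```powershell
# Added example (not from the original post): build an endpoint ACL from a list,
# apply it to the RDP endpoint and read it back for verification.
$ServiceName = "pwrshellxlab"   # from this post
$VMName      = "pwrshell-ok"    # from this post
$Endpoint    = "RDP"

# Constructed allow-list: the work network from the post plus one admin host
# (203.0.113.7 is a TEST-NET-3 documentation address, used here as a placeholder)
$AllowedSubnets = @(
    @{ Subnet = "192.168.10.0/24"; Description = "Allow Work Network" },
    @{ Subnet = "203.0.113.7/32";  Description = "Allow admin jump host" }
)

# Order values must be unique and are evaluated lowest first,
# so all Permit rules go before the catch-all Deny.
$Rights = New-AzureAclConfig
$order  = 0
foreach ($entry in $AllowedSubnets) {
    Set-AzureAclConfig -AddRule -ACL $Rights -Order $order -Action Permit `
        -RemoteSubnet $entry.Subnet -Description $entry.Description
    $order++
}
Set-AzureAclConfig -AddRule -ACL $Rights -Order $order -Action Deny `
    -RemoteSubnet "0.0.0.0/0" -Description "Deny everything else"

# Apply the ACL to the endpoint and push the change to the VM
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Set-AzureEndpoint -Name $Endpoint -ACL $Rights |
    Update-AzureVM

# Read the ACL back from the platform (assumption: the output enumerates as rule entries)
$vm      = Get-AzureVM -ServiceName $ServiceName -Name $VMName
$applied = @(Get-AzureAclConfig -EndpointName $Endpoint -VM $vm) | Sort-Object Order
$applied | Format-Table Order, Action, RemoteSubnet, Description -AutoSize

# Sanity checks: every rule we built is present, and the last one is the catch-all Deny
$expected = $AllowedSubnets.Count + 1
if ($applied.Count -ne $expected) {
    Write-Warning "Endpoint '$Endpoint' has $($applied.Count) ACL rules, expected $expected"
}
$last = $applied | Select-Object -Last 1
if ($last.Action -ne "Deny" -or $last.RemoteSubnet -ne "0.0.0.0/0") {
    Write-Warning "Endpoint '$Endpoint' does not end with an explicit Deny 0.0.0.0/0 rule"
}
```

Reading the ACL back matters because Set-AzureEndpoint replaces the whole ACL of the endpoint: if you run the block a second time with a shorter list, the rules that were dropped from the list are gone. For classic endpoint ACLs, as soon as at least one Permit rule exists every other source range is denied by default, so the explicit Deny 0.0.0.0/0 rule is belt and braces; it does make the intent obvious to whoever reads the ACL next.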

Create a new Endpoint

OK, if you install an IIS or Apache web server on your VM and want to make it reachable, you’ll have to create the endpoint manually. Nothing difficult here..

Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | 
Add-AzureEndpoint -Name 'web' -LocalPort 80 `
-PublicPort 80 -Protocol tcp |
Update-AzureVM
OperationDescription                    OperationId                             OperationStatus
--------------------                    -----------                             ---------------
Update-AzureVM                          ca096f57-f22f-71de-b838-f34ed770588d    Succeeded

Let’s check the result..

Get-AzureEndpoint -VM (Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok") | ft -AutoSize
LBSetName LocalPort Name        Port Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----        ---- -------- ---             --------- --------- ------------- ----------------------
               3389 RDP          443 tcp      137.117.209.155                   0
                 80 web           80 tcp      137.117.209.155                   0
               5986 WinRmHTTPs 65003 tcp      137.117.209.155                   0

Here we go, everything is set as we want, and our web server is visible to everyone on the internet.
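The web endpoint above is open to the whole internet by design, but it is easy to lose track of which endpoints in a subscription are in that state. The following audit script is an added example, not part of the original post: it walks every classic VM in the currently selected subscription, reads each endpoint’s ACL with Get-AzureAclConfig and reports which source ranges can reach it. It assumes Add-AzureAccount and Select-AzureSubscription have already been run, that Get-AzureAclConfig enumerates rule entries, and it applies the classic ACL defaults (Permit rules imply “deny everything else”, Deny-only rules imply “permit everything else”).

```powershell
# Added example (not from the original post): report the source ranges that can
# reach every endpoint of every classic VM in the selected subscription.
# Assumes Add-AzureAccount / Select-AzureSubscription were already run.

function Get-EndpointExposure {
    param([Parameter(Mandatory)] $VM)   # object returned by Get-AzureVM -ServiceName/-Name

    foreach ($ep in Get-AzureEndpoint -VM $VM) {
        # Assumption: Get-AzureAclConfig enumerates the ACL's rule entries
        # (Order, Action, RemoteSubnet, Description); an endpoint without an ACL returns nothing.
        $rules   = @(Get-AzureAclConfig -EndpointName $ep.Name -VM $VM)
        $permits = @($rules | Where-Object { $_.Action -eq 'Permit' })
        $denies  = @($rules | Where-Object { $_.Action -eq 'Deny' })

        # Classic endpoint ACL semantics: with at least one Permit rule everything
        # else is denied; with only Deny rules everything else is permitted.
        if ($rules.Count -eq 0) {
            $reach = '0.0.0.0/0 (no ACL)'
        } elseif ($permits.Count -gt 0) {
            $reach = ($permits | Sort-Object Order | ForEach-Object { $_.RemoteSubnet }) -join ', '
        } else {
            $reach = 'everything except ' + (($denies | ForEach-Object { $_.RemoteSubnet }) -join ', ')
        }

        # "Wide open" = no Permit rule at all, or a Permit rule for the whole internet
        $wideOpen = ($permits.Count -eq 0) -or
                    [bool]($permits | Where-Object { $_.RemoteSubnet -eq '0.0.0.0/0' })

        [PSCustomObject]@{
            Service       = $VM.ServiceName
            VM            = $VM.Name
            Endpoint      = $ep.Name
            Protocol      = $ep.Protocol
            PublicPort    = $ep.Port
            LocalPort     = $ep.LocalPort
            AclRules      = $rules.Count
            ReachableFrom = $reach
            WideOpen      = $wideOpen
        }
    }
}

# Re-fetch each VM by name so Get-AzureEndpoint receives a full VM object
$report = foreach ($entry in Get-AzureVM) {
    Get-EndpointExposure -VM (Get-AzureVM -ServiceName $entry.ServiceName -Name $entry.Name)
}

$report | Sort-Object Service, VM, PublicPort |
    Format-Table Service, VM, Endpoint, Protocol, PublicPort, LocalPort, AclRules, ReachableFrom -AutoSize

# Endpoints any host on the internet can reach: candidates for an ACL like the one set on RDP above
$report | Where-Object WideOpen | Format-Table Service, VM, Endpoint, Protocol, PublicPort -AutoSize
```

Run it before and after an endpoint change: the first table is the inventory, the second is the list of endpoints that still rely on nothing but the service inside the VM to keep strangers out. A web endpoint on port 80 may legitimately belong there; an RDP or WinRM endpoint should not.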

Remove an Endpoint

Nothing difficult here, once again: you’ll have to pipe your VM object to the remove cmdlet and update your VM.

Get-AzureVM -ServiceName "pwrshellxlab" -Name "pwrshell-ok" | 
Remove-AzureEndpoint -Name 'web' | 
Update-AzureVM
OperationDescription                    OperationId                             OperationStatus
--------------------                    -----------                             ---------------
Update-AzureVM                          49e16e42-3ffa-73bc-b950-899e4ba0284b    Succeeded

Your web endpoint is now removed 🙁 Check it again with Get-AzureEndpoint:

LBSetName LocalPort Name        Port Protocol Vip             ProbePath ProbePort ProbeProtocol ProbeIntervalInSeconds
--------- --------- ----        ---- -------- ---             --------- --------- ------------- ----------------------
               3389 RDP          443 tcp      137.117.209.155                   0
               5986 WinRmHTTPs 65003 tcp      137.117.209.155                   0

OK, you should now know how to manage your endpoints!

Regards,