Microsoft released many enhancements to Windows Azure Platform at TechEd last week. You can find a good summary of these enhancements below:
They also released a new feature that will allow you to set Access control lists on public end points for compute resources running in Windows Azure. You cannot configure Access Control Lists(ACL’s) via Portal at this time. Portal updates are coming soon. If you want to configure ACL’s the only option available right now is to use PowerShell.
First you need to download the latest Windows Azure PowerShell cmdlets
Best resource to learn about Access Control Lists is the following session at TechEd.
Other resource for updates to PowerShell cmdlets is the following post from Michael Washam.
Here are the ACL related cmdlets:
1. New-AzureAclConfig : It creates a empty new ACL configuration object
2. Get-AzureAclConfig: Gets ACL configuration object from a VM
3. Remove-AzureAclConfig: Removes ACL configuration from a VM
4. Set-AzureAclConfig: Sets the ACL Configuration object on an existing Azure VM Configuration
5. Set-AzureEndpoint: Updates an existing endpoint assigned to an existing Azure virtual machine.
6. Set-AzureLoadBalancedEndpoint: Updates all of the endpoints in a given load balancer set within a Windows Azure Service
If you need more information about this cmdlets you can use get-help cmdletname -full for examples and description of the cmdlet.
Most organizations use DMZ in their on premise environments. As they start leveraging public cloud like Windows Azure they have a need to establish DMZ like environment in public cloud as well.
I investigated using ACL’s to create a DMZ like environment in Azure Virtual Network. To keep this simple I assumed that cross premise connectivity is not established. So the VM’s in the virtual network has their own Active Directory Domain Controller and DNS.
Here are the steps at a high level:
1. I created Azure Virtual network called funwithvnetacl. It has 3 subnets: FrontEndSubnet has web servers(web1, web2), Backend Subnet has application servers(appsvr1, appsvr2) and DomainSubnet(DC01) has the domain controller.
<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"> <VirtualNetworkConfiguration> <Dns> <DnsServers> <DnsServer name="DC01" IPAddress="192.168.3.4" /> </DnsServers> </Dns> <VirtualNetworkSites> <VirtualNetworkSite name="funwithvnetacl" AffinityGroup="funwithnetacl"> <AddressSpace> <AddressPrefix>192.168.0.0/16 </AddressSpace> <Subnets> <Subnet name="FrontEndSubnet"> <AddressPrefix>192.168.1.0/24 </Subnet> <Subnet name="BackEndSubnet"> <AddressPrefix>192.168.2.0/24 </Subnet> <Subnet name="DomainSubnet"> <AddressPrefix>192.168.3.0/28 </Subnet> </Subnets> <DnsServersRef> <DnsServerRef name="DC01" /> </DnsServersRef> </VirtualNetworkSite> </VirtualNetworkSites> </VirtualNetworkConfiguration> </NetworkConfiguration>
2. I created on load balanced end point for the two web servers. It uses Port 80 or external and private port. This is where one can host a public web site. End Point for RemoteDesktop is also configured on both web1 web2 servers.
3. Appsvr1 and Appsvr2 also have RemoteDesktop port open.
Since FrontEndSubnet and BackEndSubnet are in the same virtual network the web servers can access application servers over private endpoint.
We only want to allow RemoteDesktop from your corporate network. This means that we will need to use Access Control Lists to secure every public Remote Desktop endpoint on servers web1, web2, appsrv1 and appsvr2.
It was easy to apply ACL’s on the endpoints. The script I used is shown below.
You can only apply ACL on public endpoints.
RemoteSubnet argument in Set-AzureAclConfig only accepts public IP addresses. If you provide private IP addresses the cmdlet will run without error but will not apply the rule.
Azure Virtual network does not currently offer load balancing over internal endpoints. The only way to get load balancing to work is to create a public endpoint. In my example I chose not to load balance the app servers and just connected the web1 to appsvr2 and web2 to appsvr2.
#Create DMZ #Create a new ACL config $acl1 = New-AzureAclConfig #Add a rule that allows my Home PC to RDP into web1, web2, appsvr1, appsvr2 #Keep in mind we RemoteSubnet only accepts public IP addresses Set-AzureAclConfig -AddRule -ACL $acl1 -Action Permit -RemoteSubnet XX.XX.XXX.XXX/YY -Order 100 -Description "Allow my home Servers in Frontend subnet to access rdp endpoint on web1,web2, appsvr1, appsvr2" Get-AzureVM -ServiceName "web-acldemo" -Name "web1" | Set-AzureEndpoint -ACL $acl1 -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 56180 | Update-AzureVM Get-AzureVM -ServiceName "web-acldemo" -Name "web2" | Set-AzureEndpoint -ACL $acl1 -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 61176 | Update-AzureVM Get-AzureVM -ServiceName "appsvr1-acldemo" -Name "appsvr1" | Set-AzureEndpoint -ACL $acl1 -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 56180 | Update-AzureVM Get-AzureVM -ServiceName "appsvr1-acldemo" -Name "appsvr2" | Set-AzureEndpoint -ACL $acl1 -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 61176 | Update-AzureVM Get-AzureVM -ServiceName "web-acldemo" -Name "web1" | Get-AzureEndpoint Get-AzureVM -ServiceName "web-acldemo" -Name "web2" | Get-AzureEndpoint Get-AzureVM -ServiceName "appsvr1-acldemo" -Name "appsvr1" | Get-AzureEndpoint Get-AzureVM -ServiceName "appsvr1-acldemo" -Name "appsvr2" | Get-AzureEndpoint
Access Control Lists are a big improvement as they allow you to control access to your public endpoint at the infrastructure layer. You can also use Windows Firewall on the servers to control access but I prefer infrastructure layer access control.
If you are interested in implementing internal load balancing solution in Windows Azure Virtual network you should look at http://techlib.barracuda.com/display/BWAFv76/Deploying+the+Barracuda+Web+Application+Firewall+Vx+-+Windows+Azure
ACL’s currently work on Virtual Machines only. They work in Virtual Machines in Azure Virtual Network and on Virtual Machines that are not in Virtual Network. ACL’s don’t work on Cloud Services(Web Roles/Worker Roles) yet.
Updated on 11/7/2013
Windows Azure Management Portal was recently updated to allow you to create ACL’s using the portal. For those of you who prefer using Portal over writing PowerShell scripts this is a welcome improvement.
Select the virtual machine that has public endpoint where you need to apply an ACL.
Select the tab for end points.
You will see a new button at the bottom called “MANAGE ACL”
Press the button and you will see a popup that will allow you to create the ACL.
You will need to enter a description for the rule. Action that is Permit or Deny and finally a place to enter IP address range in CIDR notation. In my example below I wanted to only allow my Home PC to access the virtual machine so I used “External IP Address of my Home”/32
You can find your external IP address using http://www.whatismyip.com