IIS/HTTP Endpoint on Azure VM (non-classic)

Question

With the classic Azure VMs, one set up IIS on an Azure VM and then went to the (old) portal and set up an HTTP endpoint for it. On the new VMs, this is apparently done through the Network Security Group in the (new) portal as described here:

How I add new endpoints to my VM on new azure portal (preview)?

However, I can't seem to find how to actually set up an HTTP endpoint... the only available protocols seem to be TCP or UDP.

What settings do I need here to allow http connections to IIS on the VM? I tried source: any; protocol: any; source port range: *; destination: any; destination port range: 80; action: allow, but am still not able to make an external connection to the server's IP on 80 (RPD works fine and internal tests via localhost work fine).

This VM has a public IP and has a disable firewall during this testing/setup phase.

Note: this is a barebones VM provision with a default IIS role set up and the VM using the default network security group: it's not part of a larger IaaS setup.

score 15 · Accepted Answer · answered Dec 13 '15 at 15:02

15

Found it. Should be using TCP as the protocol rather than Any:

answered Dec 13 '15 at 15:02

jleach

7,410
3
33
60

4

Thanks... but WHY? Doesn't "Any" include "TCP"?? – Gerwald Jul 15 '16 at 08:53

score 1 · Answer 2 · edited Dec 30 '15 at 20:30

1

Note that when you create a VM through the portal, it gets associated with a network security group (NSG). A rule to allow RDP or SSH (depending on the operating system) is created in the NSG. To allow any other traffic, you need to explicitly create a NSG rule.

If a NSG is not associated with the VM or its subnet, all ports are open. So you don't actually need to explicitly allow traffic. If you do put an allow, however, you do need to make sure it's TCP and not any :)

edited Dec 30 '15 at 20:30

Siva Edupuganti

133
3

answered Dec 16 '15 at 22:27

Neil Sant Gat

857
6
10

Just curious, if all ports are open by default, why did I have to add the inbound rule to allow 80 before I could access it, and why is there a specific RPD inbound rule by default? – jleach Dec 17 '15 at 03:17
This is purely speculation, but it's probably just something there by default as an example. If you look through https://github.com/azure/azure-quickstart-templates (the ARM template quickstart repo), you'll notice that most of the deployments don't use NSG's at all. For instance, this IIS deployment (https://github.com/Azure/azure-quickstart-templates/tree/master/dsc-extension-iis-server-windows-vm) doesn't open any endpoints (which don't exist in ARM) or configure any NSG's (which do). – Neil Sant Gat Dec 28 '15 at 17:13

IIS/HTTP Endpoint on Azure VM (non-classic)

2 Answers2

Linked