3

I'm running Tomcat on a CentOS VM in Azure. No firewall on host. wget localhost:8080 returns a page as does the same request on private IP address. I can SSH into the server using the public IP address, but wget public_IP_address:8080 does not route to the host.

I have enabled inbound security rule for port 8080, which looks to be identical to the one that allows SSH over port 22.

[Screenshot: Inbound security rules]

I've been researching this for hours. It seems all the articles about running Tomcat on a Linux host in Azure are written with Classic Virtual Machine administration UI. They talk about specifying an endpoint, which isn't available in the modern Azure UI. I likewise see info about establishing an "ILPIP," but that seems to require PowerShell, which isn't on my CentOS host.

I likewise can't find anything about modifying the supposed "VIP" that's illustrated in the above article.

What am I missing for enabling TCP access to my Tomcat server listening on port 8080 on my CentOS virtual machine in Azure?

Update:

Per the suggestion of @MichaelB, I installed Azure command line tools on Mac OS X.

$ azure vm show minimalfalcon
info:    Executing command vm show
+ Getting virtual machines                                                     
warn:    No VMs found
info:    vm show command OK

In the current Portal UI, clicking 'Virtual Machines (Classic)' shows no instances. When I click 'Virtual Machines,' that's how I access all the settings for my VM. I suspect the Azure CLI tool is connecting to the classic API instead of whatever the current portal uses. And the portal isn't offering classic access to my VM.

I additionally followed @MichaelB's suggestion of disabling the inbound rule for SSH in the security group. Sure enough, SSH access persisted to this VM! So, when I navigate:

Virtual machines >> minimalfalcon >> Settings >> Network interfaces >> minimalfalcon447 >> Network Security Group (minimalfalcon) >> Settings >> Inbound security rules

Those don't really control access to my Virtual Machine. See below screenshot. What hoop needs to be jumped through to apply this network security group policy to my VM? I really can't see how this isn't supposed to be applied. Any guidance appreciated!

[Screenshot: Network Security Group]

  • Are you sure that that Security Group is applied to that machine? i.e. if you block port 22 does your SSH access stop? (and you can use the Azure Xplat tools, which have mostly the same functionality) – Michael B Jan 19 '16 at 22:52

3 Answers

0

Unless you need to create a port translation, you should be able to expose that port using the Portal only. Check this

If you created a VM using the new Resource Manager (either via portal or via ARM script), the concept of Endpoint no longer exists. Instead, you have an IP address, associated with a NIC. And that NIC is inside a Network Security Group (NSG). In the NSG, you define inbound and outbound port rules. A few more clicks away, but...

First look at your VM's settings and navigate to the network interface:

[Screenshot: NIC]

Then navigate to the network security group:

[Screenshot: Network Security Group]

Finally, edit the inbound rules:

[Screenshot: inbound rules]

Community
Canoas
  • Link provided refers to Classic Virtual Machine administration, not current portal. There are no options for 'Endpoints' in modern Azure portal. – mrTexasFreedom Jan 20 '16 at 01:03
  • Link provided includes both examples, first paragraph is for classic yes, but the rest of the response is for arm. – Canoas Jan 20 '16 at 08:16
0

It worked for me with this inbound rule. Make sure to use the public IP address listed in the VM blade's "Essentials" section.

When creating the inbound security rule, make sure to:

Note: Azure has two different deployment models: Resource Manager and classic. ILPIP is relevant only for classic deployment model.

Note: When a VM is created from the portal (in ARM model), it gets automatically associated to a virtual network (vnet), a specific subnet within the vnet and a network security group.

0

2 thoughts:

1) By default on ARM all ports are open (unless you have a firewall or the like). This is why your ssh went through even without the inbound rule. If you want to block access to a port, you must do this explicitly. Thus, if this is for testing purposes, you can remove the NSG completely; this could help determine if the problem is the NSG or something else.

2) You say you can wget localhost:8080 from the VM and it works, right? This makes me think that perhaps your Tomcat is listening on 127.0.0.1 instead of your public IP (or 0.0.0.0 for simplicity).

Hope this helps! :)

Neil Sant Gat
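
The bind-address check raised in point 2 of the answer above, as an added example that is not part of the original answer: a shell function that reads `ss -ltn` output and reports whether a port is bound to loopback only, to one specific address, or to all interfaces. The helper name `listener_scope`, the address 10.0.0.4 and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is bound, reading `ss -ltn` output on stdin.
# Prints one of: none | loopback-only | specific:<addr>[,<addr>] | all-interfaces
# listener_scope is a hypothetical helper name, not part of any tool.
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                       # Local Address:Port column
            n = split(la, parts, ":")
            if (parts[n] != port) next    # port is the text after the last ":"
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)     # newer ss prints [::]:8080
            if (addr == "*" || addr == "0.0.0.0" || addr == "::")
                wild = 1                  # "::" usually also accepts IPv4 (dual-stack)
            else if (addr ~ /^(::ffff:)?127\./ || addr == "::1")
                loop = 1
            else
                specific = specific (specific ? "," : "") addr
        }
        END {
            if (wild)          print "all-interfaces"
            else if (specific) print "specific:" specific
            else if (loop)     print "loopback-only"
            else               print "none"
        }'
}

# Constructed sample outputs (not captured from the VM in the question).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      100    127.0.0.1:8080     *:*'
SAMPLE_DUALSTACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      100    :::8080            :::*'
SAMPLE_PRIVATE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    10.0.0.4:8080      *:*'

# Demo: prints loopback-only, all-interfaces, specific:10.0.0.4
for s in "$SAMPLE_LOOPBACK" "$SAMPLE_DUALSTACK" "$SAMPLE_PRIVATE"; do
    printf '%s\n' "$s" | listener_scope 8080
done
```

On the VM itself the function would be fed live data with `ss -ltn | listener_scope 8080`. A result of `loopback-only` means no NSG rule can make the port reachable until the listener is rebound, while `all-interfaces` or the NIC's private address points back at the NSG association and rules.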