
I don't manage to get a working outgoing connection from my load-balanced VMs created in Azure Stack. I have scenario 2 of the documentation: "Public Load Balancer associated with a VM (no Instance Level Public IP address on the instance)". Only port 80 is working as an outgoing connection out of the box. I am behind an additional firewall and I ask myself whether I have to open any other specific ports to allow communication to the internet. Three questions:

  • Is the problem that the port I try to access from inside the VMs is translated to a different SNAT port by the load balancer?

  • The documentation says something about the number of SNAT ports used, but it does not say which SNAT ports are used. Which ports do I have to open in the outer firewall?

  • Why is port 80 working out of the box? By default I can access the web from within the VMs, which means that it is possible to reach the public internet. I did not add any additional rule for port 80 myself.

I found the following in the incoming connection section of the Azure security group (a hint in the firewall settings): ephemeral ports between 49152 and 65534 are explicitly mentioned. Unfortunately, opening these ports in the outgoing connections of our outer firewall didn't do the trick either. All VM-internal firewalls are open on all ports.

I created the cluster using the following template. The SKU should be the default one "standard", since I did not specify anything else for the LoadBalancer.

  {
    "apiVersion": "[variables('lbApiVersion')]",
    "type": "Microsoft.Network/loadBalancers",
    "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
    "location": "[variables('location')]",
    "dependsOn": [
      "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
    ],
    "properties": {
      "frontendIPConfigurations": [
        {
          "name": "LoadBalancerIPConfig",
          "properties": {
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
            }
          }
        }
      ],
      "backendAddressPools": [
        {
          "name": "LoadBalancerBEAddressPool",
          "properties": {}
        }
      ],
      "loadBalancingRules": [
        {
          "name": "LBRule",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[variables('lbProbeID0')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "LBHttpRule",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[variables('lbHttpProbeID0')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortLBRule1",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[parameters('loadBalancedAppPort1')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[parameters('loadBalancedAppPort1')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
            },
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortLBRule2",
          "properties": {
            "backendAddressPool": {
              "id": "[variables('lbPoolID0')]"
            },
            "backendPort": "[parameters('loadBalancedAppPort2')]",
            "enableFloatingIP": "false",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPort": "[parameters('loadBalancedAppPort2')]",
            "idleTimeoutInMinutes": "5",
            "probe": {
              "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
            },
            "protocol": "tcp"
          }
        }
      ],
      "probes": [
        {
          "name": "FabricGatewayProbe",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[variables('nt0fabricTcpGatewayPort')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "FabricHttpGatewayProbe",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[variables('nt0fabricHttpGatewayPort')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortProbe1",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[parameters('loadBalancedAppPort1')]",
            "protocol": "tcp"
          }
        },
        {
          "name": "AppPortProbe2",
          "properties": {
            "intervalInSeconds": 5,
            "numberOfProbes": 2,
            "port": "[parameters('loadBalancedAppPort2')]",
            "protocol": "tcp"
          }
        }
      ],
      "inboundNatPools": [
        {
          "name": "LoadBalancerBEAddressNatPool",
          "properties": {
            "backendPort": "3389",
            "frontendIPConfiguration": {
              "id": "[variables('lbIPConfig0')]"
            },
            "frontendPortRangeEnd": "4500",
            "frontendPortRangeStart": "3389",
            "protocol": "tcp"
          }
        }
      ]
    },
    "tags": {
      "resourceType": "Service Fabric",
      "clusterName": "[parameters('clusterName')]"
    }
  },

To make it short: how do I realize outgoing connections from Azure VMs?

BaluJr.

1 Answer

For your issue, I will tell you all I know. Hope it will help you.

Is it the problem, that the port I try to access from inside the VMs is translated to a different SNAT port by the load-balancer?

No. Using SNAT rules, you can translate an access flow from the Internet to a different port or not, as you want. Azure Load Balancer SNAT rules mean you can connect from the Internet to port A inside the VM via port B. Port A and port B can be the same or not.

The documentation says something about the amount of used SNAT ports, but it does not say which SNAT ports are used? Which ports do I have to open in the outer firewall?

As I tested, you can even use port 1 in Load Balancer NAT rules. So I assume that the document means how many ports can be used per IP configuration. I suggest you read the document again carefully.

Why is port 80 working out of the box? I can per default access the web from within the VMs. This means, that it is possible to reach the public internet. I did not include any additional rule for port 80 myself.

For this issue, you should make sure of some things. First, whether you have a public IP associated with your VM apart from the Load Balancer. Second, you should take a look in the Azure portal to see if there are any other NAT rules. Or you can use the CLI command az network lb inbound-nat-rule list.

Charles Xu
  • Hmh.. I think this is a misunderstanding. I am not talking about the NAT rules which I can configure in the load balancer to direct _incoming_ requests to a target machine. I am talking about **S**NAT, which is performed under the hood for _outgoing_ requests, in case multiple private IP addresses are hidden behind one public IP. From the documentation, I would say you cannot configure or even see it. It uses temporary short-lived ports which are dynamically created by Azure. – BaluJr. Jul 23 '18 at 12:42
  • The linked documentation calls the temporary ports _ephemeral ports_: **Ephemeral ports preallocation for port masquerading SNAT (PAT)** Azure uses an algorithm to determine the number of preallocated SNAT ports available based on the size of the backend pool when using port masquerading SNAT (PAT). SNAT ports are ephemeral ports available for a particular public IP source address. – BaluJr. Jul 23 '18 at 13:30
  • I added a fourth question. In the security group settings I find something about ephemeral ports. This could be the solution... – BaluJr. Jul 23 '18 at 14:23
  • For your fourth question, the network security group rules are not the solution; they just allow the traffic going out from the VM, it's a security strategy. – Charles Xu Jul 24 '18 at 01:54
  • Yes, exactly. I think it is a hint where to find the ephemeral ports. I will have to open the same ports in my outer firewall. – BaluJr. Jul 24 '18 at 05:39
  • @BaluJr. For your question, you cannot define the SNAT port yourself; there is a policy that defines the SNAT port in Azure itself, and also according to the management of SNAT (PAT) port exhaustion. – Charles Xu Jul 25 '18 at 01:29