1

What can I do to fix this Advisory message?

The VM this relates to is a webserver, which sits behind an Azure LoadBalancer. The NSG rule that is causing this (only 1 'not default rule' ) is:

Type: Allow
Source: Service Tag - Internet, source port range = *
Destination: ASG for this VM, destination port 80,443, protocol tcp

If I remove this rule, the message disappears (after some hours), but then internet web traffic cannot reach the VM anymore.

Should I ignore the Azure Advisory message? Or am I overlooking something? I was looking forward to getting this nice and tidy, AND have a 'satisfied' advisory state.

Paul0515
  • 23,515
  • 9
  • 32
  • 47

2 Answers

0

I see that your VM is behind an Azure LoadBalancer. So, the network flow might be similar to this: (image of the network flow, not reproduced here)

Then, your web server should not be public to the internet. It should only be accessible from the loadbalancer. You can set the source service tag to AzureLoadBalancer. For more information about service tags, you may check the official documentation: Service tags

Update:

By further researching, the AzureLoadBalancer service tag in NSG rule is used to allow Azure health probes. Actually, there is a default rule for allowing load balancer to probe to endpoints.


So, the suggestions are:

  1. You should not assign public IPs to each instance. In this way, your backends can only be accessed by private IPs. In other words, clients can only access your web via the load balancer.

  2. Add NSG inbound rules with ports 80 and 443 for the web service, and port 22 or 3389 for remote management.

In this case, your servers should be secure now. If there are still any warnings, I think you may ignore them. The Azure system may just see that you opened 80 and 443 ports to public. However, your instances do not have public IP.

Hope the above would be helpful to you.

Jack Jia
  • 5,268
  • 1
  • 12
  • 14
  • Thank you for this. This indeed is exactly my situation. I never realised I could choose the Loadbalancer as a source. My impression was that that could be used for the LB probe only. Anyways .. I made the modification. This is already much better!! However ... I'm sorry to say, but I still get the same Advisory message .... any thoughts on that? Or should I wait a bit longer for Azure to detect the new config? – Paul0515 Jan 13 '20 at 14:12
  • Strange effect ... when I make this config, it runs fine. The webserver can be reached. Then after an hour, traffic to the webserver is blocked... – Paul0515 Jan 13 '20 at 16:11
  • Not sure about it. You may just remove the NSG rule to see if your web is accessible. If no, then I am afraid that there might be some problems with your web. – Jack Jia Jan 13 '20 at 16:18
  • Thanks for your input .. I'll re-try again from scratch (again)... – Paul0515 Jan 13 '20 at 21:49
  • 1/2 Ok, it seems that many of my tests were not effective in terms of correctly finding out what works and what not. Azure settings were incredibly slow to become effective. Once I found that out, it became easier to isolate and learn. The screen "Effective Security Rules" in the nsg screen proved to be the game changer. After changing a security rule, simply wait for the changes to be effective and then evaluate the result. – Paul0515 Jan 14 '20 at 02:15
  • 2/2 Anyways .. I don't like to inform you ... but the source service tag 'AzureLoadBalancer' does not work for incoming web traffic. Traffic is simply blocked. Service tag Internet does work as expected. Thanks for your help ... but it did not work. A remaining question with this configuration is ... is this considered a safe setup? – Paul0515 Jan 14 '20 at 02:19
  • Checked the documentation again. I am sorry that I made some mistakes. Check my update. – Jack Jia Jan 14 '20 at 07:26
0

You can run your webserver on the VMs on different ports than 80 and 443. The load balancer can translate between port 80/443 on your public IP and whatever port you choose inside the VMs. Since Load Balancers are a fairly simple service, this is probably your only option.

As an alternative, you could try Application Gateway instead of your load balancer. It should act as the reverse proxy you need. Be aware that it is a bit more costly than the load balancer, but it also has a lot more features.

Alex AIT
  • 17,361
  • 3
  • 36
  • 73
  • The first option is currently setup. The traffic flows, but the advisory message is still active.... – Paul0515 Jan 14 '20 at 12:24
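The setup the two answers converge on (backends with no public IP, an NSG rule on the ASG rather than on the whole subnet, and the load balancer translating public 80/443 to a different backend port) can be written down as a Terraform configuration. The block below is an added example and not code from either answerer or from the question; names such as `rg-web`, `asg-web`, the `8080`/`8443` backend ports and the `/healthz` probe path are assumptions chosen for illustration. It is a config fragment: the VM/NIC resources that join the backend pool and the ASG are not shown.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed resource group name; everything below lives in it.
resource "azurerm_resource_group" "rg" {
  name     = "rg-web"
  location = "westeurope"
}

# The web VMs' NICs are attached to this ASG (NIC resources omitted).
# The VMs get NO public IP, so the only inbound path is the load balancer.
resource "azurerm_application_security_group" "web" {
  name                = "asg-web"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_network_security_group" "web" {
  name                = "nsg-web"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# A basic Azure Load Balancer is a pass-through device: it preserves the
# client's source IP, so the NSG rule must still allow source "Internet".
# The AzureLoadBalancer tag only matches the health probe traffic, which is
# already permitted by the default AllowAzureLoadBalancerInBound rule.
# Because the LB rewrites the destination port (below), this rule allows
# only the assumed backend ports 8080/8443, not 80/443, and only to the ASG.
resource "azurerm_network_security_rule" "allow_web_inbound" {
  name                                       = "Allow-Web-Inbound"
  priority                                   = 100
  direction                                  = "Inbound"
  access                                     = "Allow"
  protocol                                   = "Tcp"
  source_port_range                          = "*"
  source_address_prefix                      = "Internet"
  destination_port_ranges                    = ["8080", "8443"]
  destination_application_security_group_ids = [azurerm_application_security_group.web.id]
  resource_group_name                        = azurerm_resource_group.rg.name
  network_security_group_name                = azurerm_network_security_group.web.name
}

# Single public IP in front of the fleet (Standard SKU, required by a
# Standard load balancer).
resource "azurerm_public_ip" "lb" {
  name                = "pip-lb-web"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "web" {
  name                = "lb-web"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = azurerm_public_ip.lb.id
  }
}

resource "azurerm_lb_backend_address_pool" "web" {
  loadbalancer_id = azurerm_lb.web.id
  name            = "pool-web"
}

# Probe against the assumed backend port and path; without a healthy probe
# the LB sends no traffic, which looks like "the webserver is blocked".
resource "azurerm_lb_probe" "http" {
  loadbalancer_id = azurerm_lb.web.id
  name            = "probe-http"
  protocol        = "Http"
  port            = 8080
  request_path    = "/healthz"
}

# Port translation from the second answer: public 80 -> backend 8080.
resource "azurerm_lb_rule" "http" {
  loadbalancer_id                = azurerm_lb.web.id
  name                           = "http-80-to-8080"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 8080
  frontend_ip_configuration_name = "public"
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.web.id]
  probe_id                       = azurerm_lb_probe.http.id
}
```

After `terraform apply`, the "Effective Security Rules" view mentioned in the comments is also available from the CLI as `az network nic list-effective-nsg -g rg-web -n <nic-name>`; NSG changes take time to propagate, so checking the effective rules before testing avoids the false negatives described above. The defensive points this configuration encodes are that nothing in the VNet is reachable from a public IP except through the load balancer, that only the web tier (the ASG) accepts inbound traffic, and that the accepted ports are the backend ports rather than 80/443, which does not by itself change what the advisory reports because it still sees an Allow rule whose source is the Internet service tag.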