We are building a SaaS application where multiple tenants will be using a single deployed application. Some tenants want to access this application over VPN only (for security reasons). To achieve this we need to set up site-to-site connectivity with the tenant's network. But we are facing the following problem.
Two tenants may be using the same IP range. How can we connect an Azure VNet with these different local networks that have the same IP range? [I am not sure, but I guess connecting these local networks to two different VNets first and then connecting those two VNets to the main VNet will work, but this will complicate the system.]
Thanks In Advance
You can't solve your problem easily. This is a basic issue with IP address range allocation and isn't restricted to Azure. You could have some form of on-premises solution rolled out that would meet your requirements by laying down a range you control that your customer then needs to connect their internal network to. Even doing that, you'd probably still have problems where your Azure VNet private IP address range overlaps a customer's internal range, which is highly likely to happen.
You need to work this out with the customer to make sure that all participating networks in the VPN have different address spaces.
This can easily be worked out at the on-premises level; it should be easy to have different address spaces even if everybody is using, say, the 192.168 series.
NATing at the on-premises networks should be straightforward.
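As an added illustration of the two answers above (this is example code, not part of the original thread), the following Python checks a set of participating ranges for overlap before any tunnel is built, and then carves per-site translated ranges out of a pool the SaaS side controls, which is the NAT plan the second answer describes. All CIDRs are constructed sample values, and the choice of 100.64.0.0/22 as the translation pool is an arbitrary assumption for the example.

```python
"""Added example: overlap detection and a per-site NAT plan for a hub VNet
that must accept site-to-site tunnels from tenants with colliding ranges.
Sample values below are constructed for the example and are not anyone's
real deployment."""
import ipaddress
from itertools import combinations

# Constructed sample: a hub VNet plus three tenant networks, two of which
# collide with each other and one of which collides with the hub itself.
SAMPLE_NETWORKS = {
    "hub-vnet": "10.0.0.0/16",
    "tenant-a": "192.168.1.0/24",
    "tenant-b": "192.168.1.0/24",
    "tenant-c": "10.0.5.0/24",
}
# Assumed translation pool owned by the SaaS side (arbitrary choice for the example).
TRANSLATION_POOL = "100.64.0.0/22"


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose ranges overlap.

    `networks` maps a label to a CIDR string. Partial overlap and full
    containment are both reported: a VPN gateway cannot route to two peers
    that claim the same address space, whichever way they overlap.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2)
            if net_a.overlaps(net_b)]


def plan_nat(sites, translation_pool):
    """Assign each site a distinct translated range of the same size, carved
    from `translation_pool`. Returns {site: translated_cidr}.

    Larger sites are placed first so smaller ones pack around them. Raises
    ValueError if a site is bigger than the pool or the pool runs out, so a
    planning mistake fails loudly instead of silently reusing a range.
    """
    pool = ipaddress.ip_network(translation_pool)
    assigned = {}
    for name in sorted(sites, key=lambda n: ipaddress.ip_network(sites[n]).prefixlen):
        site = ipaddress.ip_network(sites[name], strict=False)
        if site.prefixlen < pool.prefixlen:
            raise ValueError(f"{name} ({site}) is larger than the pool {pool}")
        for candidate in pool.subnets(new_prefix=site.prefixlen):
            if not any(candidate.overlaps(used) for used in assigned.values()):
                assigned[name] = candidate
                break
        else:
            raise ValueError(f"translation pool {pool} exhausted at {name}")
    return {name: str(net) for name, net in assigned.items()}


def resolve(networks, hub_name, translation_pool):
    """Full procedure: translate every site that overlaps anything, leave the
    hub untouched, and return the new address map (which should be conflict-free)."""
    conflicted = {n for pair in find_overlaps(networks) for n in pair} - {hub_name}
    plan = plan_nat({n: networks[n] for n in conflicted}, translation_pool)
    return {n: plan.get(n, cidr) for n, cidr in networks.items()}


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SAMPLE_NETWORKS))
    resolved = resolve(SAMPLE_NETWORKS, "hub-vnet", TRANSLATION_POOL)
    print("after NAT:", resolved)
    print("remaining overlaps:", find_overlaps(resolved))
```

Run the check every time a tenant is onboarded, not once: the second answer's point is that the address plan has to hold across all participating networks, and a later tenant can collide with a range that was fine yesterday.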
I'm trying to set up an OpenStack environment with two Kubernetes clusters, one production and one testing. My idea was to separate them with two networks in OpenStack and then have a VPN in front, to limit the exposure through floating IPs (for this I would have a proxy that routes requests to the correct internal addresses).
However, issues arise when trying to tunnel requests to both networks when connected to the VPN. Either I choose to run the VPN in its own network or in one of the two, but I don't seem to be able to make requests across network boundaries.
Is there a better way to configure the networking in OpenStack or OpenVPN, so that I can keep the clusters separated and still have access to all resources through one installation of OpenVPN?
Is it better to run everything in the same OpenStack network and separate them with subnets? Can I still have the production and test clusters expose different IP addresses externally? Are they still separated enough to limit the risk of them accessing each other?
Sidenote: I use Terraform to deploy the infrastructure and Ansible to install resources, if someone has suggestions along the lines of already prepared scripts.
Thanks,
The solution I went for was to separate the environments with their own networks and CIDRs and then attach them to the VPN instance to give it access to them. From there I just tunnel everything.
I have a couple of virtual machines in one Cloud Service. They are assigned to the same VNet and have received private IP addresses in the same subnet.
I noticed that I was unable to ping from one server to another, and when I started to look into it there is no connectivity whatsoever between the servers. I have disabled Windows Firewall on both servers but that didn't do the trick.
Just now I tried, on one of the VMs, to ping the internal IP address assigned to itself, but it fails.
Can anyone shed some light on this? Is this expected behavior?
The reason I am looking into this right now is that we are adding a third VM to do some performance monitoring, and since the other two VMs are part of a Cloud Service we cannot open endpoints to both of them using the same port and need to go directly to the internal IPs.
Thanks in advance
I had a similar issue not too long ago. I had three servers in the same VNet that were able to communicate via site-to-site VPN to my HQ but could not communicate with one another. After several hours of banging my head against the desk, I ended up just rebuilding the VNet, and connectivity to one another was restored successfully. The VNet router feature had become corrupt and could no longer send traffic internally.
To rebuild the VNet, you'll need to delete the VMs. Keep the disks, though, and you can rebuild them quickly after the new VNet is back online.
I'm building out an Azure-hosted website, but it needs to reach into our home office to connect to some internally hosted web services. Our firewall is set up to only allow traffic from certain IPs, so we're looking to determine what IP range we need to allow access to.
Currently I'm still using the MSDN "free" Azure subscription, so I don't know what options may be limited, but is there a way I can determine what source IP, subnet, or whatever my Azure-hosted site will attempt to call my web services from?
Thanks!
Be careful opening your firewall to the entire Azure datacenter IP ranges. Anybody can host anything in Azure, including malicious software, so if you open your firewall to the entire Azure IP range you may as well just open it to 0.0.0.0-255.255.255.255, because in effect you are getting the same security.
A better option is to deploy your service and just whitelist that one IP address. That IP address is guaranteed to remain the same until you delete your service. With the ability to do in-place upgrades and VIP swaps, there should be no reason why you would need to delete your hosted service and lose your IP address. If you ever do run into a scenario where you need to delete/redeploy, you can always update your firewall at that time.
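To make the point of the answer above concrete (this is an added example, not code from the original thread), the following Python evaluates a source address against a firewall allowlist and audits the allowlist for entries broader than a single host. The provider range, "our" deployment address and the "attacker" address are all constructed from the RFC 5737 documentation blocks; they are not Microsoft's published ranges and the allowlist format is an assumption of the example.

```python
"""Added example: evaluate and audit a source-IP allowlist. Shows why
admitting a whole provider range also admits any other tenant of that
provider, while a single-host entry does not. IPv4 only. All addresses are
constructed samples from RFC 5737 documentation space."""
import ipaddress

# Constructed stand-in for "the provider's published ranges" (not real Azure ranges).
PROVIDER_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
# Constructed: the one address our deployed service egresses from.
OUR_SERVICE_IP = "198.51.100.42"
# Constructed: some other tenant's VM in the same provider range.
OTHER_TENANT_IP = "198.51.100.200"


def is_source_allowed(source_ip, allowed_cidrs):
    """True if `source_ip` falls inside any allowlist entry (the firewall's decision)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def audit_allowlist(allowed_cidrs, max_hosts=1):
    """Return (cidr, host_count) for every entry admitting more than `max_hosts`
    addresses. The default of 1 enforces the answer's advice: allow exactly the
    deployment's address. Raise it only for a range you actually control."""
    findings = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > max_hosts:
            findings.append((str(net), net.num_addresses))
    return findings


def exposure_ratio(allowed_cidrs):
    """Fraction of the IPv4 space the allowlist admits, with overlapping
    entries collapsed so they are not double-counted. 1.0 means 0.0.0.0/0."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    admitted = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return admitted / 2 ** 32


if __name__ == "__main__":
    single_host = [OUR_SERVICE_IP + "/32"]
    for label, rules in (("provider ranges", PROVIDER_RANGES), ("single host", single_host)):
        print(f"{label}: our service allowed={is_source_allowed(OUR_SERVICE_IP, rules)}, "
              f"other tenant allowed={is_source_allowed(OTHER_TENANT_IP, rules)}, "
              f"over-broad entries={audit_allowlist(rules)}, "
              f"exposure={exposure_ratio(rules):.3e}")
```

Running the audit as part of whatever deploys the firewall rules turns "don't open it to the whole provider" from advice into a check that fails the deployment when someone adds a broad range.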
It sounds like this is what you're looking for:
Windows Azure Datacenter IP Ranges
So, my work has several networks and small business locations, all with an internet-blocking server. The managers all rotate and want freedom from the server, AKA static IP addresses outside the range of DHCP.
My problem is that they all need access to each other's networks, so setting up an alternate configuration is not that useful. How would I create an application that will change my users' IP address so that it will match their static IP at the location they changed it to?
This is just their internal IP address on their local machine, and each location's network has a static IP waiting for them. I just have to change their IP address.
Is there a batch file command that can help achieve this? If not, maybe writing a script or going into a larger application?
Doing this on the machine itself will be difficult. It needs to be able to recognise each network, and what will it do when connecting to an unknown network like a home network or a hotspot?
I think it would be better to let the DHCP server hand out static addresses from outside the normal dynamic address pool. That way everything keeps working automatically while also giving static addresses to the machines.
I know this is not a real answer to your question, but I hope this gives you an alternative.
I'm currently revising for an exam and I'm stuck on a question which is:
"Explain the static and dynamic host configuration approaches."
I'm unsure if the answer is correct, but what I've written is this:
Static host configurations are hard-coded addresses that will only work on one specific network segment, which is intended for stationary computers.
Dynamic host configurations work best with portable computers like laptops that move between network segments.
that's my answer, could anyone help me to understand if this is correct or not?
You are correct about the difference. But there's a lot more than what you have stated.
DHC: Used to configure IP addresses on the systems automatically, without any intervention from the network administrator.
For example, when you register for a new internet connection, your ISP (the network administrator, in this case) will provide you access to the DHCP server, which will allot you the IP address at runtime.
To prevent the same IP address being assigned to two different computers.
Also, the main use is that ISPs will have a range of IP addresses with them. You'll be assigned any of their IPs dynamically by the DHCP server when your lease time expires for a particular IP that had been assigned earlier.
SHC: Used to manually configure the IP addresses of systems.
When you know exactly how many systems are going to be present inside the network.
And when you want to uniquely identify a system in the network using its IP address.
For example, when you configure a LAN in your house between, say, around 4 computers, you will know exactly the number of systems in the group. So you don't have to allot a DHCP server to allot the IP addresses for these 4 systems. You manually configure them.
Hope that helps :)