Azure : What does the Direct Server Return option do for a Load Balancer?

Introduction

When setting up a load balancing rule in Azure, you’ll be given the opportunity to enable/disable “Direct Server Return”.

[Screenshot: Add load balancing rule - Microsoft Azure]

So what does it do?

Apart from disabling the “backend port” input field, what does it do? Clicking on the “?” gives us a start…

[Screenshot: Add load balancing rule - Microsoft Azure, help text for Direct Server Return]

Basically, DSR (Direct Server Return) disables any NAT involved. The targeted VM must therefore be aware of the load balancer IP (it has to own that address itself), or the network flow will break.

So it is useful for cluster-style setups where the nodes themselves carry the cluster IP address, but do NOT use it for typical load balancing scenarios where the nodes aren’t aware of the cluster address.

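As an added example (not from the original post), the following Azure PowerShell snippet audits which load balancing rules have Direct Server Return enabled (the ARM API exposes the portal toggle as the rule property EnableFloatingIP), and a second function, run on the backend VM itself, checks that the frontend IP is actually bound there. It assumes the AzureRM module is installed and you are already logged in.

```powershell
# Added example, not part of the original post.
# Lists every load balancing rule in the subscription and flags Direct Server Return.
# Assumes: AzureRM.Network installed and Login-AzureRmAccount already done.
Import-Module AzureRM.Network

function Get-DsrRuleReport {
    foreach ($lb in Get-AzureRmLoadBalancer) {
        foreach ($rule in $lb.LoadBalancingRules) {
            # With DSR there is no NAT: the backend must listen on the frontend port
            # and must have the frontend IP bound locally, otherwise the flow breaks.
            $note = if ($rule.EnableFloatingIP) {
                'no NAT: backend VMs must own the frontend IP'
            } else {
                'NAT: backend port may differ from frontend port'
            }
            [pscustomobject]@{
                LoadBalancer       = $lb.Name
                ResourceGroup      = $lb.ResourceGroupName
                Rule               = $rule.Name
                FrontendPort       = $rule.FrontendPort
                BackendPort        = $rule.BackendPort
                DirectServerReturn = $rule.EnableFloatingIP
                Note               = $note
            }
        }
    }
}

# Run this one on the backend VM itself (Windows 8 / Server 2012 or later):
# returns $true when the load balancer frontend IP is bound on a local adapter,
# which is the precondition for DSR traffic to be accepted by the VM.
function Test-DsrFrontendIpBound {
    param([Parameter(Mandatory)][string]$FrontendIp)
    $bound = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object IPAddress -eq $FrontendIp
    return [bool]$bound
}

Get-DsrRuleReport | Sort-Object DirectServerReturn -Descending | Format-Table -AutoSize
```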
Azure : Enumeration and reconnaissance activities for Security Officers

Introduction

A while back I saw a very interesting session on penetration testing on Azure at the Hope conference by Apostolos Mastoris.

A Penetration Tester’s Guide to the Azure Cloud
(45 mins) Apostolos Mastoris — The wide adoption and the benefits of cloud computing have led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment’s components.

And yesterday I saw that Azurite (the tool) was released! So let’s take a look at how this looks when run against one of my lab environments.

Prerequisites

Before engaging, be sure to have the following prerequisites on your system:

Let’s get into the action!

The summary of commands we’ll be handling:

# PS> Import-Module AzureRM
# PS> Import-Module ./AzuriteExplorer.ps1
# PS> Review-AzureRmSubscription
# CMD> C:\python27\python.exe AzuriteVisualizer.py azure-subscription__.json

Basically, ensure that the resource manager module is loaded and import the custom Azurite module. Afterwards start the cmdlet “Review-AzureRmSubscription”, where you’ll enter your credentials and select the target subscription.

Once done, use python to parse the extracted json file. That’ll generate an “AzuriteVisualizer.html” document. Open the latter with Firefox to see a nice visualization!

The screenshots of the action

Starting “Azurite Explorer”

[Screenshot: Azurite Explorer running in PowerShell]

Parsing the json file to generate the html

[Screenshot: Windows PowerShell, running AzuriteVisualizer.py]

Taking a look at the output in Firefox

[Screenshot: Azurite Visualizer - Azure Subscription Topology Overview]

Azure : VNet Peering

Introduction

We’ve talked about setting up VPN connections between VNets in the past… At the end of July, VNet peering entered “preview”. This feature allows you to connect two VNets within the same region without the need for a gateway.

How does this look?

So let’s look at an example with three VNets: two in West Europe and one in North Europe.

[Screenshot: Choose virtual network - Microsoft Azure, list of VNets]

If we select one VNet (the one from West Europe), we’ll notice another option called “Peerings”.

[Screenshot: Virtual network blade - Microsoft Azure, “Peerings” option]

Press “Add” here, and you’ll be able to link another VNet in the same region.

[Screenshot: Add peering - Microsoft Azure]
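The same peering done with Azure PowerShell instead of the portal, as an added example that is not from the original post. VNet names and the resource group are placeholders; it assumes the AzureRM module is installed, you are logged in, and both VNets live in the same region (West Europe here), which the preview requires.

```powershell
# Added example, not part of the original post. Placeholder names throughout.
# Assumes: AzureRM.Network installed, Login-AzureRmAccount already done,
# and both VNets in the same region (a preview requirement).
Import-Module AzureRM.Network

$rg    = 'rg-weu-lab'   # placeholder resource group
$vnetA = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-weu-1'
$vnetB = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-weu-2'

# A peering is a separate resource on EACH side and only opens traffic towards
# its own VNet, so it has to be created in both directions before it is usable.
Add-AzureRmVirtualNetworkPeering -Name 'weu1-to-weu2' -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetB.Id
Add-AzureRmVirtualNetworkPeering -Name 'weu2-to-weu1' -VirtualNetwork $vnetB -RemoteVirtualNetworkId $vnetA.Id

# Verify: both sides should report PeeringState 'Connected'. AllowForwardedTraffic
# and AllowGatewayTransit stay off unless explicitly set, so a peered VNet cannot
# be used as a transit path by default; review these flags as part of the audit.
foreach ($name in 'vnet-weu-1', 'vnet-weu-2') {
    Get-AzureRmVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $name |
        Select-Object Name, PeeringState, AllowVirtualNetworkAccess, AllowForwardedTraffic, AllowGatewayTransit
}
```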

Behind the scenes : Creating a Microsoft SQL Server as a Windows / Docker Container

Introduction

This post is the first of a series in my journey to build a flexible, production-ready MSSQL Windows container. I thought this would be a breeze given my experience with Docker for Linux, though I must admit I ran into multiple issues… This post will not provide you with a working container, as I’m still developing that one.

[Screenshot: Remote Desktop Connection to the container host kvaeschost01]

Once I deem it production ready, it’ll be released to the community to be used freely. I do want it to meet my personal quality standards though, meaning it should be stable and flexible enough to run in production.

Blueprint Braindump

For those who have been following me for a while (real life, twitter, yammer, linkedin, …), you probably know I’ve been preaching about MSSQL as a container for way too long. My personal vision was to have MSSQL run in a container, with the data located outside of the container, which would enable a (relatively) easy path for the changes you want to implement.

[Diagram: MSSQL container blueprint: Docker, persistent storage, identity, repository]

So where volume mapping would be an option, I was also considering an integration with an external storage service. As an Azure fanatic, I (also) want to leverage the option of storing my data/temp files on Azure storage. This would provide me with totally host-independent storage persistence on Docker! For those who have been playing with Docker for a while, this is truly a powerful combination.

As a long term goal, I would like to see this running on a “serverless” platform. From what I have seen in the market, this is still an unreachable utopia/Walhalla at this point. So my current objective in that area is to investigate the option of deploying this setup on Service Fabric, or to leverage the power of Rancher with Windows containers.

Integrating Azure Active Directory with Rancher

Introduction

Today we’ll be doing a post on how to integrate “Azure Active Directory” with my favorite docker orchestration tool “Rancher”. A few months back I issued a request towards the Rancher team (via Github) and it was added in the latest 1.1.0 release!

Authentication & Authorisation

So what can we do with it? The first thing I want to point out is that in any identity process, there are two conceptual aspects;

  • Authentication ; Here you provide a way to prove that you are really you… This can be done via user/pass, certificates, … and so on.
  • Authorization ; Once your identity is known, you can be granted a given set of permissions (maybe grouped by role).

Why do I say this? It’s important to know that once you enable the AAD (Azure Active Directory) integration, AAD becomes responsible for the authentication part only. Rancher UI (or Rancher Server) remains responsible for the authorization part!

Identity Flow with the AAD integration

The following diagram shows how the flow goes:

[Diagram: Rancher / Azure Active Directory integration identity flow]

Issue : Exposing ports with Windows Containers on TP5

A brief post today, to assist people who are probably going to “enjoy” the same networking issue. When coming from docker on linux and working with docker on windows, the first thing you’ll probably run into is port exposing…

I built a MSSQL 2016 container with the default port (1433) exposed.

PS C:\Users\kvaes> docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
efc7a981f6b9 kvaessql2016 "cmd /S /C 'powershel" 6 minutes ago Up 6 minutes 1433/tcp

Though I was unable to connect from the container host to this port…

PS C:\Users\kvaes> Test-NetConnection -Port 1433 -ComputerName Localhost
WARNING: TCP connect to Localhost:1433 failed

ComputerName : Localhost
RemoteAddress : ::1
RemotePort : 1433
InterfaceAlias : Loopback Pseudo-Interface 1
SourceAddress : ::1
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

Now let’s try that directly from the container…

PS C:\Users\kvaes> docker exec -ti efc7a981f6b9 powershell Test-NetConnection -Port 1433 -ComputerName Localhost

ComputerName : Localhost
RemoteAddress : ::1
RemotePort : 1433
InterfaceAlias : Loopback Pseudo-Interface 2
SourceAddress : ::1
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : True

This had me totally flabbergasted! After searching for a solution, I ran into the following GitHub issue: https://github.com/Microsoft/Virtualization-Documentation/issues/253

which pointed me to the following statement:

This is a known limitation in our Windows NAT implementation (WinNAT) that you cannot access the external port in a static port mapping directly from the container (NAT) host.

The following GitHub issue showed a workaround: https://github.com/docker/docker/issues/15740

So let’s check the IP of our container…

PS C:\Users\kvaes> docker exec -ti efc7a981f6b9 ipconfig

Windows IP Configuration

Ethernet adapter vEthernet (Temp Nic Name):

Connection-specific DNS Suffix . : 404nupum1doencwb55jgqiwlph.ax.internal.cloudapp.net
Link-local IPv6 Address . . . . . : fe80::3077:b4b4:3a8c:5d83%31
IPv4 Address. . . . . . . . . . . : 172.27.75.141
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . : 172.16.0.1

And then set up a port proxy to reroute the traffic:

PS C:\Users\kvaes> netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=1433 connectaddress=172.27.75.141 connectport=1433

What does the test from our container host say now?

PS C:\Users\kvaes> Test-NetConnection -Port 1433 -ComputerName Localhost

ComputerName : Localhost
RemoteAddress : ::1
RemotePort : 1433
InterfaceAlias : Loopback Pseudo-Interface 1
SourceAddress : ::1
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : True

And now it works! In all honesty, I find this a serious flaw in the Windows implementation and truly annoying to anyone making the shift from containers in the Linux ecosystem to the Windows ecosystem.
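The workaround above wrapped into a reusable function, as an added example that is not part of the original post: it resolves the container’s NAT address with docker inspect instead of reading ipconfig by hand, keeps the proxy bound to loopback only, verifies it with the same Test-NetConnection check, and gives you a matching cleanup. It assumes the TP5 container network is named “nat” (adjust -Network if yours differs), Docker is on the PATH, and the shell is elevated.

```powershell
# Added example, not part of the original post.
# Assumes: container network named 'nat' (TP5 default), docker on PATH, elevated shell.
function Add-ContainerPortProxy {
    param(
        [Parameter(Mandatory)][string]$Container,   # id or name, e.g. efc7a981f6b9
        [Parameter(Mandatory)][int]$Port,           # container port, e.g. 1433
        [string]$Network = 'nat',
        [string]$ListenAddress = '127.0.0.1'        # loopback only; 0.0.0.0 would expose the port to the LAN
    )
    # Ask Docker for the container's IPv4 address on the NAT network.
    $ip = (docker inspect -f "{{.NetworkSettings.Networks.$($Network).IPAddress}}" $Container).Trim()
    if (-not $ip) { throw "No IPv4 address found for '$Container' on network '$Network'" }

    # Same netsh workaround as in the post, parameterised.
    netsh interface portproxy add v4tov4 listenaddress=$ListenAddress listenport=$Port connectaddress=$ip connectport=$Port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh portproxy add failed (not running as Administrator?)' }

    # Verify from the host, against the exact listen address (avoids the ::1 vs 127.0.0.1 ambiguity of "Localhost").
    $ok = (Test-NetConnection -ComputerName $ListenAddress -Port $Port).TcpTestSucceeded
    [pscustomobject]@{
        Container   = $Container
        ContainerIp = $ip
        ListenOn    = "${ListenAddress}:$Port"
        Reachable   = $ok
    }
}

# Port proxies survive container restarts and reboots, so remove them when the
# container goes away: a stale entry silently forwards to whatever gets that IP next.
function Remove-ContainerPortProxy {
    param([Parameter(Mandatory)][int]$Port, [string]$ListenAddress = '127.0.0.1')
    netsh interface portproxy delete v4tov4 listenaddress=$ListenAddress listenport=$Port | Out-Null
}

# Usage (container id from the post's docker ps output):
# Add-ContainerPortProxy -Container efc7a981f6b9 -Port 1433
# netsh interface portproxy show v4tov4     # review what is currently forwarded
# Remove-ContainerPortProxy -Port 1433
```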