Azure : What does the Direct Server Return option do for a Load Balancer?

Introduction

When setting up a load balancing rule in Azure, you’ll be given the opportunity to enable/disable “Direct Server Return”.

(Screenshot: “Add load balancing rule” blade in the Azure portal, showing the Direct Server Return option)


So what does it do?

Apart from disabling the “backend port” input field, what does it do? Clicking on the “?” gives us a start…

(Screenshot: “Add load balancing rule” blade in the Azure portal, with the help text for Direct Server Return)

Basically, DSR (Direct Server Return) disables the NAT the load balancer would otherwise perform: packets reach the backend with the load balancer’s frontend IP still as their destination address. So the targeted VM must be aware of the load balancer IP (it has to own that address itself), or the network flow will break.

So it’s useful as a cluster IP address (for example, when the cluster nodes themselves own the shared cluster IP), though do NOT use it for typical load balancing scenarios where the nodes aren’t aware of the cluster address.
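To make the “no NAT” behaviour concrete, here is an added example (not from the original post) of an AzureRM load balancing rule with DSR enabled, which the cmdlets expose as the -EnableFloatingIP switch, together with the matching configuration inside a Windows backend node so that it accepts traffic still addressed to the frontend IP. The resource group, load balancer name, adapter names, port and frontend IP are assumed placeholder values.

```powershell
# Added example; all names, IPs and ports below are assumed placeholders.

# --- Part 1: run on the admin workstation ---
Import-Module AzureRM
Login-AzureRmAccount

$rg     = 'rg-cluster-demo'      # assumed resource group
$lbName = 'lb-cluster-demo'      # assumed (internal) load balancer
$lb     = Get-AzureRmLoadBalancer -ResourceGroupName $rg -Name $lbName
$feIp   = $lb.FrontendIpConfigurations[0]
$pool   = $lb.BackendAddressPools[0]
$probe  = $lb.Probes[0]

# With -EnableFloatingIP (the portal's "Direct Server Return") the backend
# port is the same as the frontend port, because no DNAT takes place: the VM
# receives packets whose destination IP is still the frontend IP.
$lb | Add-AzureRmLoadBalancerRuleConfig -Name 'rule-cluster-1433' `
        -FrontendIpConfiguration $feIp -BackendAddressPool $pool -Probe $probe `
        -Protocol Tcp -FrontendPort 1433 -BackendPort 1433 -EnableFloatingIP |
    Set-AzureRmLoadBalancer

# --- Part 2: run inside EACH backend VM (Windows) ---
# The node must own the frontend IP itself. Bind it to a loopback adapter
# (assumes a Microsoft loopback adapter renamed to 'Loopback' exists) and
# relax the strong host model so the real NIC accepts traffic for that IP.
# Without this step the flow breaks exactly as the post describes.
$frontendIp = '10.0.0.100'   # assumed frontend IP of the internal LB
netsh interface ipv4 add address 'Loopback' $frontendIp 255.255.255.255
netsh interface ipv4 set interface 'Loopback' weakhostreceive=enabled
netsh interface ipv4 set interface 'Loopback' weakhostsend=enabled
netsh interface ipv4 set interface 'Ethernet'  weakhostreceive=enabled
```

For a typical load-balanced web farm whose nodes are not configured this way, leave DSR disabled so the load balancer keeps doing the NAT.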


Azure : Enumeration and reconnaissance activities for Security Officers

Introduction

A while back I saw a very interesting session on penetration testing on Azure at the Hope conference by Apostolos Mastoris.

A Penetration Tester’s Guide to the Azure Cloud
(45 mins) Apostolos Mastoris — The wide adoption and the benefits of cloud computing has led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment’s components.

And yesterday I saw that Azurite (the tool) was released! So let’s take a look at what it produces when run against one of my lab environments.


Prerequisites

Before engaging, be sure to have the following prerequisites on your system:


Let’s get into the action!

A summary of the commands we’ll be using:

# PS> Import-Module AzureRM
# PS> Import-Module ./AzuriteExplorer.ps1
# PS> Review-AzureRmSubscription
# CMD> C:\python27\python.exe AzuriteVisualizer.py azure-subscription__.json

Basically, ensure that the Resource Manager module is loaded and import the custom Azurite module. Afterwards, start the cmdlet “Review-AzureRmSubscription”; it will prompt you for your credentials and let you select the targeted subscription.

Once done, use Python to parse the extracted JSON file. That will generate an “AzuriteVisualizer.html” document. Open the latter with Firefox to see a nice visualization!


The screenshots of the action

Starting “Azurite Explorer”


Parsing the json file to generate the html

(Screenshot: Windows PowerShell)

Taking a look at the output in Firefox

(Screenshot: Azurite Visualizer - Azure Subscription Topology Overview)

Azure : VNet Peering

Introduction

We’ve talked about setting up VPN connections between VNets in the past… At the end of July, VNet peering entered “preview”. Peering allows you to connect two VNets within the same region without the need for a gateway.


How does this look?

So let’s look at an example with three VNets: two in West Europe and one in North Europe.

(Screenshot: Choose virtual network - Microsoft Azure)

If we select a VNet (from West Europe), we’ll notice another option called “Peerings”.

(Screenshot: Choose virtual network - Microsoft Azure, showing the “Peerings” option)

Press “Add” here, and you’ll be able to link another VNet in the same region.

(Screenshot: Choose virtual network - Microsoft Azure, adding a peering)