Azure Site to Site VPN Blocking Some Traffic

I ran across an interesting problem a couple of weeks ago when working with a client. The client has several subsidiaries, each with their own vNet. The client had a site to site VPN between the Azure vNets. All traffic was successfully crossing the Azure Site to Site VPN as expected. The sticking point was a software licensing server running in one of the subsidiaries' Azure infrastructure configurations. The software licensing software simply wasn't working.

We fired up Wireshark on the Azure VM which was running the software as well as on the Azure VM which was running the licensing software. In Wireshark on the VM running the software, we could see the software trying to talk to the licensing software. On the licensing server, we could see the connection request come in, and we could see the response from the licensing software going back to the client. But when we looked on the VM running the software, we couldn't see the packet coming back from the licensing server. So the network traffic was simply getting blocked somewhere. We didn't have any network security groups set up, and we didn't have any software firewalls in place. So nothing should have been blocking traffic.

We looked at the response that was coming from the licensing server, and it had the DoNotFragment bit set on the response network packet. Now the really weird thing is that the packet was only 1430ish bytes in size. So it would have fit within the 1500 byte packet, so there was zero chance of the packet being fragmented. But the bit was being set within the vendor's software, so we didn't have any way to remove that flag.

We were able to fix it by changing from a Site to Site VPN to a peered network connection between the two vNets. Changing the network connection to a peer allowed the software licensing process to work as expected and solved the problem.

So if you have software which requires the DoNotFragment bit in your connection, then an Azure Site to Site VPN isn't going to work for you. If you are doing everything in Azure, a peer can work where a Site to Site VPN doesn't.
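A packet carrying the DF flag is dropped rather than fragmented at any hop whose MTU is smaller than the packet, and the encapsulation an IPsec tunnel adds means the usable packet size through the tunnel is smaller than the 1500 bytes of the underlying segment. So the check worth running when a DF-marked flow dies somewhere is to measure the largest DF-marked packet that actually crosses the path, from the VM running the client software towards the licensing server. The script below is an added example, not part of the original post; it wraps Windows ping.exe (-f sets DF, -l sets the ICMP payload size) and the hostname is an assumption.

```powershell
# Added example (not from the original post): probe how large a packet with the
# DF (Don't Fragment) flag set can cross a given path. Hostname is an assumption.
# ping.exe -f sets DF; -l is the ICMP payload, to which 20 (IP) + 8 (ICMP) bytes are added.
function Test-DfPacket {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$PayloadBytes
    )
    $out = & ping.exe -n 1 -w 2000 -f -l $PayloadBytes $Target 2>&1 | Out-String
    # Windows reports a violation of the LOCAL interface MTU with this message;
    # a silent drop further along the path shows up as a timeout (no TTL= line).
    if ($out -match 'needs to be fragmented') { return 'TooBigLocally' }
    if ($out -match 'TTL=')                  { return 'Passed' }
    return 'Dropped'
}

function Find-DfPathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low  = 1200,
        [int]$High = 1472    # 1472 + 28 = 1500, a full Ethernet-sized packet
    )
    # Binary search for the largest DF-marked ICMP payload that gets a reply.
    $best = 0
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        if ((Test-DfPacket -Target $Target -PayloadBytes $mid) -eq 'Passed') {
            $best = $mid
            $Low  = $mid + 1
        } else {
            $High = $mid - 1
        }
    }
    if ($best -eq 0) { return $null }
    [pscustomobject]@{ Target = $Target; MaxDfPayload = $best; PathMtu = $best + 28 }
}

# Usage: compare what the path will carry with DF set against the size the
# application actually sends (the ~1430-byte response described in the post).
$AppPacketBytes = 1430
$result = Find-DfPathMtu -Target 'licensing-server.internal'   # assumed hostname
if ($null -eq $result) {
    'No DF-marked ping of any tested size got a reply; check that the target answers ICMP echo.'
} elseif ($result.PathMtu -lt $AppPacketBytes) {
    "Path MTU with DF set is $($result.PathMtu) bytes; a $AppPacketBytes-byte DF packet will be dropped."
} else {
    "Path MTU with DF set is $($result.PathMtu) bytes; a $AppPacketBytes-byte DF packet fits."
}
```

The target has to answer ICMP echo for this to mean anything (Windows Firewall blocks inbound echo requests by default, so enable the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule on the test target or probe a host that already replies). Run it once across the tunnel and once across the peering; the size at which the two results diverge is the one the application has to stay under, and the same limit applies to TCP segments as to the ICMP probes.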

Denny

Contact the Author | Contact DCAC

Protecting Your Data At Conferences

In less than two weeks, we will mark the start of the PASS 2019 Summit, the annual conference of fellow data nerds, SQL Server geeks, family and friends.  It is a week that many of us look forward to.  As we ramp up to this event, you will find bloggers posting about the event: places to eat, how to get around, things to do, or places to go sightseeing.  This is great information to have; however, in this post, I want to talk about something else.

Data Security.  More specifically, your data security and what you can do to help protect it.

Let’s face it.  Data breaches happen all the time.  When you get a large crowd together in the same place, it could be considered a smorgasbord for hackers and data thieves.  As much as I’d like to think that my fellow data professionals wouldn’t hack my data, unfortunately it happens.

So, let’s talk about a few things you can do to help keep your data safe.

Virtual Private Network (VPN)

Like any large conference, there will be WiFi available for conference attendees.  Most folks don’t think about it, but data thieves love free WiFi.  To counteract them, I am a huge proponent of utilizing a VPN service.  This could be one that you built yourself, or one of several VPN services that can be purchased for a monthly fee.  I built my own VPN server in Azure (or I use the one we have for the company), but purchasing one is definitely an option.

Make sure to consider your phone as well and not just your laptop.   I’ve configured my phone to utilize my VPN so that when I am using my phone on a free wireless network, I can ensure that my connection to the internet is as secure as possible.  Taking the time to ensure all your devices can utilize a VPN will help ensure your data is secure.

Juice-Jack Blockers

I’ve always been paranoid about plugging my phone or any USB device into an unknown port, including the USB ports offered in most modern hotels.  You do not really know where that port might be plugged into (unless you can trace the wires), and if you don’t know where/what it’s plugged into, you don’t know what might have access to your device.  Even modern aircraft provide USB ports for you to plug your phone into to charge during flight.  Do you know where that port goes?  I don’t.  So since I don’t know where that port really goes, I rarely use any USB port on flights, deferring instead to a regular AC outlet to charge my device.

Until now.  

Thanks to a tweet from Cathrine Wilhelmsen, I discovered that they make devices that allow you to plug your device into a USB port and only charge the device.  They are called juice-jack defenders.  These little devices have the data pins removed and only allow electricity to flow to your device.  I was able to purchase two of these devices from Amazon for $12.

These simple devices will help to ensure that regardless of which USB port I plug my device in, I know that there is zero chance that anything but electricity is passing to the device.   Pick up one or two before heading out to the conference and make sure to take a moment before you plug your phone into that random USB port.

Encrypt Your Hard Drive

This is a big one for me.  If you have a work laptop, I sincerely hope that it’s already encrypted.  Windows offers BitLocker (it has to be the Professional edition, I believe) and fellow Apple users have FileVault built into the OS for free.  If you have a personal device and you don’t already have your hard drive encrypted, you are just asking for a data breach.

In today’s world, local disk encryption won’t cause performance issues on most machines.  However, if you decide to enable encryption, do so well before you leave for any conference.  It will take some time for the encryption process to fully encrypt your hard drive.  You will also want to make sure you back up (in a safe place) any recovery keys that might be needed to decrypt the hard drive.

This is also great if your laptop/device gets stolen.  While I don’t want my laptop stolen (who does?) I would sleep easier knowing that my hard drive is encrypted, and any data contained on the drive is safe.

Please, please, please, please make sure your hard drive is encrypted.  The data you might save just might be your own.
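The three things this section asks for (confirm the drive is encrypted, start encryption early, and back up the recovery key somewhere safe) can all be checked from an elevated PowerShell prompt with the BitLocker module that ships with Windows Pro and Enterprise. The script below is an added example, not from the original post; the backup path is an assumption and should point at something that is not the laptop being encrypted.

```powershell
# Added example (not from the original post): check BitLocker on the OS drive, enable it
# if it is off, make sure a recovery password protector exists, and back that password up.
# Run elevated on Windows Pro/Enterprise. The backup path is an assumption; keep it OFF this machine.
Import-Module BitLocker

$Drive      = $env:SystemDrive                       # normally C:
$BackupPath = 'E:\Backup\bitlocker-recovery.txt'    # assumed: removable drive or other safe place

$vol = Get-BitLockerVolume -MountPoint $Drive

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Encrypt the OS drive, unlocked at boot by the TPM. Without -UsedSpaceOnly the free
    # space is encrypted as well, which is what you want on a drive that has held data.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    $vol = Get-BitLockerVolume -MountPoint $Drive
}

# A TPM-only configuration locks you out after a firmware change or TPM fault unless a
# recovery password also exists, so add one if it is missing.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# Write the recovery password(s) somewhere that is not the encrypted laptop.
$recovery | ForEach-Object {
    "Volume {0}  ProtectorId {1}  RecoveryPassword {2}" -f $Drive, $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $BackupPath

# Report progress: if this is not 100% and "On" yet, do not pack the laptop.
$vol = Get-BitLockerVolume -MountPoint $Drive
'{0}: {1}, {2}% encrypted, protection {3}' -f $Drive, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus
```

On a work machine joined to Azure AD, `BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $recovery[0].KeyProtectorId` escrows the same recovery password with the tenant instead of (or in addition to) the text file, and `Backup-BitLockerKeyProtector` does the equivalent for on-premises Active Directory. Either way, run the check again a day before travelling: a drive that reports `EncryptionInProgress` is not yet protecting anything that has not been encrypted.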

Summary

Protecting your personal data while traveling should be on the forefront of your mind.  Spending some time configuring or purchasing a VPN service, or encrypting your hard drive, or a small purchase from Amazon could save your data.  This will help ensure you have a safe and relaxing time at the conference knowing your data is safe.

After all, you don’t want to go back home knowing you let your data down, right?  I know that I don’t.

See you at the conference!

© 2019, John Morehouse. All rights reserved.


Building a Personal VPN Azure Solution

Since joining Denny Cherry & Associates Consulting, I tend to travel about once a month.  This isn’t a huge amount and is usually over a weekend (except for that opportunity to go to Australia that didn’t pan out).  Since I work in the IT field, security is highly important to me, especially my own security.  I am referring to my digital security.  For example, I don’t like using public WiFi because I don’t know who else is on that particular network, and, well, I’m a paranoid IT guy.  Due to that, I’m cautious as to what I do on my various electronic devices (laptop, phone, tablet, etc.) on the internet while out and about.

The solution?  A VPN Service.

There are various VPN services that you can subscribe to for a monthly/annual fee that offer you a secure connection.  Beyond just having a secure connection, you can also select which country you want the endpoint to be in.  For example, if I was in Australia, I could select a server in the United States and I would “look” like I was in the United States.  Some services will log everything you do, some will not.  In any case, if you decide to use a 3rd party VPN service, make sure you fully understand what is or isn’t included in the service.

On top of wanting to see if I could build it, I also did not want to pay a monthly fee. Since I really only travel about once a month, the need for a constant service was not on my priority list.  Really, I wanted a low-cost solution that I could spin up or down whenever I need to.  Using the mobile app, this is really easy to accomplish.

I thought that Microsoft Azure would be a great fit for me.  A small virtual machine in conjunction with free VPN software would suit my needs.  I could spin up the virtual machine before leaving town and then turn it off when I’m back home.  Remember, even if you turn it off,  you still pay for the storage.  However, you can select to use normal hard drives and not fast solid state drives which helps save on the costs when not using it.

After doing some research, I stumbled across a Do-It-Yourself (DIY) blog post from Microsoft.  The solution uses a virtual machine in the Azure cloud with the free, open source VPN software SoftEther.  Once I discovered this blog post, I got to work.

First I needed to stand up a virtual machine.  Upon logging into the Azure portal, I started to configure a new virtual machine.  First I needed to pick a size.

I chose to go with a DS2_v2.

From the sizing chart, we can see that this virtual machine has 2 vCPUs, 7GB of memory and traditional spinning disks.  There are some other metrics listed there as well.  If you were to leave it up and running for the entire month, the cost would be approximately $75 US dollars.  Now, I’m not going to leave it up and running the entire month, just when I need it, so this did not dissuade me.  You can certainly select a smaller size virtual machine.

Next, I had to choose an operating system.  Since I didn’t need a server-grade operating system, I went with Windows 10. The amount of traffic going through this VPN server would be minimal most of the time and I would be the only user, unless I shared it with family & friends.  There isn’t a limit on the number of users you can add to the VPN server other than hardware resources.

Once the virtual machine was up and running, I just followed the directions from the blog post to get SoftEther installed and configured.

Afterwards, I was able to download the OpenVPN client for my laptop, install the config file and get connected.  I can verify that it’s working by going to http://whatismyip.com.  Before connecting to the VPN service, my IP address reflects Louisville, KY since that’s where I physically am.

Because the virtual machine is in the East-US region for Azure and is using a dynamic IP address, we can see that now I’m “located” in Bristow, VA.  This is because the virtual machine is running in a data center in Virginia.  If I were to reboot the server and obtain a different IP address, or moved it to a different region, it would be something completely different.

Another option is to utilize the OpenVPN application for your mobile devices.  Download it from the store (Apple or Google), follow the documentation from the above blog post, and then your phone can have a secure connection as long as you have internet connectivity through your provider.
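The spin-it-up-when-travelling model described above is easier to live with if the VM, its public address and its network security group are created from a script rather than clicked through the portal each time, and two details matter for security and cost: the NSG should admit only the VPN port plus RDP from your own address, and the VM should be deallocated (not just shut down inside Windows) when you are home, so that only storage is billed. The script below is an added example, not code from the original post or from the Microsoft DIY guide it follows; every name, the image alias, the UDP 1194 OpenVPN port and the api.ipify.org lookup of your own public IP are assumptions.

```powershell
# Added example (not from the original post): deploy the VPN host with Az PowerShell,
# lock its NSG down to OpenVPN plus RDP from your current address, and provide helpers
# to start/deallocate it around trips. All names and the image alias are assumptions.
# Requires: Install-Module Az; Connect-AzAccount
$Rg       = 'rg-personal-vpn'
$Location = 'eastus'
$VmName   = 'vpn01'
$Size     = 'Standard_DS2_v2'     # the size from the post; anything smaller also works
$Image    = 'Win2019Datacenter'   # assumed alias; a Windows 10 image needs eligible licensing
$DnsLabel = 'vpn01-' + (Get-Random -Maximum 99999)   # stable FQDN even when the dynamic IP changes
$AdminIp  = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()   # assumed public-IP lookup
$Cred     = Get-Credential -Message 'Local admin account for the VPN host'

function New-VpnHost {
    New-AzResourceGroup -Name $Rg -Location $Location -Force | Out-Null

    # Only two inbound holes: RDP from where you sit right now, and OpenVPN for clients.
    $rdp = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-admin' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix "$AdminIp/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
    $ovpn = New-AzNetworkSecurityRuleConfig -Name 'allow-openvpn' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Udp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1194
    New-AzNetworkSecurityGroup -ResourceGroupName $Rg -Location $Location -Name "$VmName-nsg" `
        -SecurityRules $rdp, $ovpn -Force | Out-Null

    # New-AzVM reuses the NSG and public IP names if they already exist, so the
    # hardened NSG above is attached instead of a default one with RDP open to the world.
    New-AzVM -ResourceGroupName $Rg -Name $VmName -Location $Location -Image $Image -Size $Size `
        -Credential $Cred -SecurityGroupName "$VmName-nsg" -PublicIpAddressName "$VmName-pip" `
        -DomainNameLabel $DnsLabel | Out-Null

    "Connect clients to $DnsLabel.$Location.cloudapp.azure.com and install SoftEther/OpenVPN per the guide."
}

function Start-VpnHost {
    Start-AzVM -ResourceGroupName $Rg -Name $VmName | Out-Null
    # The dynamic address usually changes after a deallocate; the DNS label does not.
    $pip = Get-AzPublicIpAddress -ResourceGroupName $Rg -Name "$VmName-pip"
    "Running at $($pip.IpAddress) ($($pip.DnsSettings.Fqdn))"
}

function Stop-VpnHost {
    # Stop-AzVM deallocates: compute billing stops and only the disk is charged.
    # Shutting Windows down from inside the guest leaves the VM allocated and billed.
    Stop-AzVM -ResourceGroupName $Rg -Name $VmName -Force | Out-Null
    "Deallocated $VmName; only storage is billed until Start-VpnHost."
}

function Update-AdminRule {
    # Re-run from a new location before opening RDP: rewrites the source prefix of the RDP rule.
    $nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $Rg -Name "$VmName-nsg"
    $here = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
    Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'allow-rdp-admin' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix "$here/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
    "RDP now allowed only from $here"
}
```

Point the OpenVPN profile at the `cloudapp.azure.com` name rather than the raw address, and the post's observation about the IP changing after a reboot stops being a problem for the client. The RDP rule is pinned to a single /32 on purpose; `Update-AdminRule` is there because the hotel network you manage from will not be the address you deployed from.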

Ensuring that I have safe, easy, and secure access to the internet is important to me.  This solution was about 30 minutes worth of effort to complete, and now I can travel knowing that any traffic I send over public WiFi can be secured.

Note, before embarking on this adventure, make sure that you do a cost estimate.  I have some free credits from Microsoft to play with so this solution fits within that budget. It’s quite possible that a 3rd party service is more cost effective for what you might need/want.  Your mileage may vary.  If you don’t have an Azure account yet, you can sign up for free and get $200 of credits for the first 30 days.  If you have a Visual Studio subscription, you can get $50/month! An excellent opportunity to start learning Azure!

Let’s face it, that’s pretty cool.

 

© 2018, John Morehouse. All rights reserved.


Take Your Time With Azure Site to Site VPN Configurations

Setting up Azure Site to Site VPN Endpoints can be a real treat sometimes. Recently I was setting up a site to site VPN between two Azure sites. One in the US West data center and the other was in the West Europe data center.

Now the annoyance when setting up a site to site VPN between two Azure sites is that you have to do some stuff in the Azure Portal (manage.windowsazure.com) and some stuff through PowerShell. You have to do this because (as of when I’m writing this) you have to create the dynamic routing gateway in the portal, because PowerShell only supports creating a static routing gateway, and you have to change the pre-shared key in PowerShell, because the “Manage Key” button in the portal only supports showing you the key, not changing it.

Well, when I was trying to get this set up I was trying to get it done as quickly as possible, as I had other stuff to focus on that day. And apparently I wasn’t waiting long enough for the commands which the UI was running to actually finish before trying to run the PowerShell cmdlet Set-AzureVNetGatewayKey to change the pre-shared key. This then ended up causing problems for the commands which the UI had kicked off, and the Gateway would only be half created and wouldn’t show up correctly, so I’d drop the gateway and try again.

Long story short I ended up starting the gateway creation then went to dinner. When I came back everything was done, and I could change the pre-shared key and get everything back up and running again without issue.

When creating site to site VPN links between Azure take your time. You’ll spend less time if you slow down than you would otherwise.
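Rather than guessing how long dinner needs to be, the script can poll the gateway and refuse to touch the pre-shared key until the classic (Azure Service Management) gateway reports itself provisioned. The code below is an added example, not from the original post; it uses the same classic cmdlet the post names (`Set-AzureVNetGatewayKey`) plus `Get-AzureVNetGateway`, and the VNet names, local network site names and generated key are assumptions.

```powershell
# Added example (not from the original post): wait for the classic VNet gateway to finish
# provisioning before changing the pre-shared key, instead of racing the portal's job.
# Requires the classic Azure module: Import-Module Azure; Add-AzureAccount; Select-AzureSubscription
# VNet and local-network-site names below are assumptions.
function Wait-AzureVNetGatewayProvisioned {
    param(
        [Parameter(Mandatory)][string]$VNetName,
        [int]$TimeoutMinutes = 45,   # dynamic routing gateways routinely take 30 to 45 minutes
        [int]$PollSeconds    = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $gw = Get-AzureVNetGateway -VNetName $VNetName
        Write-Verbose ("{0} {1}: gateway state {2}" -f (Get-Date -Format T), $VNetName, $gw.State)
        switch ($gw.State) {
            'Provisioned'    { return $gw }
            'NotProvisioned' { throw "No gateway is being created for $VNetName; create it in the portal first." }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Gateway for $VNetName is still '$($gw.State)' after $TimeoutMinutes minutes."
}

function Set-SiteToSitePresharedKey {
    param(
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$LocalNetworkSiteName,
        [Parameter(Mandatory)][string]$SharedKey
    )
    # Only change the key once the gateway is fully there; the key change is what broke the
    # half-finished creation in the post.
    Wait-AzureVNetGatewayProvisioned -VNetName $VNetName -Verbose | Out-Null
    Set-AzureVNetGatewayKey -VNetName $VNetName -LocalNetworkSiteName $LocalNetworkSiteName -SharedKey $SharedKey
}

# For an Azure-to-Azure tunnel each VNet's "local network site" is the other VNet's address
# space, and both ends must carry the same key. Generate one from a CSPRNG rather than typing it.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)   # 32 printable ASCII characters

Set-SiteToSitePresharedKey -VNetName 'vnet-uswest'     -LocalNetworkSiteName 'site-westeurope' -SharedKey $psk
Set-SiteToSitePresharedKey -VNetName 'vnet-westeurope' -LocalNetworkSiteName 'site-uswest'     -SharedKey $psk
```

The same wait-then-change discipline applies with the current Az module: check that `(Get-AzVirtualNetworkGateway -Name ... -ResourceGroupName ...).ProvisioningState` is `Succeeded` before calling `Set-AzVirtualNetworkGatewayConnectionSharedKey`, and apply the key to the connection object at both ends.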

Denny
