On October 8th I wrote about creating a Site-to-Site VPN between your network and Azure, and someone contacted me through LinkedIn and asked why I created 2 subnets in my Virtual Network. What was the point? Well, like I said in that post, it was to separate front-end (Internet-accessible) servers from back-end (intranet) servers.
To try this for yourselves, use the info in an earlier post on Windows Azure Trials and go through the following MVA modules (they’re full of great info you can access at your convenience):
- Introduction To Windows Azure Training
- Introduction to Private, Hybrid and Public Cloud
- Introduction to the Microsoft Private Cloud
- Windows Azure Security Overview
Anyway, the way you allow a VM to be accessed from the Internet is by defining endpoints. All virtual machines that you create in Windows Azure can automatically communicate over a private network channel with other virtual machines in the same cloud service or virtual network. However, other resources on the Internet or in other virtual networks require endpoints to handle inbound network traffic to the virtual machine.
When you create a virtual machine in the Management Portal, you can create these endpoints, such as for Remote Desktop, Windows PowerShell Remoting, or Secure Shell (SSH). After you create the virtual machine, you can create additional endpoints as needed or remove them, as I did for the machines on my AZR-Lab-Infra subnet.
Each endpoint has a public port and a private port:
- The private port is used internally by the virtual machine to listen for traffic on that endpoint.
- The public port is used by the Windows Azure load balancer to communicate with the virtual machine from external resources. After you create an endpoint, you can use a network access control list (ACL) to define rules that help isolate and control the incoming traffic on the public port. For more information, see About Network Access Control Lists. (We’ll cover that next week.)
Like I said, my machine in the AZR-Lab-Infra subnet has no endpoints, so Windows Azure does not assign a public IP address for reaching this machine from the Internet.
However, my machine on the AZR-Lab-Public subnet, which is a test WordPress box, has 2 endpoints defined, and therefore Windows Azure assigned an external IP address and mapped the ports.
This allows me to reach it from anywhere on the Internet using the IP address or the DNS name.
How do I create an endpoint?
If you have not already done so, sign in to the Windows Azure Management Portal.
Click Virtual Machines, and then select the virtual machine that you want to configure.
Click Endpoints. The Endpoints page lists all endpoints for the virtual machine.
Click Add at the bottom.
The Add Endpoint dialog box appears. Choose whether to add the endpoint to a load-balanced set and then click the arrow to continue.
In Name, type a name for the endpoint or pick one from the drop-down list.
In Protocol, specify either TCP or UDP.
In Public Port and Private Port, type port numbers that you want to use. These port numbers can be different. The public port is the entry point for communication from outside of Windows Azure and is used by the Windows Azure load balancer. You can use the private port and firewall rules on the virtual machine to redirect traffic in a way that is appropriate for your application.
Click Create a load-balancing set if this endpoint will be the first one in a load-balanced set. Then, on the Configure the load-balanced set page, specify a name, protocol, and probe details. Load-balanced sets require a probe so the health of the set can be monitored. For more information, see Load Balancing Virtual Machines.
Click the check mark to create the endpoint.
You will now see the endpoint listed on the Endpoints page.
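The same endpoint work can be scripted with the classic Azure PowerShell (Service Management) cmdlets instead of clicking through the portal. This is an added example, not part of the original post; the cloud service name, VM names, endpoint names and the admin subnet in it are assumptions.

```powershell
# Added example (not from the original post): endpoints via the classic Azure PowerShell module.
# Assumed names: cloud service "AZR-Lab-Svc", VMs "AZR-Lab-Web01" / "AZR-Lab-Infra01",
# default endpoint name "RemoteDesktop", admin subnet 203.0.113.0/24 (documentation range).
$service = "AZR-Lab-Svc"
$vmName  = "AZR-Lab-Web01"

# 1. Inspect the endpoints the portal created with the VM (Port = public, LocalPort = private).
Get-AzureVM -ServiceName $service -Name $vmName | Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort, LBSetName

# 2. Add an HTTP endpoint for the WordPress box. The public port (what the Azure load
#    balancer exposes) and the private port (what the VM listens on) may differ: 8080 -> 80.
Get-AzureVM -ServiceName $service -Name $vmName |
    Add-AzureEndpoint -Name "HTTP" -Protocol tcp -PublicPort 8080 -LocalPort 80 |
    Update-AzureVM

# 3. Add an HTTPS endpoint as the first member of a load-balanced set. A probe is required
#    so the set's health can be monitored; here an HTTP GET on /health against port 80.
Get-AzureVM -ServiceName $service -Name $vmName |
    Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -PublicPort 443 -LocalPort 443 `
        -LBSetName "WebLB" -ProbeProtocol http -ProbePort 80 -ProbePath "/health" |
    Update-AzureVM

# 4. Restrict the RemoteDesktop endpoint with a network ACL: once a Permit rule exists,
#    traffic from any other source on that public port is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "203.0.113.0/24" -Order 1 `
    -Description "Admin office only" -ACL $acl
Get-AzureVM -ServiceName $service -Name $vmName |
    Set-AzureEndpoint -Name "RemoteDesktop" -ACL $acl |
    Update-AzureVM

# 5. For a back-end box on AZR-Lab-Infra, remove the public endpoints entirely so no
#    public IP/port mapping is created for it at all.
Get-AzureVM -ServiceName $service -Name "AZR-Lab-Infra01" |
    Remove-AzureEndpoint -Name "RemoteDesktop" |
    Update-AzureVM
```

Run step 1 again afterwards to confirm the public/private port mapping and LBSetName match what you intended before exposing the service.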
As you can see, it’s a great way to extend your network and still retain control over how those machines are accessed.