Aspnetcore.docs: Clarify Azure NSG and VM/server firewall port config

Created on 20 Feb 2019 · 16 Comments · Source: dotnet/AspNetCore.Docs

Following this guide to the best of my ability, I'm still getting timeouts when deploying a WebAPI app with Http.Sys to my Azure VM.

  • The app successfully runs on the server and receives requests from browser on server using local IP
  • The netsh command successfully ran netsh http add urlacl url=REDACTED user=Users
  • The firewall ports are open for TCP inbound 80 and 443
  • URL prefix added correctly to options in program.cs

What am I missing? Why am I getting 502's?




All 16 comments

Hello @porschiey ... Did you open the ports for the Network Security Group for the VM in the Azure portal? It's not enough to only open ports in the VM's firewall, the ports must also be open in the NSG.

Yes, ports are open on the nsg as well for 80 and 443.

Cool ... and you're running the app using an account with admin privileges?

... and I guess u looked at Event Viewer and nothing is showing following a request to the app?

Yup, running the app in PS as Admin:
[image]

I didn't check event logs, one moment...
Event logs show no requests making it to the app, not even the local IP ones. No errors, either. The only thing I can find is the System \ HttpEvent logs showing from netsh. Let me know if I should be looking for something and in a specific place.

The console output from running the app in PS shows local IP requests coming in, but remains idle when attempting public IP. I noticed that IP forwarding was Disabled on the IP configurations for the VM, and enabled it, but I'm still getting timeouts.

PS: Thanks for troubleshooting this with me.

I didn't work the process in Azure ... unfortunately!

AFAIK, when the local IP is registered, the public IP should work.

Just _for a second (this is a security risk!)_, set the UrlPrefixes to a wildcard ...

options.UrlPrefixes.Add("http://*:80/");

Recompile ... redeploy ... rerun. Just curious to see if this is more of a "the requests aren't reaching the app" or a "the app isn't listening for requests" problem.

Attempting....
Console read out:
[image]

Result: 502
Fiddler screenshot:
[image]

System.Net.Sockets.SocketException A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

Sounds like it's "requests aren't reaching the app" -- I'll keep fiddling with settings...

List the reserved URLs and confirm that the VM's local IP address and port are there ...

netsh http show urlacl

Example if http://10.0.0.4:80 and https://10.0.0.4:443 are registered ...

[image]

For the record, I'm not using 443 to simplify my test approach. I haven't made a cert, therefore I haven't bound one to a port. So my config is only using 80. Also, the vnet/ip forwarding on the VM gave me a different local IP address.

All that said, yes, I see the reserved URL after running that command:
[image]

I also found this one in the list - not sure if it matters:
[image]

Should I be using a different user to register the url with netsh other than Users ?

Should I be using a different user to register the url with netsh other than Users ?

Admins are Users, so that should be ok.

Since the app runs locally, rubber :duck: says that this is going to be an IP registration problem.

I'm free now, so I'd like to repro this here. Can you wait an hour or two for me to try? I'm pretty good at beating a server and app into submission. 👊 If I can't get it to behave, then I know who to ping ... a super-engineer who I owe six cases of :beer:. We'll just make that a seven cases! I'm sure he won't care if it comes to that.

Sure thing @guardrex. Happy to zip up my code, as well, if you need it.

I'll ping u back in a bit ... an hour (or three) depending on repo activity. Let me see what happens here. If it fails here, then engineering will give us a hand.

FYI - I got it to spit back 503, by going into the VM's firewall (via RDP, not via Azure Portal) and enabling traffic for port 80. Not sure why I'm getting "Service is Unavailable now" but I'll keep poking.

EDIT: Got it to work.
After adding that rule to the VM's firewall via RDP and changing the UrlPrefix back to my local IP instead of wildcard, I'm getting 200's.

So... this seems to be a bug with Azure somehow - opening up the port in portal for the VM didn't seem to actually open up the port.

Booyeah! .... :tada: 🎈 :beers:

I'm not happy with such brief coverage in the topic between:

  • NSG (Azure)
  • VM firewall ports

Leave this issue open. I'd like to flesh this out a bit more and clarify. Both are covered in the same list item, and that's not the most effective documentation approach. It also doesn't link to anything that helps clarify the difference/process between them. I'll ping u on the PR later to see the updates, and you can provide feedback on the PR. Thanks for opening this issue. Sorry u had to go thru all of that. Glad it had a happy :smile: ending.
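
Added example (not part of the original thread or the ASP.NET Core docs): a PowerShell check, run on the VM in an elevated session, of the host-side layers the thread works through, namely the HTTP.sys URL reservation, the listener, and the Windows Firewall inbound rule. The Azure NSG is a separate layer and is not inspected here; `$Port`, `$Prefix`, `$CreateRule` and the rule name are assumptions to replace with your own values.

```powershell
# Assumed values: use the port and prefix your app passes to UrlPrefixes.Add().
$Port       = 80
$Prefix     = 'http://10.0.0.4:80/'   # constructed sample: the VM's private IP, not a wildcard
$CreateRule = $false                  # set to $true to add the firewall rule when none exists

# 1. URL reservation: is the exact prefix reserved with HTTP.sys?
$reserved = [bool](netsh http show urlacl | Select-String -SimpleMatch $Prefix)
"URL ACL reserved for {0}: {1}" -f $Prefix, $reserved

# 2. Listener: is anything on this machine listening on the port?
#    With HTTP.sys the owning process is normally System (PID 4).
$listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
"Listening on TCP {0}: {1}" -f $Port, $listening

# 3. Windows Firewall: enabled inbound allow rules that name this TCP port.
#    Rules that cover the port through a range or 'Any' are not matched here.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains "$Port")
    }

if ($rules) {
    "Inbound allow rules for TCP {0}: {1}" -f $Port, ($rules.DisplayName -join ', ')
}
elseif ($CreateRule) {
    # Scoped to one protocol and one port rather than opening the app to everything.
    New-NetFirewallRule -DisplayName "HTTP.sys app TCP $Port (example)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
    "Created inbound allow rule for TCP $Port"
}
else {
    "No inbound allow rule names TCP $Port; the NSG rule alone will not let traffic in"
}

# 4. From a client outside Azure, after the NSG and firewall both allow the port:
#    Test-NetConnection -ComputerName <public-ip> -Port 80
```

A timeout with steps 1 and 2 passing and step 3 empty matches the situation resolved in the thread: the NSG allowed the port but the VM's own firewall did not.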
