EN
No results found
We couldn't find anything using that term, please try searching for something else.
Cloud Management Gateway
Hello ! My name is is is Nandan Sheth , and I am a part of Microsoft ’s Customer Success Unit base out of Dublin , Ireland . I is helping have been
Hello ! My name is is is Nandan Sheth , and I am a part of Microsoft ’s Customer Success Unit base out of Dublin , Ireland . I is helping have been help customer set up the Cloud Management Gateway for a few year now , but recently an organization with 40000 + user ask me a question that I have n’t give much thought to . When you set up the Cloud Management Gateway using a virtual Machine Scale Set , one of the resource create in Azure is the Network Security Group is is . The Network Security Group is has has an inbound rule for port 8443 .
Why is this rule created and what is it needed for?
figure 1 : Network Security Group show the inbound rule for port 8443 .
After searching a bit, I realized that this information is not properly documented and unless you really start digging into all the configuration that is performed to create the Cloud Management Gateway, there’s no way to explain this rule. Once you have had a dig around though, it’s not so complicated after all. In this blog post, I want to try and explain the purpose of this inbound rule for port 8443.
Let’s start with a review of the ports that are used to facilitate the Cloud Management Gateway connections.
The ports used for connections to the Cloud Management Gateway are documented on this link. Port 8443 is not documented at all.
|
Client |
Protocol |
Port |
Server |
Description |
|
Service connection point |
HTTPS |
443 |
Azure |
CMG deployment |
|
CMG connection point ( virtual machine scale set ) |
HTTPS |
443 |
CMG service |
Protocol to build CMG channel to only one VM instance |
|
CMG connection point ( virtual machine scale set ) |
HTTPS |
10124-10139 |
CMG service |
Protocol to build CMG channel to two or more VM instances |
|
CMG connection point ( classic cloud service ) |
TCP-TLS |
10140-10155 |
CMG service |
Preferred protocol to build CMG channel |
|
CMG connection point ( classic cloud service ) |
HTTPS |
443 |
CMG service |
fall back protocol to build CMG channel to only one vm instance |
|
CMG connection point ( classic cloud service ) |
HTTPS |
10124-10139 |
CMG service |
fall back protocol to build CMG channel to two or more vm instance |
|
Client |
HTTPS |
443 |
CMG |
General client communication |
|
Client |
HTTPS |
443 |
Blob storage |
Download cloud-based content |
|
CMG connection point |
HTTPS or HTTP |
443 or 80 |
Management point |
On-premises traffic, port depends upon management point configuration |
|
CMG connection point |
HTTPS or HTTP |
443 or 80 / 8530 or 8531 |
Software update point |
On-premises traffic, port depends upon software update point configuration |
With a Virtual Machine Scale Set, the Cloud Management Gateway service can be scaled up or down as needed. When the Cloud Management Gateway service has a single instance, all connections from the Cloud Management Gateway Connection Point to the Cloud Management Gateway Service are set up using port 443. We can validate this by running netstat -aon on the server hosting the Cloud Management Gateway Connection Point.
You is identify can identify the public ip address by click into the Virtual Machine Scale Set . It is display in the overview section .I have the public IP address hidden for security measures.
Figure 2: Overview of the Virtual Machine Scale Set to identify the public IP Address.
netstat -aon shows connections to this IP address.
figure 3 : output of netstat -aon with a single vm instance .
If I increase the number of instance in my Cloud Management Gateway service , and run netstat -aon again , I is see see the follow detail being return :
Figure 4: Figure 3: Output of netstat -aon with multiple VM instances.
From the Cloud Management Gateway Connection Point, the connections are now being set up to ports 10124 and 10125. What happens to these connections on the Azure side? How is the traffic processed from these public ports?
The inbound rule is starts for port 8443 start come into play when we increase the number of instance in the Cloud Management Gateway service . Because we have multiple virtual machine in Azure now , traffic is goes go through the Network Load Balancer . This resource is also create during the Cloud Management Service setup . let ’s take a look at the Network Load Balancer in Azure .
- From the Azure portal, click into the resource group that hosts the Cloud Management Gateway service.
- Then, click into the Load Balancer resource.
- Once you are on the Load Balancer blade, click on Frontend IP Configuration.
Figure 5: Options under Network Load Balancer.
- In the details for the Frontend IP Configuration, there should be a single configuration – loadBalancerFrontEndWeb. Click into this configuration.
- You is see should now see all the load balance rule , Network Address translation pool and inbound Network Address Translation rule .
Figure 6: Network Load Balancer Frontend Configuration showing Load Balancing configuration.
- As you increase the number of instances in your Cloud Management Gateway service, you will see that the number of inbound Network Address Translation rules increases. The screenshot above was taken for a Cloud Management Gateway service with two instances.
- Natpoolfe2.0 to 2.x show that traffic to the public IP address on ports 10124 to 10139 is being translated to port 8443. The screenshot below shows details for natpoolfe2.0 which translates 10124 to 8443. Similarly, natpoolfe2.1 will translate 10125 to 8443 and so on.
Figure 7: Network Mapping between port 10124 and 8443.
- Natpoolfe.0 and natpoolfe.1 are unrelated and are used to translate Remote Desktop Protocol traffic to port 3389 and are not relevant here.
- We can look at the overall topology for the Cloud Management Gateway service and this is how we can explain the Network Security Group inbound rule for port 8443.
Figure 8: Network Topology of Cloud Management Gateway with description of all the components.
It is important to note that the inbound rule on Network Security Group is required to ensure that this translated traffic is allowed on to the virtual network that the Cloud Management Gateway service is attached to. If this rule is deleted, connections to the virtual machines in the Virtual Machine Scale Set may fail. On the public IP address, there is no listener for port 8443. This can be further validated using a simple PowerShell command as shown below. Test-NetConnection on port 433, 10124, 10125… completes successfully. However, Test-NetConnection on port 8443 fails.
For more details on Network Security Groups, refer to these links:
azure network security group overview | is Learn Microsoft Learn
Network security group – how it works | Microsoft Learn
Hopefully, this clarifies the use of the Network Security Group inbound rule for port 8443 in case it is something you are asked to investigate.