How to get Azure Logic App Outbound IP addresses in pipeline - azure-logic-apps

I'm trying to whitelist a logic app through the Azure SQL server firewall. For that, in an Azure DevOps pipeline, I need to get its or its connector's outbound IP addresses. For web apps I usually use this PowerShell command:
(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).OutboundIpAddresses
How do I achieve the same thing for a logic app/API connector? I also read that the IPs for logic apps are the same per region; is there a PowerShell command to get those IPs and avoid hardcoding?

Please try this way:
$myLogicApp = Get-AzureRmResource -ResourceGroupName "<your-resourcegroup-name>" -ResourceType Microsoft.Logic/workflows -ResourceName "<your-logic-app-name>"
$myLogicApp.Properties.endpointsConfiguration.workflow.outgoingIpAddresses
$myLogicApp.Properties.endpointsConfiguration.connector.outgoingIpAddresses
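The pipeline step the question asks for, as an added example that is not part of the original answer: it reads both outgoing IP lists from the logic app resource and creates or updates one Azure SQL firewall rule per address. It assumes the Az module (Get-AzResource, New/Set-AzSqlServerFirewallRule) instead of the retired AzureRm module used above, and that the three placeholder names are replaced.

```powershell
# Added example (not from the original answer). Assumes the Az PowerShell module and
# placeholder resource names; connector lists may contain CIDR blocks, which are expanded.
param(
    [string]$ResourceGroup = '<resource-group>',
    [string]$LogicAppName  = '<logic-app-name>',
    [string]$SqlServerName = '<sql-server-name>'   # short name, without .database.windows.net
)

function ConvertTo-IpRange {
    # Firewall rules take a start/end pair, so turn "a.b.c.d" or "a.b.c.d/n"
    # into the first and last address of that block (a single IP is a /32).
    param([string]$Cidr)
    $addr, $prefix = $Cidr.Split('/')
    if (-not $prefix) { $prefix = 32 }
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    [Array]::Reverse($bytes)                          # network order -> little-endian
    $value    = [BitConverter]::ToUInt32($bytes, 0)
    $hostBits = [uint32]::MaxValue -shr [int]$prefix  # 2^(32-n) - 1
    $start    = $value -band ([uint32]::MaxValue - $hostBits)
    foreach ($n in $start, ($start + $hostBits)) {
        $b = [BitConverter]::GetBytes([uint32]$n); [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).IPAddressToString
    }
}

$app = Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.Logic/workflows' `
                      -Name $LogicAppName -ExpandProperties
$cfg = $app.Properties.endpointsConfiguration
# Both lists matter: calls the workflow makes itself and calls made through managed connectors.
$ips = @($cfg.workflow.outgoingIpAddresses.address) + @($cfg.connector.outgoingIpAddresses.address) |
       Where-Object { $_ } | Sort-Object -Unique

foreach ($ip in $ips) {
    $start, $end = ConvertTo-IpRange $ip
    $ruleName = "logicapp-$LogicAppName-" + ($ip -replace '[./]', '-')   # one rule per address
    $existing = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
                    -FirewallRuleName $ruleName -ErrorAction SilentlyContinue
    $cmd = if ($existing) { 'Set-AzSqlServerFirewallRule' } else { 'New-AzSqlServerFirewallRule' }
    & $cmd -ResourceGroupName $ResourceGroup -ServerName $SqlServerName -FirewallRuleName $ruleName `
           -StartIpAddress $start -EndIpAddress $end | Out-Null
    "$cmd $ruleName $start-$end"
}
```

Because these addresses are shared per region, the rules admit every logic app in that region, not only yours; the SQL login and database permissions remain the real access boundary.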

Related

Azure SQL Server Firewall rules - using public IP, how to connect with mobile devices like laptops?

Mobile devices like laptops connect through different public IP addresses every day, so it is not very handy to create SQL Server firewall rules for them with public IPs.
What is the best way to connect with mobile devices to my Azure SQL Server? I found a lot of ideas online, but none so far seems to be secure and easy to use.
A VPN would probably be the answer if you're annoyed by having to go to the portal to add your IP.
I take it this question is purely for development, since your end-product wouldn't connect directly.
An alternative would be to have a script that adds your current external IP to the firewall exclusions; you can use something like this:
$ip = ((iwr httpbin.org/ip -UseBasicParsing).content | convertfrom-json).origin
Set-AzSqlServerFirewallRule -ResourceGroupName rg1 -ServerName svc1 -FirewallRuleName rule1 -StartIpAddress $ip -EndIpAddress $ip
You have to precreate the rule first (or just use New-AzSqlServerFirewallRule to create a new rule every time).

Google Kubernetes Engine Service Unable To Connect To Snowflake

I deployed a service to GKE on Google Cloud Platform, but unfortunately, Snowflake is blocking the IP Address. I think Snowflake only enables connections to IP Addresses that have been whitelisted, so I tried creating a cluster in the appropriate Network. But when I expose the service, I still run into the error.
I have also created an App Engine instance as well in the appropriate network, and it still doesn't let me connect to Snowflake.
Error Message:
DatabaseError: (snowflake.connector.errors.DatabaseError) 250001 (08001): None: Failed to connect to DB: IP [XXXXXXX] is not allowed to access Snowflake. Contact your local security administrator.\n(Background on this error at: http://sqlalche.me/e/4xp6)\nINFO:snowflake.connector.connection:closed\nINFO:snowflake.connector.connection:closed\n
Your snowflake application only accepts requests from whitelisted IPs which means you need to have a specific IP, or a set of specific IPs that are calling snowflake.
By default, GKE will not do this.
When a request from one of your pods tries to reach outside the cluster to contact Snowflake, the pod IP is SNATed to the node's IP address. Both nodes and node IPs are dynamic and stateless, so you can't make sure specific IPs are used.
Instead, consider using Cloud NAT with GKE. This will ensure that all requests from your GKE cluster will use the same IP address. You can then just whitelist the Cloud NAT IP on snowflake.

Create WSFC for AlwaysON AG

PowerShell Script
New-Cluster -Name "DI-XXX-YY-CLUSTER" -Node "di-XXX-YY-db1","di-XXX-YY-db2" -NoStorage -StaticAddress 172.17.XX.YYY
Set-ClusterQuorum -NodeAndFileShareMajority "\\DI-XXX-YY-WS1\ClusterQuorum"
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { mkdir c:\Quorum}
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { New-SmbShare -Name "Quorum" -Path "c:\Quorum" -FullAccess "didevtest.local\DI-XXX-YY-CLUSTE"}
Add-ClusterNode -Cluster "DI-XXX-YY-CLUSTER" -Name "di-XXX-YY-db2" -NoStorage
Server Manager on the second node (di-XXX-YY-db2) shows a warning:
Incomplete communication with DI-XXX-YY-CLUSTER. The following nodes
or cluster roles might be offline or have connectivity issues
Server Manager -> All Servers
The Server Manager refresh fails on the second node (di-XXX-YY-db2).
Windows error log entries:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server di-XXX-XX-db1$. The target name used was
MSServerClusterMgmtAPI/DI-XXX-XX-CLUSTER.didevtest.local. This
indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target
service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target
service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that
the service on the server and the KDC are both configured to use the
same password. If the server name is not fully qualified, and the
target domain (DIDEVTEST.LOCAL) is different from the client domain
(DIDEVTEST.LOCAL), check if there are identically named server
accounts in these two domains, or use the fully-qualified name to
identify the server.
DCOM was unable to communicate with the computer
DI-XXX-XX-CLUSTER.didevtest.local using any of the configured
protocols; requested by PID 14d4
(C:\Windows\system32\ServerManager.exe).
You are creating a Windows Server Failover Cluster (WSFC), not an FCI. FCI is the clustered instance of SQL Server.
That said, check networking (including DNS), firewall, and most importantly, AD. If the WSFC is not coming online, it could be any of these things. Make sure that the CNO is precreated or the account creating the WSFC has rights to create objects in AD. If the object is there but not in DNS, similar issue - make sure DNS is right.
Also, why are you running Add-ClusterNode? The WSFC is being formed with both nodes in New-Cluster.
Check the logs and Event Viewer. They will give you a clue as to why things are messed up.
One NIC is fine if it's virtualized. There are cases where you would have two NICs (always in physical). Do you have two NICs in one server but not the other?
Also read all the text and not just go by the yellow/green/blue. Sometimes the problem is in the notes.
That said, again, go check SPNs and DNS. Look for things like duplicate or stale DNS records or duplicate SPNs.
You can search for "KRB_AP_ERR_MODIFIED cluster" on the web to see quite a few different solutions, but most are DNS related (including what I mentioned).
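A diagnostic for the SPN and DNS checks the answer recommends, added here and not part of the original answer: it lists which AD accounts hold the cluster's MSServerClusterMgmtAPI and HOST SPNs (more than one owner is the duplicate-SPN condition behind KRB_AP_ERR_MODIFIED) and how many A records the cluster and node names resolve to. It assumes the RSAT ActiveDirectory and DnsClient modules and the placeholder names from the question.

```powershell
# Added diagnostic (not from the original answer). Assumes RSAT ActiveDirectory/DnsClient
# modules and placeholder cluster, domain and node names taken from the question.
param(
    [string]$ClusterName = 'DI-XXX-YY-CLUSTER',
    [string]$Domain      = 'didevtest.local',
    [string[]]$Nodes     = @('di-XXX-YY-db1', 'di-XXX-YY-db2')
)
Import-Module ActiveDirectory

function Get-SpnOwners {
    # Every AD object with this exact SPN registered; more than one means a duplicate.
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Select-Object -ExpandProperty DistinguishedName
}

function Get-ARecords {
    # A records only, so CNAME/SOA answers do not inflate the count.
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
}

$fqdn = "$ClusterName.$Domain"
# 1. The cluster name object (CNO) must exist and be enabled before SPNs can hang off it.
$cno = Get-ADComputer -Filter "Name -eq '$ClusterName'"
if (-not $cno) { "MISSING   CNO $ClusterName not found in AD" }
elseif (-not $cno.Enabled) { "DISABLED  CNO $ClusterName" }
else { "OK        CNO $($cno.DistinguishedName)" }

# 2. SPN ownership: exactly one account per SPN, and it should be the CNO.
foreach ($spn in "MSServerClusterMgmtAPI/$ClusterName", "MSServerClusterMgmtAPI/$fqdn",
                 "HOST/$ClusterName", "HOST/$fqdn") {
    $owners = @(Get-SpnOwners -Spn $spn)
    switch ($owners.Count) {
        0       { "MISSING   $spn" }
        1       { "OK        $spn -> $($owners[0])" }
        default { "DUPLICATE $spn -> $($owners -join ' ; ')" }
    }
}

# 3. DNS: a single-subnet cluster name and each node should resolve to exactly one address.
foreach ($name in @($fqdn) + @($Nodes | ForEach-Object { "$($_).$Domain" })) {
    $records = @(Get-ARecords -Name $name)
    if ($records.Count -eq 1) { "OK        $name -> $($records[0])" }
    else { "CHECK DNS $name resolves to $($records.Count) A record(s): $($records -join ', ')" }
}
```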

How to validate and configure existing VNet/subnet for Azure SQL Managed Instance

Azure SQL database - Managed Instance must be placed in Azure VNet in dedicated subnet within the VNet. There are some special requirements that VNet and subnet must satisfy that are described here: https://medium.com/azure-sqldb-managed-instance/the-ultimate-guide-for-creating-and-configuring-azure-sql-managed-instance-environment-91ff58c0be01
What is the easiest way to check whether an existing Azure VNet/subnet is configured according to the requirements, and to fix issues and configure the VNet/subnet in order to deploy a Managed Instance in the existing VNet/subnet?
The Azure docs describe how to configure an existing VNet/subnet to deploy Managed Instances in it - see https://learn.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-configure-vnet-subnet
You should use the following script and fill in the subscription id, VNet and subnet names:
$scriptUrlBase = 'https://raw.githubusercontent.com/Microsoft/sql-server-samples/master/samples/manage/azure-sql-db-managed-instance/prepare-subnet'
$parameters = @{
subscriptionId = '<subscriptionId>'
resourceGroupName = '<resourceGroupName>'
virtualNetworkName = '<virtualNetworkName>'
subnetName = '<subnetName>'
}
Invoke-Command -ScriptBlock ([Scriptblock]::Create((iwr ($scriptUrlBase+'/prepareSubnet.ps1?t='+ [DateTime]::Now.Ticks)).Content)) -ArgumentList $parameters
The script has the following steps:
Validate - The selected virtual network and subnet are validated against the Managed Instance networking requirements.
Report & confirm - The script shows the set of changes that need to be made to prepare the subnet for Managed Instance deployment and asks for consent.
Prepare - The virtual network and subnet are modified by the script and configured properly.

GAE script to authorize networks on CloudSQL

I am working on a project where I need access to Cloud SQL, but my IP address is frequently changing (10 times a day or more). Is there a way to tell Cloud SQL about my new IP address using scripting to allow access from it? At the moment I have to use the Cloud Console, but if I could write a script.
I have just found out that on the Cloud Console in Access Control, one can use a DNS name, rather than just an IP. Google is pretty awesome.
So in Access Control simply put a Domain Name as allowed access, and use a simple no-ip service like ddns.net to keep the domain name up to date with the dynamic ip.
When accessing Cloud SQL from AppEngine, you don't have to authorize the IP address. You must authorize the AppEngine application as described here.
EDIT:
If this is your local (ISP) IP address that keeps changing, then maybe you can set up an SSH tunnel:
Create an instance on Compute Engine; it can be the cheapest one.
SSH to the instance with the params -L 3306:cloudsqlip:3306
Now authorize the IP address of the Compute instance (no need for a static IP; the ephemeral one works). You should be able to connect on your local machine to 127.0.0.1:3306, and your traffic will be tunneled to your Cloud SQL instance.