VB Magic


Connecting an Azure Web Role to an existing Virtual Network connected to company WAN

Filed under: Azure — Tags: , , , , , , — vbmagic @ 3:34 pm

I’ve just been trying to deploy an Azure web role so that it would be available on our company WAN. This is easy for a VM as you just need to specify the Virtual Network when you create the VM. But for a Cloud Service it’s not so straight forward. It turned out to be pretty simple though once I had done some research. The first thing that needs to happen is a small change to the ServiceConfiguration.Cloud.csfg file.

    <VirtualNetworkSite name="myVirtualNetwork" />
      <InstanceAddress roleName="myWebSite">
          <Subnet name="MySubNet" />

The VirtualNetworkSite name is the name of your Virtual Network.
InstanceAddress roleName is the name of the Web Role in your Cloud Service (Usually the name of your website in your solution).
Subnet name can be found on your Virtual Network Address Spaces section on the Configure tab of your virtual network.

Once that is done and you deploy your website (Make sure you deploy in the same datacentre as the virtual network), you should be able to access your site on the internal network.

In my case there was still a problem. This was an internal site but by default, it was accessible via the Cloud Service’s cloudapp.net address. I did the following things to fix this:

First Double click the role in the Cloud Server project of your solution in Visual Studio. Select Endpoints and change the default end point from External to Internal. Then 80 in the private port.

If you deployed now you would no longer be able to access the website via the external cloudapp.net address. But there is a problem, the Cloud Service’s internal firewall will block port 80 making it impossible to connect to via the internal network as well.

To get around the firewall issue, I created a .bat file and added it to the website project and set “Copy to Output Directory” to “Always”. The bat file contained one command:

netsh advfirewall firewall add rule name="HTTP IN" dir=in action=allow service=any enable=yes profile=any localport=80 protocol=tcp

I then modified the ServiceDefinition.csdef file to add an elevated task just after the WebRole element. (It has to be elevated as netsh will require admin privileges)

  <WebRole name="myWebSite" vmsize="Small">
      <Task commandLine="fwrules.bat" executionContext="elevated" taskType="simple" />

Once this was deployed the site was blocked from the internet but available on the internal network.

Blog at WordPress.com.