I have been working to get a Citrix Netscaler up and running in Azure. It has not been easy, as all the documentation is for ASM.
Our network configuration has IPSec tunnels going from OnPrem to Azure, and I have created two SubNets in Azure – a DMZ and a LAN. The DMZ has the following Outbound NSG rules (ACLs) for the NetScaler to talk to a LAN SubNet.
Get-AzureRmNetworkSecurityGroup -ResourceGroupName ResourceGroupName |
    Select SecurityRules -ExpandProperty SecurityRules |
    where {$_.Direction -eq "Outbound"} |
    Select Priority,Name,Protocol,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Access |
    Sort-Object Priority |
    ft -AutoSize
DMZ Netscaler = 192.10.8.100
LAN DC = 192.10.9.10
Priority Name Protocol SourceAddressPrefix SourcePortRange DestinationAddressPrefix DestinationPortRange Access
-------- ---- -------- ------------------- --------------- ------------------------ -------------------- ------
101 LDAP_From_NSIP TCP 192.10.8.100 * 192.10.9.10 389 Allow
102 DNSUDP_From_NSIP Udp 192.10.8.100 * 192.10.9.10 53 Allow
103 DNSTCP_From_NSIP TCP 192.10.8.100 * 192.10.9.10 53 Allow
104 RADIUS_From_NSIP Udp 192.10.8.100 * 192.10.9.10 1812 Allow
4095 Subnet_To_Internet * * * Internet * Allow
4096 Deny_All_Outbound * * * * * Deny
As you can see, I add a DenyAll at the end even though there is one in the DefaultSecurityRules. I just like to see it there. I find it comforting.
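As an added example (not the author's script), this is how the rule set above, including the explicit deny-all, can be built with the AzureRM cmdlets. The resource group and NSG names are placeholders; the IPs, ports and rule names are the ones from the table.

```powershell
# Added example, not the post's own code. Resource group and NSG name are assumed.
$rgName  = 'ResourceGroupName'   # assumed resource group
$nsgName = 'DMZ-NSG'             # assumed NSG attached to the DMZ subnet
$nsip    = '192.10.8.100'        # NetScaler NSIP (from the post)
$lanDc   = '192.10.9.10'         # Azure LAN DC (from the post)

$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# One allow rule per service, scoped to the NSIP as source and the LAN DC as destination
$allow = @(
    @{ Name = 'LDAP_From_NSIP';   Protocol = 'Tcp'; Port = '389';  Priority = 101 },
    @{ Name = 'DNSUDP_From_NSIP'; Protocol = 'Udp'; Port = '53';   Priority = 102 },
    @{ Name = 'DNSTCP_From_NSIP'; Protocol = 'Tcp'; Port = '53';   Priority = 103 },
    @{ Name = 'RADIUS_From_NSIP'; Protocol = 'Udp'; Port = '1812'; Priority = 104 }
)
foreach ($r in $allow) {
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $r.Name -Direction Outbound -Access Allow `
        -Protocol $r.Protocol -Priority $r.Priority `
        -SourceAddressPrefix $nsip -SourcePortRange '*' `
        -DestinationAddressPrefix $lanDc -DestinationPortRange $r.Port | Out-Null
}

# Subnet-wide Internet egress, followed by the explicit deny-all catch-all
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'Subnet_To_Internet' -Direction Outbound -Access Allow `
    -Protocol '*' -Priority 4095 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*' | Out-Null
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'Deny_All_Outbound' -Direction Outbound -Access Deny `
    -Protocol '*' -Priority 4096 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null

# Nothing is applied until the modified NSG object is written back
$nsg | Set-AzureRmNetworkSecurityGroup
```

Add-AzureRmNetworkSecurityRuleConfig only changes the in-memory object; the final Set-AzureRmNetworkSecurityGroup is what pushes the rules to Azure.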
I found that from the Netscaler, I could do a DNS lookup against my OnPrem DC. How can that be?
Rules 101-104 are only for the Azure LAN DC. Then I DenyAll with 4096.
How can the Netscaler look up via the OnPrem DC?
I am DenyingAll!
I was pulling my hair out.
I realized that I had never changed my DNS server settings for my Virtual Network in Azure (I needed it to join the domain for the local DC when I built it!). I forgot to switch it to the local Azure LAN DC.
Therefore, even though there is a DenyAll in my NSG rules, there has to be a Hidden or UnDocumented rule that allows queries to the DNS servers listed in the Virtual Network settings.
As soon as I changed the DNS server settings to the local Azure LAN DC, I could no longer query the OnPrem DC.
I understand why it is there. If you put in a DenyAll (like I did), Windows Servers will panic. They do not like it if they can’t access a DNS server.
I think Azure needs to move the DNS server settings down to the SubNet level, since all VMs are DHCP (Reservations). If they do this, a DMZ and LAN can use different DNS server settings, or none at all.
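The following PowerShell is an added check, not part of the original post. It reads the Virtual Network's custom DNS servers, walks the NSG's outbound rules (custom and default) in priority order to find which rule would decide a UDP/53 packet to each server, warns when the VNet still points somewhere other than the Azure LAN DC, and with -Fix repoints the VNet at that DC. Resource group, VNet and NSG names are placeholders, and service-tag prefixes such as Internet or VirtualNetwork cannot be expanded offline, so rules using them are reported separately rather than evaluated.

```powershell
# Added example, not the author's script. Resource names and the assumption that
# the NSG is the one attached to the DMZ subnet are placeholders for illustration.
param(
    [string]$ResourceGroupName = 'ResourceGroupName',
    [string]$VNetName          = 'Azure-VNet',    # assumed VNet name
    [string]$NsgName           = 'DMZ-NSG',       # assumed DMZ NSG name
    [string]$AzureLanDc        = '192.10.9.10',   # LAN DC from the post
    [switch]$Fix
)

function ConvertTo-UInt32 {
    # Dotted-quad IPv4 -> unsigned integer so prefixes can be compared with shifts
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)       # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInPrefix {
    # True when $Ip is inside a literal IP or CIDR prefix, or the prefix is '*'.
    # Service tags (Internet, VirtualNetwork, ...) cannot be expanded offline: return $false.
    param([string]$Ip, [string]$Prefix)
    if ($Prefix -eq '*') { return $true }
    if ($Prefix -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') { return $false }
    $net, $len = $Prefix.Split('/')
    $len = if ($len) { [int]$len } else { 32 }
    if ($len -eq 0) { return $true }
    return ((ConvertTo-UInt32 $Ip) -shr (32 - $len)) -eq ((ConvertTo-UInt32 $net) -shr (32 - $len))
}

function Test-PortInRange {
    # True when $Port is covered by a range such as '*', '53' or '1024-65535'
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range.Split('-')
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
$nsg  = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
$dnsServers = @($vnet.DhcpOptions.DnsServers)
if ($dnsServers.Count -eq 0) {
    Write-Host "$VNetName uses Azure-provided DNS (no custom servers set)."
    return
}

# Outbound rules, custom and default, in the order the platform evaluates them
$outbound = @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Where-Object { $_.Direction -eq 'Outbound' } |
    Sort-Object Priority

foreach ($server in $dnsServers) {
    # First literal-prefix rule matching a UDP/53 packet to this server decides the verdict
    $decider = $outbound | Where-Object {
        ($_.Protocol -eq '*' -or $_.Protocol -eq 'Udp') -and
        (Test-IPInPrefix -Ip $server -Prefix $_.DestinationAddressPrefix) -and
        (Test-PortInRange -Port 53 -Range $_.DestinationPortRange)
    } | Select-Object -First 1

    # Service-tag rules ahead of the decider could change the verdict; list them for manual review
    $tagged = $outbound | Where-Object {
        $_.DestinationAddressPrefix -notmatch '^(\*|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$' -and
        ($_.Protocol -eq '*' -or $_.Protocol -eq 'Udp') -and
        (Test-PortInRange -Port 53 -Range $_.DestinationPortRange) -and
        ($null -eq $decider -or $_.Priority -lt $decider.Priority)
    }

    if ($null -eq $decider) {
        Write-Warning "DNS server $server : no literal-prefix outbound rule matched UDP/53."
    } elseif ($decider.Access -eq 'Allow') {
        Write-Host "DNS server $server : allowed by rule $($decider.Priority) ($($decider.Name))"
    } else {
        Write-Warning "DNS server $server : denied by rule $($decider.Priority) ($($decider.Name))"
    }
    if ($tagged) {
        Write-Warning "  service-tag rules evaluated first, check by hand: $(@($tagged.Name) -join ', ')"
    }
    if ($server -ne $AzureLanDc) {
        Write-Warning "VNet DNS still points at $server rather than the Azure LAN DC $AzureLanDc."
    }
}

if ($Fix -and ($dnsServers -notcontains $AzureLanDc)) {
    # Repoint the VNet at the Azure LAN DC. Running VMs pick this up on DHCP renewal or restart.
    $vnet.DhcpOptions.DnsServers.Clear()
    $vnet.DhcpOptions.DnsServers.Add($AzureLanDc)
    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
    Write-Host "VNet $VNetName DNS set to $AzureLanDc."
}
```

Run it without -Fix first to see which rule decides DNS traffic for each configured server; the separate warning about service-tag rules exists because a prefix such as Internet is expanded by the platform, not by this script, so a tagged Allow rule ahead of the deny-all may still let the traffic through.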
Just something I ran across today.