How to route TCP traffic through a fixed IP in Azure during local development?

Question

How to route TCP traffic through a fixed IP in Azure during local development?

dough_boat 11

Hello community,

I'm working through a challenge related to accessing a third-party OPC UA server and am considering a solution using Azure's cloud infrastructure.

Background

Our team needs consistent access to a third-party OPC UA server. My understanding is that this server utilizes TCP for communication.
The dynamic IP addresses of our local development machines are causing access issues due to the third-party's firewall restrictions. In short: the firewall can only allow some IP addresses that we tell them, but we cannot ask them every couple of days to change them.

Previous Attempts

I attempted to use a Squid proxy for this purpose. However, I suspect that Squid may not be suitable for handling the TCP traffic required by OPC UA. See this post: https://squid-users.squid-cache.narkive.com/eEVOUnSk/how-to-use-squid-as-a-tcp-forward-proxy

Objective

Our goal is to configure our network so that all outbound requests from our local development machines consistently appear to originate from one static IP address. This single IP would then be whitelisted by the third-party firewall.
- To be clear, this is just about making the development process easier, because then we can debug from our own machines in our IDEs. Later, in production, the VM runs behind a fixed public IP address.

Specific Questions

Does Azure offer a capability to route our TCP traffic, making it appear to come from a fixed IP? If so, I would greatly appreciate specific guidance or links to relevant Azure documentation.
I am also open to non-Azure solutions. Are there tools or approaches specifically tailored for handling TCP traffic in scenarios like ours? Any recommendations would be highly valuable.

Thank you for your time and assistance!

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2023-12-19T01:22:31.4733333+00:00
@dough_boat

Azure offers a capability to route TCP traffic through a fixed IP address using Azure Load Balancer. You can create a public IP address and assign it to the Azure Load Balancer. Then, you can configure the load balancer to route traffic to the backend pool consisting of your local development machines. This way, all outbound requests from your local development machines will consistently appear to originate from the same static IP address. For more information, see the "Configure inbound NAT rules for a load balancer" section in the "Control outbound traffic with Azure Firewall" article. Additionally, you can use Azure Bastion to log into your virtual machines and avoid public internet exposure using SSH and RDP with private IP addresses only.

References:

Control outbound traffic with Azure Firewall

Azure services for securing network connectivity

AI Note: This solution is generated using the Microsoft Q&A AI Assist tool.
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-12-29T04:25:16.7+00:00

@dough_boat

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

2 answers

Your answer

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2023-12-19T01:22:31.4733333+00:00

@dough_boat

Azure offers a capability to route TCP traffic through a fixed IP address using Azure Load Balancer. You can create a public IP address and assign it to the Azure Load Balancer. Then, you can configure the load balancer to route traffic to the backend pool consisting of your local development machines. This way, all outbound requests from your local development machines will consistently appear to originate from the same static IP address. For more information, see the "Configure inbound NAT rules for a load balancer" section in the "Control outbound traffic with Azure Firewall" article. Additionally, you can use Azure Bastion to log into your virtual machines and avoid public internet exposure using SSH and RDP with private IP addresses only.

References:

Control outbound traffic with Azure Firewall

Azure services for securing network connectivity

AI Note: This solution is generated using the Microsoft Q&A AI Assist tool.
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-12-29T04:25:16.7+00:00

@dough_boat

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Hi dough_boat,

I understood you are looking for a way to whitelist your Azure VM on this 3rd party service. I think there are some services that you can test, but It will also depend on how this external service is dealing with the traffic :

You can use Azure NAT Gateway to let all instances in a private subnet connect outbound to the internet while remaining fully private. (https://learn.microsoft.com/en-us/azure/nat-gateway/), I think this could be the best option for you (https://learn.microsoft.com/en-us/azure/nat-gateway/quickstart-create-nat-gateway-portal)
This could be a second good option Azure Labs provides a way to find the specific public IP address used by a lab in Azure Lab Services. You can use these IP addresses to configure your firewall settings and specify inbound and outbound rules to enable lab users to connect to their lab virtual machines. (https://learn.microsoft.com/en-us/azure/lab-services/how-to-configure-firewall-settings)
Last option from my side is Azure Firewall that can help with outbound connectivity with specific public IPs. However, it’s not possible to NAT certain subnets through a specific public IP on the firewall. Azure Firewall randomly selects the source public IP address to use for a connection. (https://learn.microsoft.com/en-us/answers/questions/850707/azure-firewall-outbound-through-specific-public-ip)

These options will depend on how this 3rd party service whitelist the communication for TCP traffic. Besides that consideration and because It is a development environment I recommend you start with Nat Gateway for a quick win.

Cheers,

Luis

If the information helped address your question, please Accept the answer.

dough_boat 11 Reputation points

2023-12-20T09:03:27.8033333+00:00

Thanks, I will check it out. Right now I was suggested https://github.com/Azure/azure-relay-bridge by someone else and will try this out first, but then get back to your proposed solutions.

Answer 2

dough_boat 11

I solved it now by giving myself SSH access to the VM, then using the "Remote Debugging" functionality of Rider. Not optimal, but everything else was too much effort. But thanks for your input, I'll keep it in mind if this topic pops up again.

Share via

How to route TCP traffic through a fixed IP in Azure during local development?

Background

Previous Attempts

Objective

Specific Questions

2 answers

Your answer