Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
To continue with my hard-learned lessons that not all clouds are the same, I’m back to report on another feature that I was shocked to find absent in Microsoft’s Azure cloud: remote console access.
As in my prior blog post about Azure’s lack of large disk support, this post follows the adventures of a friend of mine who was attempting to build an application stack atop Azure. Let’s call this friend Jim.
Jim builds his applications with security baked in. Immediately after booting a VM, Jim configures the host-based firewall with very restrictive rules. By host-based firewall I’m referring to the built-in Windows Firewall in Windows Server and later, and iptables in Linux.
There are two reasons you might want to configure host-based firewalls. First, a host-based firewall provides an additional layer of defense should there be a configuration error or breach at the perimeter firewall. Second, a host-based firewall can help prevent lateral movement within your environment. A host-based firewall can be configured to prevent a compromised VM from accessing other VMs on the same network segment.
Configuring host-based firewalls to limit communication between VMs on the same network segment is a precursor to data center micro-segmentation. I don’t want to digress too far from the current topic, so I’ll save a full discussion of micro-segmentation for another blog post. For now, I will just say it is possible to use the virtual firewall that comes standard with 11:11’s Cloud to reduce the effort of configuring host-based firewalls and glean some of the benefits of micro-segmentation.
Now, back to Jim: one standard firewall rule he configures limits the source IP addresses that can access the remote desktop or SSH services. By limiting management access to a few trusted IPs, Jim reduces the risk of a remote attacker reaching his systems’ management interfaces. Mistakes in the host-based firewall configuration or unplanned IP address changes can leave the VM in a state where it blocks all incoming remote desktop or SSH clients. Although Jim is diligent when changing his firewall configurations, mistakes do happen.
Normally, when you accidentally isolate the VM due to a host-based firewall rule misconfiguration, you can remote console into that VM, fix the mistake, and move on. But in Azure, you cannot turn to the remote console. There are some tools Azure provides that can potentially correct errors within your VM to restore remote access. If the provided tools and workarounds do not work, you are left with two options: Delete the VM and start over, or download the VM, load it up into your Hyper-V environment, fix the error, and upload the VM back into Azure. I am not surprised by the angry comments regarding Azure’s lack of support for remote console access.
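The lockout Jim hit is easy to reproduce: one wrong CIDR in the allow-list and the DROP rule that follows it cuts off every SSH client, including yours. The script below is an added example (not code from the original post or from 11:11 Systems) of the rule Jim describes, written for iptables on Linux with SSH on TCP/22. It generates the rules separately from applying them so they can be reviewed first, and it applies them behind a timed rollback: if the admin still has access after the rules land, they cancel the rollback; if the allow-list was wrong, the saved rule set is restored automatically and access comes back without a console. The trusted CIDRs, the 300-second window, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Restrict SSH to trusted source
# CIDRs with iptables and apply the change behind a timed rollback so a
# mistake in the allow-list cannot lock the administrator out.
# Assumptions: iptables with the standard filter table and conntrack match,
# SSH listening on TCP/22. The CIDRs below are constructed sample values
# from the RFC 5737 documentation ranges.

TRUSTED_CIDRS="203.0.113.10/32 198.51.100.0/24"   # constructed example allow-list
SSH_PORT=22

# Print the rule set as iptables commands, one per line, without applying it.
# Usage: build_ssh_rules <port> <cidr> [<cidr> ...]
build_ssh_rules() {
    port="$1"; shift
    # Accept packets of established sessions first so that applying the rules
    # does not drop the very SSH session they are being applied from.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$port"
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    # Everything else to the SSH port is dropped; this is the rule that locks
    # you out when the allow-list above is wrong.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Sanity check: how many source CIDRs does a generated rule set allow?
count_allowed_sources() {
    build_ssh_rules "$@" | grep -c -- ' -s '
}

# Apply the rules, but schedule a restore of the current rule set <timeout>
# seconds later. The admin kills the rollback only after confirming that a new
# SSH session from a trusted address still works.
# Usage: apply_with_rollback <timeout-seconds> <port> <cidr> [<cidr> ...]
apply_with_rollback() {
    timeout="$1"; shift
    saved="$(mktemp)"
    iptables-save > "$saved"
    ( sleep "$timeout" && iptables-restore < "$saved" ) &
    ROLLBACK_PID=$!
    build_ssh_rules "$@" | sh -e
    echo "Rules applied. Open a NEW session to verify access, then run"
    echo "'kill $ROLLBACK_PID' within $timeout seconds to keep them."
}

# Preview only; nothing is applied when the script is merely run.
echo "Rules that would be applied:"
build_ssh_rules "$SSH_PORT" $TRUSTED_CIDRS
# To apply for real (as root): apply_with_rollback 300 "$SSH_PORT" $TRUSTED_CIDRS
```

The important design choice is the order of operations: the rollback timer is armed before the new rules are loaded, and verification is done from a fresh session rather than the one already open, because the ESTABLISHED rule keeps the current session alive even when the allow-list would reject a reconnect. The same pattern applies to the Windows Firewall with a scheduled task that re-enables the previous rule set.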
What happened to poor Jim? He had to delete his VM and start over. It is good that Jim thoroughly documents his server build process and keeps local copies of all his configuration files just in case. He only lost a few hours rebuilding his VM and putting all the configuration files back in place. It’s also fortunate that this disruption happened before Jim’s servers were in production. If Jim’s servers had been in production, then deleting the VM would not have been an option. He would have been left with no solution other than downloading the VM to his local system, installing Hyper-V since his local data center is built upon VMware, fixing the issue, and uploading the fixed VM back to Azure.
At 11:11 Systems, we recognize remote console access as a critical feature for cloud. Our developers built remote console access for your VMs into the 11:11 Cloud Console. Our console does not even require you to install a browser add-on. If you’re using a modern web browser, you’ve got remote console access to your VMs.
If the 11:11 Cloud Console is not enough to get your VM working, the 11:11 Support team is a phone call away to help you with troubleshooting. We also provide daily VM backups with seven-day retention at no additional charge. If a VM were in such a state that it was effectively unrecoverable even with the remote console, you’d be able to go back to a prior VM state and get your application services restored. Don’t learn your lessons the hard way like Jim had to: remote console access is just one of the features that can mean the difference between a cloud that delivers value and one that causes admin headaches and untold frustrations.