question

0 Votes
gaur-5993 asked · GitaraniSharmaMSFT-4262 commented

Traffic manager for SFTP services (external end points)

We need to configure Traffic Manager for services like SFTP and VPN (which belong to a non-Azure environment), and we have the CNAME and A record values of these services. Can you please guide me through the steps for how we can configure these (below) in the endpoints, or any other DNS-related changes required in Azure or on-prem?


Example of existing SFTP service (TCP port 22):

SFTP.xyz.abc.com CNAME
SFTP1.xyz.abc.com A record
SFTP2.xyz.abc.com A record

azure-traffic-manager

1 Answer

0 Votes
GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @gaur-5993 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Azure Traffic Manager is a DNS-based traffic load balancer. Traffic Manager uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method. Traffic manager also provides health monitoring for every endpoint. The endpoint can be any Internet-facing service hosted inside or outside of Azure for any service such as HTTP, HTTPS, FTP, SFTP, etc.

Traffic Manager supports adding endpoints using three ways to refer them – as a DNS name, as an IPv4 address and as an IPv6 address. If the endpoint is added as a DNS name, then the query response will be of record type CNAME.

When a query is received against a profile, Traffic Manager first finds the endpoint that needs to be returned as per the routing method specified and the health status of the endpoints. It then looks at the record type requested in the incoming query and the record type associated with the endpoint before returning a response based on the table shown here.

You can choose HTTP, HTTPS, or TCP as the protocol that Traffic Manager uses when probing your endpoint to check its health.
When the monitoring protocol is set as HTTP or HTTPS, the Traffic Manager probing agent makes a GET request to the endpoint using the protocol, port, and relative path given. An endpoint is considered healthy if the probing agent receives a 200-OK response, or any of the responses configured in the Expected status code ranges.
When the monitoring protocol is TCP, the Traffic Manager probing agent creates a TCP connection request using the port specified. If the endpoint responds to the request with a response to establish the connection, that health check is marked as a success.

So your endpoint monitoring for VPN will be:
- Click Configuration.
- Select TCP from the Protocol drop-down list.
- Enter 443 in the Port field.
- Update any additional settings, such as DNS TTL, probing interval, tolerated number of failures, and probe timeout, as required.
- Click Save.

And for SFTP will be:
- Click Configuration.
- Select TCP from the Protocol drop-down list.
- Enter 22 in the Port field.
- Update any additional settings, such as DNS TTL, probing interval, tolerated number of failures, and probe timeout, as required.
- Click Save.

To add VPN/SFTP endpoints to the Traffic Manager profile:
- Click Endpoints.
- Click Add.
- Select External Endpoint from the Type drop-down list.
- Enter a descriptive name for the endpoint.
- Enter the Fully Qualified Domain Name (FQDN) or the IP address of your VPN server or SFTP server.
- Select a geography from the Location drop-down list.
- Click OK.

References:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types#external-endpoints
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works
https://directaccess.richardhicks.com/2018/07/30/always-on-vpn-multisite-with-azure-traffic-manager/

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


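The TCP monitoring described in the answer (a probe is a plain connection attempt on the configured port, and an endpoint is marked Degraded only after the tolerated number of consecutive failures is exceeded) can be exercised locally. The following is an added example, not code from the Q&A thread or from Azure: it models the probe and the failure counter in Python against a constructed loopback listener standing in for an SFTP host. The `ProbeConfig`/`EndpointState` names, the default tolerated-failure count of 3 and the "more than tolerated failures means Degraded" rule are assumptions of this model, not Traffic Manager's internal implementation.

```python
# Added example (not from the Q&A thread or Azure): a stand-alone model of a
# TCP health probe and a "tolerated number of failures" counter.
import socket
import threading
from dataclasses import dataclass
from typing import Tuple


@dataclass
class ProbeConfig:
    """Monitoring settings from the answer's steps (protocol TCP)."""
    port: int                    # 22 for the SFTP profile, 443 for the VPN example
    timeout_s: float = 2.0       # probe timeout
    tolerated_failures: int = 3  # consecutive failures tolerated before Degraded (assumed default)


@dataclass
class EndpointState:
    name: str
    target: str                  # FQDN or IP as entered for the external endpoint
    consecutive_failures: int = 0
    status: str = "Online"


def tcp_probe(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """A TCP monitor succeeds when the handshake completes; no banner or login is exchanged,
    so a listening port is enough to count as healthy even if the SFTP daemon itself is broken."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def apply_probe_result(state: EndpointState, cfg: ProbeConfig, success: bool) -> str:
    """Update the endpoint status from one probe outcome (simplified model, assumption)."""
    if success:
        state.consecutive_failures = 0
        state.status = "Online"
    else:
        state.consecutive_failures += 1
        if state.consecutive_failures > cfg.tolerated_failures:
            state.status = "Degraded"
    return state.status


def probe_endpoint(state: EndpointState, cfg: ProbeConfig) -> str:
    """Run one live probe against the endpoint target and record the result."""
    return apply_probe_result(state, cfg, tcp_probe(state.target, cfg.port, cfg.timeout_s))


def start_local_listener() -> Tuple[socket.socket, threading.Thread, int]:
    """Constructed stand-in for an SFTP host: accepts TCP connections on a random loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener shut down
                return
            conn.close()

    thread = threading.Thread(target=accept_loop, daemon=True)
    thread.start()
    return srv, thread, srv.getsockname()[1]


def stop_listener(srv: socket.socket, thread: threading.Thread) -> None:
    """Stop listening so that later connection attempts are refused."""
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() and leaves LISTEN state
    except OSError:
        pass
    srv.close()
    thread.join(timeout=2.0)


if __name__ == "__main__":
    srv, thr, port = start_local_listener()
    cfg = ProbeConfig(port=port, tolerated_failures=3)
    ep = EndpointState("SFTP1", "127.0.0.1")
    print("listener up  ->", probe_endpoint(ep, cfg))
    stop_listener(srv, thr)
    for _ in range(cfg.tolerated_failures + 1):
        print("listener down ->", probe_endpoint(ep, cfg), "failures:", ep.consecutive_failures)
```

The point worth noticing is in `tcp_probe`: a TCP monitor only proves that something accepts connections on port 22, not that the SFTP service behind it authenticates or serves files, so the probe interval and tolerated-failure settings trade detection speed against flapping rather than depth of the check.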

Thank you Geetarani Sharma.

1 Vote

Thank you for the detailed response.

In the Traffic Manager profile, for the point below:

"Enter the Fully Qualified Domain Name (FQDN) or the IP address of your VPN server or SFTP server." In my case, we can use the "A record" values for the endpoints (primary and secondary endpoints for priority-based routing).

SFTP1.xyz.abc.com A record
SFTP2.xyz.abc.com A record

Also, we need to change the CNAME value of SFTP/VPN to point to the Traffic Manager domain name. This needs to be done in the on-prem DNS management service. No need to create any DNS zone or point this in Azure.

Please correct me if I am wrong.

0 Votes

Hello @gaur-5993 ,

You can create a CNAME mapping to point to the traffic manager domain in your on-premise DNS setup.

But DNS standards do not allow you to create a CNAME at the 'apex' (or root) of a domain. Thus you cannot create a CNAME for 'contoso.com' (sometimes called a 'naked' domain). You can only create a CNAME for a domain under 'contoso.com', such as 'www.contoso.com'. In case you need to create a CNAME for a root/apex domain, we recommend hosting your DNS domain on Azure DNS and using Alias records to point to your traffic manager profile. Alternatively you can use a simple HTTP redirect to direct requests for 'contoso.com' to an alternative name such as 'www.contoso.com'.

Reference: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works

Thanks,
Gita

0 Votes
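The DNS behaviour the answer and the comment above describe (the on-prem CNAME pointing at the Traffic Manager profile name, the profile answering with an A/AAAA record when the endpoint was added as an IP address and a CNAME when it was added as a DNS name, priority routing picking the lowest-priority healthy endpoint, and the rule that a CNAME cannot sit at a zone apex) can be traced through with a small model. This is an added example, not code from the Q&A thread, Azure or Microsoft's documentation: the zone dictionary, the `resolve` walk, the hostnames `sftp.xyz.abc.com`/`sftp1.xyz.abc.com`/`contoso.trafficmanager.net` taken from the thread and the IP addresses from the 203.0.113.0/24 documentation range are all constructed.

```python
# Added example (not from the Q&A thread or Azure): models the lookup chain a client
# sees when an on-prem CNAME points at a Traffic Manager profile.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, Tuple[str, str]]   # owner name -> (record type, rdata); constructed on-prem zone


@dataclass
class Endpoint:
    name: str
    target: str           # FQDN or an IPv4/IPv6 literal, as entered for the external endpoint
    priority: int         # 1 = primary for priority routing
    status: str = "Online"

    def record_type(self) -> str:
        """Endpoint added as an IP answers A/AAAA; added as a DNS name it answers CNAME."""
        try:
            return "AAAA" if ipaddress.ip_address(self.target).version == 6 else "A"
        except ValueError:
            return "CNAME"


def select_endpoint(endpoints: List[Endpoint]) -> Optional[Endpoint]:
    """Priority routing: lowest priority value among endpoints whose probe status is Online."""
    healthy = [e for e in endpoints if e.status == "Online"]
    return min(healthy, key=lambda e: e.priority) if healthy else None


def traffic_manager_answer(endpoints: List[Endpoint]) -> Optional[Tuple[str, str]]:
    """(record type, rdata) the profile answers with, or None when no endpoint is healthy."""
    ep = select_endpoint(endpoints)
    return None if ep is None else (ep.record_type(), ep.target)


def cname_allowed(zone_apex: str, owner: str) -> bool:
    """DNS does not allow a CNAME at the apex (root) of a zone, e.g. 'contoso.com' itself."""
    return owner.rstrip(".").lower() != zone_apex.rstrip(".").lower()


def add_cname(zone: Zone, zone_apex: str, owner: str, target: str) -> None:
    """Add a CNAME to the on-prem zone, refusing the apex (use an Alias record or a subdomain)."""
    if not cname_allowed(zone_apex, owner):
        raise ValueError(f"CNAME not allowed at zone apex {zone_apex}")
    zone[owner.lower()] = ("CNAME", target)


def resolve(name: str, zone: Zone, profile_fqdn: str,
            endpoints: List[Endpoint]) -> List[Tuple[str, str, str]]:
    """Walk the chain a client resolves: one (owner, type, rdata) tuple per hop."""
    chain: List[Tuple[str, str, str]] = []
    cur = name.lower()
    for _ in range(8):                       # guard against CNAME loops
        if cur == profile_fqdn.lower():
            ans = traffic_manager_answer(endpoints)
            if ans is None:
                break
            rtype, rdata = ans
        elif cur in zone:
            rtype, rdata = zone[cur]
        else:
            break
        chain.append((cur, rtype, rdata))
        if rtype != "CNAME":
            break
        cur = rdata.lower()
    return chain


if __name__ == "__main__":
    zone: Zone = {"sftp1.xyz.abc.com": ("A", "203.0.113.10"),   # constructed A records
                  "sftp2.xyz.abc.com": ("A", "203.0.113.20")}
    add_cname(zone, "xyz.abc.com", "sftp.xyz.abc.com", "contoso.trafficmanager.net")
    by_ip = [Endpoint("primary", "203.0.113.10", 1), Endpoint("secondary", "203.0.113.20", 2)]
    by_name = [Endpoint("primary", "sftp1.xyz.abc.com", 1), Endpoint("secondary", "sftp2.xyz.abc.com", 2)]
    print("endpoints as IPs:  ", resolve("SFTP.xyz.abc.com", zone, "contoso.trafficmanager.net", by_ip))
    print("endpoints as names:", resolve("SFTP.xyz.abc.com", zone, "contoso.trafficmanager.net", by_name))
    by_ip[0].status = "Degraded"
    print("primary degraded:  ", traffic_manager_answer(by_ip))
```

Running the two `resolve` calls side by side shows the difference the answer describes: with the endpoints entered as the A record values, the client follows one CNAME hop to the profile and gets an A record back, whereas entering them as DNS names adds a second CNAME hop before the final A record.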
gaur-5993 · GitaraniSharmaMSFT-4262

In this case, we need to create a CNAME mapping for the SFTP service (on-prem) to point to some other domain (example: contoso.trafficmanager.net).

But I have a CNAME for the SFTP service (on-prem) which is used by users to connect to the SFTP server.
CNAME - SFTP.abc.com (used by users)

So in this case, pointing one CNAME record to another CNAME is not recommended. Without redirecting to HTTP, is there any way we can point the SFTP service to another domain as a CNAME?

0 Votes