Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

NPM Azure SQL ports to open in firewall

ferose354

so i have NPM and i have multi-subnet HA. my SQL DB is Azure hosted SQL db service.

i also have a palo alto firewall.

i want to restrict outbound access in the firewall.

i tried the following:

1. allow TCP port 1433 and UDP 53 outbound.

2. allow the following application outbound.

with this, it works find under steady state but everytime i do failover, services are going crazy and the webage starts giving menu failures.

note: when i access the web console, i use the localhost address on the current active machine (not the virtual hostname). so, its not related to DNS /caching for sure. and it just works find if i dont restrict like below.

is there anything else to be allowed? anyone have this kind of setup working?

Find more posts tagged with

Accepted answers

All comments

neomatrix1217

Have you looked at the port requirements for HA?

https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/HA_Requirements.htm

mesverrum

Are you sure you aren't chasing issues with local dns getting cached on your machine during a failover? The website service stays running on the inactive host but if you have that ip cached it just causes tons of errors until the dns entry expires.

shuth

Per @mesverrum , this is the most common problem I see with the multi-subnet HA implementations. The client browser is still looking at the cached DNS entry to server 1 even though SolarWinds has failed over to server 2 and updated DNS.

https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/HA_Failover_conditions.htm

Failovers with virtual hostnames

When your HA pool uses a virtual hostname, failovers may not appear to work due to caching issues. The client DNS cache can take up to one minute to redirect traffic to the new active pool member.

However, your browser's DNS cache does not respect the DNS Time to Live (TTL) value, and the DNS cache retention varies between browsers from 60 seconds to 24 hours. You must flush your browser's cache be successfully redirected to the new active pool member.

ferose354

i know for sure its not related to DNS as i RDP to the active machine and access the webconsole using the local hostname (and not the virtual hostname)

ferose354

yeah. its not related to DNS. i just updated those details in the Original post.

ferose354

i did. the only component thats residing on the internet is Azure SQL. Thats the only factor i am trying to allow by blocking everything else.

the doc says port 1433 but Azure SQL, i am wondering if it uses more than that.

shuth

Few other places to check:

Windows Event Log
- Windows Logs - Application
- Applications and Services Logs - SolarWinds.Net and SWI Logs

Will usually see database connectivity issues in here.

Try looking inside the OrionWeb.log file to see why the resources might be failing to load.
- Found in: C:\ProgramData\SolarWinds\Logs\Orion\

ferose354

yes. i do see database connectivity issues but wondering why since i allowed all the services i need to. wondering what else i need to permit to make this work when it comes to Azure hosted SQL.

shuth

Sounds like you might need to talk to Palo Alto.