SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home.
Port forwarding lets you connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number.
In this tutorial, you set up port forwarding on an Azure Load Balancer. You learn how to:
- The port forwarding tester is a utility used to identify your external IP address and detect open ports on your connection. This tool is useful for finding out if your port forwarding is setup correctly or if your server applications are being blocked by a firewall.
- Only one port forward can exist for every instance of that port. For example, if you forward port 3389 (used by the Remote Desktop remote access program) to a computer with the IP address 192.168.1.115, that same router can't also forward port 3389 to 192.168.1.120.
- Create a public Standard load balancer to balance network traffic over VMs.
- Create a virtual network and VMs with a network security group (NSG) rule.
- Add the VMs to the load balancer back-end address pool.
- Create a load balancer health probe and traffic rules.
- Create load balancer inbound NAT port-forwarding rules.
- Install and configure IIS on the VMs to view load balancing and port forwarding in action.
If you don't have an Azure subscription, create a free account before you begin.
For all steps in this tutorial, sign in to the Azure portal at https://portal.azure.com.
Prerequisites
- An Azure subscription.
Create a Standard load balancer
First, create a public Standard load balancer that can balance traffic load over VMs. A Standard load balancer supports only a Standard public IP address. When you create a Standard load balancer, you also create a new Standard public IP address, which is configured as the load balancer front end and named LoadBalancerFrontEnd by default.
On the top left-hand side of the screen, click Create a resource > Networking > Load Balancer.
In the Basics tab of the Create load balancer page, enter or select the following information, accept the defaults for the remaining settings, and then select Review + create:
Setting Value Subscription Select your subscription. Resource group Select Create new and type MyResourceGroupLB in the text box. Name myLoadBalancer Region Select West Europe. Type Select Public. SKU Select Standard. Public IP address Select Create new. Public IP address name Type myPublicIP in the text box. Availability zone Select Zone redundant. Note
Make sure to create your Load Balancer and all resources for it in a location that supports Availability Zones. For more information, see Regions that support Availability Zones.
In the Review + create tab, click Create.
Create and configure back-end servers
Create a virtual network with two virtual machines, and add the VMs to the back-end pool of your load balancer.
Virtual network and parameters
In this section you'll need to replace the following parameters in the steps with the information below:
Parameter | Value |
---|---|
<resource-group-name> | myResourceGroupLB (Select existing resource group) |
<virtual-network-name> | myVNet |
<region-name> | West Europe |
<IPv4-address-space> | 10.3.0.016 |
<subnet-name> | myBackendSubnet |
<subnet-address-range> | 10.3.0.024 |
Create the virtual network and subnet
In this section, you'll create a virtual network and subnet.
On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.
In Create virtual network, enter or select this information in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription Resource Group Select Create new, enter <resource-group-name>, then select OK, or select an existing <resource-group-name> based on parameters. Instance details Name Enter <virtual-network-name> Region Select <region-name> Select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the page.
In the IP Addresses tab, enter this information:
Setting Value IPv4 address space Enter <IPv4-address-space> Under Subnet name, select the word default.
In Edit subnet, enter this information:
Setting Value Subnet name Enter <subnet-name> Subnet address range Enter <subnet-address-range> Select Save.
Select the Review + create tab or select the Review + create button.
Select Create.
Create VMs and add them to the load balancer back-end pool
On the upper-left side of the portal, select Create a resource > Compute > Windows Server 2016 Datacenter.
In Create a virtual machine, type or select the following values in the Basics tab:
- Subscription > Resource Group: Drop down and select MyResourceGroupLB.
- Virtual machine name: Type MyVM1.
- Region: Select West Europe.
- Username: Type azureuser.
- Password: Type Azure1234567.Retype the password in the Confirm password field.
Select the Networking tab, or select Next: Disks, then Next: Networking.
Make sure the following are selected:
- Virtual network: MyVNet
- Subnet: MyBackendSubnet
Under Public IP, select Create new, select Standard on the Create public IP address page, and then select OK.
Under Network Security Group, select Advanced to create a new network security group (NSG), a type of firewall.
- In the Configure network security group field, select Create new.
- Type MyNetworkSecurityGroup, and select OK.
Note
Observe that by default, the NSG already has an incoming rule to open port 3389, the remote desktop (RDP) port.
Add the VM to a load balancer back-end pool that you create:
- Under LOAD BALANCING > Place this virtual machine behind an existing load balancing solution?, select Yes.
- For Load balancing options, drop down and select Azure load balancer.
- For Select a load balancer, drop down and select MyLoadBalancer.
- Under Select a backend pool, select Create new, then type MyBackendPool, and select Create.
Select the Management tab, or select Next > Management. Under Monitoring, set Boot diagnostics to Off.
Select Review + create.
Review the settings, and when validation succeeds, select Create.
Follow the steps to create a second VM named MyVM2, with all the other settings the same as MyVM1.
For Network Security Group, after selecting Advanced, drop down and select the MyNetworkSecurityGroup that you already created.
Under Select a backend pool, make sure MyBackendPool is selected.
Create an NSG rule for the VMs
Create a network security group (NSG) rule for the VMs to allow inbound internet (HTTP) connections.
Note
By default, the NSG already has a rule that opens port 3389, the remote desktop (RDP) port.
Select All resources on the left menu. From the resource list, select MyNetworkSecurityGroup in the MyResourceGroupLB resource group.
Under Settings, select Inbound security rules, and then select Add.
In the Add inbound security rule dialog, type or select the following:
- Source: Select Service Tag.
- Source service tag: Select Internet.
- Destination port ranges: Type 80.
- Protocol: Select TCP.
- Action: Select Allow.
- Priority: Type 100.
- Name: Type MyHTTPRule.
- Description: Type Allow HTTP.
Select Add.
Create load balancer resources
In this section, you inspect the load balancer back-end pool, and configure a load balancer health probe and traffic rules.
View the back-end address pool
To distribute traffic to the VMs, the load balancer uses a back-end address pool, which contains the IP addresses of the virtual network interfaces (NICs) that are connected to the load balancer.
You created your load balancer back-end pool and added VMs to it when you created the VMs. You can also create back-end pools and add or remove VMs from the load balancer Backend pools page.
Select All resources on the left menu, and then select MyLoadBalancer from the resource list.
Under Settings, select Backend pools.
On the Backend pools page, expand MyBackendPool and make sure both VM1 and VM2 are listed.
Select MyBackendPool.
On the MyBackendPool page, under VIRTUAL MACHINE and IP ADDRESS, you can remove or add available VMs to the pool.
You can create new back-end pools by selecting Add on the Backend pools page.
Create a health probe
To allow the load balancer to monitor VM status, you use a health probe. The health probe dynamically adds or removes VMs from the load balancer rotation based on their response to health checks.
Select All resources on the left menu, and then select MyLoadBalancer from the resource list.
Under Settings, select Health probes, and then select Add.
On the Add health probe page, type or select the following values:
- Name: Type MyHealthProbe.
- Protocol: Drop down and select HTTP.
- Port: Type 80.
- Path: Accept / for the default URI. You can replace this value with any other URI.
- Interval: Type 15. Interval is the number of seconds between probe attempts.
- Unhealthy threshold: Type 2. This value is the number of consecutive probe failures that occur before a VM is considered unhealthy.
Select OK.
Create a load balancer rule
A load balancer rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports.
The load balancer rule named MyLoadBalancerRule listens to port 80 in the front-end LoadBalancerFrontEnd. The rule sends network traffic to the back-end address pool MyBackendPool, also on port 80.
Select All resources on the left menu, and then select MyLoadBalancer from the resource list.
Under Settings, select Load balancing rules, and then select Add.
On the Add load balancing rule page, type or select the following values:
- Name: Type MyLoadBalancerRule.
- Protocol: Select TCP.
- Port: Type 80.
- Backend port: Type 80.
- Backend pool: Select MyBackendPool.
- Health probe: Select MyHealthProbe.
Select OK.
Create an inbound NAT port-forwarding rule
Create a load balancer inbound network address translation (NAT) rule to forward traffic from a specific port of the front-end IP address to a specific port of a back-end VM.
Select All resources in the left-hand menu, and then select MyLoadBalancer from the resource list.
Under Settings, select Inbound NAT rules, and then select Add.
On the Add inbound NAT rule page, type or select the following values:
- Name: Type MyNATRuleVM1.
- Port: Type 4221.
- Target virtual machine: Select MyVM1 from the drop-down.
- Network IP Configuration: Select ipconfig1 from the drop-down.
- Port mapping: Select Custom.
- Target port: Type 3389.
Select OK.
Repeat the steps to add an inbound NAT rule named MyNATRuleVM2, using Port: 4222 and Target virtual machine: MyVM2.
Test the load balancer
Port Forward For Ppsspp Windows 10
In this section, you'll install Internet Information Services (IIS) on the back-end servers, and customize the default web page to show the machine name. Then, you'll use the load balancer's public IP address to test the load balancer.
Each back-end VM serves a different version of the default IIS web page, so you can see the load balancer distribute requests between the two VMs.
Connect to the VMs with RDP
Connect to each VM with Remote Desktop (RDP).
In the portal, select All resources on the left menu. From the resource list, select each VM in the MyResourceGroupLB resource group.
On the Overview page, select Connect, and then select Download RDP file.
Open the RDP file you downloaded, and select Connect.
On the Windows Security screen, select More choices and then Use a different account.
Enter username azureuser and password Azure1234567, and select OK.
Respond Yes to any certificate prompt.
The VM desktop opens in a new window.
Install IIS and replace the default IIS web page
Use PowerShell to install IIS and replace the default IIS web page with a page that displays the name of the VM.
On MyVM1 and on MyVM2, launch Windows PowerShell from the Start menu.
Run the following commands to install IIS and replace the default IIS web page:
Close the RDP connections with MyVM1 and MyVM2 by selecting Disconnect. Don't shut down the VMs.
Test load balancing
In the portal, on the Overview page for MyLoadBalancer, copy the public IP address under Public IP address. Hover over the address and select the Copy icon to copy it. In this example, it is 40.67.218.235.
Paste or type the load balancer's public IP address (40.67.218.235) into the address bar of your internet browser.
The customized IIS web server default page appears in the browser. The message reads either Hello World from MyVM1, or Hello World from MyVM2.
Refresh the browser to see the load balancer distribute traffic across VMs. Sometimes the MyVM1 page appears, and other times the MyVM2 page appears, as the load balancer distributes the requests to each back-end VM.
Note
You may need to clear your browser cache or open a new browser window between attempts.
Test port forwarding
With port forwarding, you can remote desktop to a back-end VM by using the IP address of the load balancer and the front-end port value defined in the NAT rule.
In the portal, on the Overview page for MyLoadBalancer, copy its public IP address. Hover over the address and select the Copy icon to copy it. In this example, it is 40.67.218.235.
Open a command prompt, and use the following command to create a remote desktop session with MyVM2, using the load balancer's public IP address and the front-end port you defined in the VM's NAT rule.
Open the downloaded RDP file, and select Connect.
On the Windows Security screen, select More choices and then Use a different account.
Enter username azureuser and password Azure1234567, and select OK.
Respond Yes to any certificate prompt.
The MyVM2 desktop opens in a new window.
The RDP connection succeeds, because the inbound NAT rule MyNATRuleVM2 directs traffic from the load balancer's front-end port 4222 to MyVM2's port 3389 (the RDP port).
Clean up resources
To delete the load balancer and all related resources when you no longer need them, open the MyResourceGroupLB resource group and select Delete resource group.
Next steps
Port Forward For Ppsspp Free
In this tutorial, you created a Standard public load balancer. You created and configured network resources, back-end servers, a health probe, and rules for the load balancer. You installed IIS on the back-end VMs and used the load balancer's public IP address to test the load balancer. You set up and tested port forwarding from a specified port on the load balancer to a port on a back-end VM.
Port Forward For Ppsspp App
To learn more about Azure Load Balancer, continue to more load balancer tutorials.