ServiceInsight Azure Connecting to VM

Question

I was wondering if it was possible to connect to a Service Insight hosted on a Virtual Machine locally? What I mean is:

• I have Service Insight installed on a VM in the cloud
• Can remote into it via Remote Desktop
• Can launch Service Insight on the box to view message traffic

However, I have Service Insight installed locally and when I attempt to connect to the Service Control hosted on my VM not sure how to do this. Looking at the Particular website can't find much documentation either. Service Control expects a URL which I believe should be http://serviceins.cloudapp.net:33333/api/ however this resolves to nothing.

The name of my VM is called serviceins.

I have made changes to ServiceControl.config:

<appsettings>
    <add key="ServiceControl/Hostname" value="serviceins.cloudapp.net"/>
        <add key="ServiceControl/HoursToKeepMessagesBeforeExpiring" value="24"/>
</appsettings>

ServicePulse.config

service_control_url: 'http://serviceins.cloudapp.net:33333/api/'

I guess my question is how can I access Service Insight without having to remote onto the VM? Can I access to this via simply providing a URL to Service Insight?

Thanks, DS.

Answer 1

Security Warning

ServiceControl has no built in security layer so if you exposing the API URL to the Internet then all of the messages stored in ServiceControl will be accessible by anyone who can connect to port 33333. This is why it's restricted to localhost by default.

I can't stress enough that it should not be done on a production system

For Azure a more secure method would be to use something like a point to site VPN connection. (See: https://msdn.microsoft.com/en-us/library/azure/jj156206.aspx) but this may require a bit of reconfiguration.

If you are still keen to expose the URL in an insecure way here is how you would go about it:

1. Set the hostname in the App.config to a wildcard:

<add key="ServiceControl/HostName" value="*" />

2. Update the URLACL to respond to the wildcard.

You can view the URLACL settings by issuing this command at cmd prompt:

netsh http show urlacl 

If you have an existing setting for port http://localhost:33333/api/ or http://serviceins.cloudapp.net:33333/api/ remove them using:

netsh http delete urlacl URL=http://localhost:33333/api/
netsh http delete urlacl URL=http://serviceins.cloudapp.net:33333/api/

Add the wildcard URLACL

netsh http add urlacl URL=http://*:33333/api/ User=Users

Check it via the show command and it should have an entry like this

Reserved URL            : http://*:33333/api/
User: BUILTIN\Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)

3. Windows Firewall

Add an inbound rule to the Windows Firewall. By default the port 33333 will be blocked for incoming connections. You can do this via an Admin Powershell using the following command (I'm assuming you're VM is Win2012)

New-NetFirewallRule -Name ServiceControl -Direction Inbound -Protocol TCP -LocalPort 33333  -Action Allow -Enabled True

4. Add an Azure Endpoint

You'll also need to open up an Azure Endpoint connection to allow connection to port 33333. This is essentially another firewall. Rather than document this I'll refer you to Microsoft's own doco here: http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/

As part of the endpoint configuration you can add some security by limiting the IP range that is allowed to connect to the port. This is really only useful if you've got a static IP.