Nginx fails to start when CentOS/Plesk is migrated to Azure

There is a small issue where a Plesk/CentOS 7 system is migrated to Azure and nginx then fails to start.
This is the error in the nginx log:


# cat /var/log/nginx/error.log
2018/06/14 22:11:41 [emerg] 9341#0: bind() to 10.144.114.11:443 failed (99: Cannot assign requested address)

If you see this error, edit:


/etc/sysctl.conf

And add the following line (without a leading #, which would turn it into a comment):


net.ipv4.ip_nonlocal_bind = 1

Then Run:


# sysctl -p /etc/sysctl.conf

Start nginx:


# service nginx start
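The diagnostic behind this fix, as an added example that is not part of the original note: the error means nginx is trying to bind an address the VM no longer has, typically the pre-migration IP still sitting in a listen directive. Changing that listen address to the VM's new private IP (or 0.0.0.0) removes the cause; the sysctl above also works, but it lets every process on the host bind addresses the host does not own, so it is a workaround rather than a fix. The POSIX shell script below lists the listen addresses that are not assigned locally and reports the current ip_nonlocal_bind value; run it with --check on the migrated host. It assumes nginx -T (or /etc/nginx/nginx.conf) and the iproute2 ip command are available; the config and address lists used in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original note. Finds nginx "listen"
# addresses that are not assigned to this VM, which is what produces
# "bind() to ADDRESS:443 failed (99: Cannot assign requested address)".
# Assumptions: "nginx -T" or /etc/nginx/nginx.conf is readable and "ip"
# (iproute2) is installed.

# Print, one per line, the IPv4 addresses used in "listen IP:port" or
# "listen IP;" directives of the nginx config text read from stdin.
# Port-only directives (listen 80;) bind 0.0.0.0 and are ignored.
listen_addrs() {
    sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)[[:space:]:;].*/\1/p' | sort -u
}

# IPv4 addresses assigned to local interfaces, one per line.
local_addrs() {
    ip -4 -o addr 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }' | sort -u
}

# nonlocal_listen CONFIG_TEXT LOCAL_ADDRS
# Prints every listen address that is not in LOCAL_ADDRS (newline separated)
# and returns 1 if there is at least one, 0 if every listen address is local.
nonlocal_listen() {
    config="$1"
    locals="$2"
    status=0
    for addr in $(printf '%s\n' "$config" | listen_addrs); do
        if ! printf '%s\n' "$locals" | grep -qxF "$addr"; then
            printf '%s\n' "$addr"
            status=1
        fi
    done
    return $status
}

# Current value of the kernel knob the note toggles (0 = default, 1 = enabled).
nonlocal_bind_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_nonlocal_bind 2>/dev/null)" = "1" ]
}

main() {
    # nginx -T dumps the complete effective config (all included files);
    # fall back to the main file if this nginx is too old for -T.
    config=$(nginx -T 2>/dev/null || cat /etc/nginx/nginx.conf)
    if bad=$(nonlocal_listen "$config" "$(local_addrs)"); then
        echo "all nginx listen addresses are assigned to this host"
    else
        echo "nginx listens on addresses this host does not have:"
        printf '  %s\n' $bad
        echo "fix those listen directives (or, as a workaround, set net.ipv4.ip_nonlocal_bind = 1)"
    fi
    if nonlocal_bind_enabled; then
        echo "note: net.ipv4.ip_nonlocal_bind is already 1 on this host"
    fi
}

if [ "${1:-}" = "--check" ]; then
    main
fi
```

Plesk keeps its generated vhost configuration under /etc/nginx/plesk.conf.d/, which is why the script prefers nginx -T over reading a single file: the stale address is usually in an included file, not in nginx.conf itself.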

Set up rDNS in Azure for a public IP

When setting up an Azure VM that will have mail functions, you may need to set up an rDNS (PTR) record. The Azure portal at this time does not have that capability, but you can set it up with the Azure CLI or PowerShell.

Guide for creating Reverse DNS records: https://docs.microsoft.com/en-us/azure/dns/dns-reverse-dns-for-azure-services

Here's a PowerShell script that sets the PTR record on a public IP.
Set the variables at the top appropriately.

$TenantID = "insert_tenant_id"             # Customer tenant ID
$SubscriptionID = "insert_subscripton_id"  # Customer's CSP subscription ID
$UniqueName = "exampleIP"                  # DNS name label to associate with the IP; any unique label will do
$RealFQDN = "mail.example.com."            # The actual PTR/rDNS record to set on the IP address
$IpAddress = "insert_ip"                   # The public IP address you are setting the rDNS for

$ProvisioningCredentials = Get-Credential -Message "Enter Your @CoderoHosting or @Coderosandbox Azure Account Credentials"

# First pass: confirm the credentials are valid before touching the customer tenant
try {
    Write-Host "Checking Credentials" -ForegroundColor Green
    Login-AzureRmAccount -Credential $ProvisioningCredentials | Out-Null

    $context = Get-AzureRmContext
    if ($null -eq $context.Account) { throw "Error" }
    Write-Host "Credentials are valid.  Continuing..." -ForegroundColor Green
    $validcredentials = $true
    $context = $null
}
catch {
    Write-Host "Invalid Azure login credentials.  Please try to enter your credentials again." -ForegroundColor Red
    $validcredentials = $false
    $context = $null
}

# Stop here if the credential check failed
if (-not $validcredentials) { return }

# Second pass: log in to the customer's tenant and select the subscription that holds the public IP
try {
    Write-Host "Logging in to Customer Azure Subscription..." -ForegroundColor Green
    Login-AzureRmAccount -TenantId $TenantID -Credential $ProvisioningCredentials
    Select-AzureRmSubscription -SubscriptionId $SubscriptionID
}
catch {
    Write-Host "Not able to log in to Customer Azure Subscription.  Check that your Azure credentials are in the AdminUsers AAD Group in the coderohosting or coderosandbox tenant. Exiting script. Error message is:"
    Write-Host $PSItem.ToString() -ForegroundColor Red
    return
}

# Find the public IP resource whose address matches (exact match, not a wildcard pattern)
$pip = Get-AzureRmPublicIpAddress | Where-Object { $_.IpAddress -eq $IpAddress }
if ($null -eq $pip) {
    Write-Host "No public IP address resource with address $IpAddress was found in subscription $SubscriptionID." -ForegroundColor Red
    return
}

# Attach DNS settings: the DNS name label and the reverse FQDN
$pip.DnsSettings = New-Object -TypeName "Microsoft.Azure.Commands.Network.Models.PSPublicIpAddressDnsSettings"
$pip.DnsSettings.DomainNameLabel = $UniqueName
$pip.DnsSettings.ReverseFqdn = $RealFQDN

# Write the change back to Azure
Set-AzureRmPublicIpAddress -PublicIpAddress $pip
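The same job done with the Azure CLI, as an added example that is not part of the original note or of Microsoft's guide. It adds the pre-flight check a practitioner wants before calling Azure: the linked guide has Azure validate that the reverse FQDN forward-resolves to the public IP (or to its Azure-provided DNS name), and a PTR that does not match its forward record earns no trust from receiving mail servers either, so the script checks the A record first and refuses to proceed otherwise. It assumes az login has already been done with an account that can modify the public IP; RESOURCE_GROUP and PUBLIC_IP_NAME are placeholders, and the DNS answers in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original note. Sets the reverse FQDN on an
# Azure public IP with the Azure CLI after confirming the forward record.
# Assumptions: "az login" done; the az flags used (--reverse-fqdn, --query,
# -o tsv) are the real ones; resource names are placeholders.

# Forward lookup: IPv4 addresses for a name, one per line. Kept as its own
# function so an offline test can replace it with constructed answers.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Strip a trailing dot for the lookup; the Azure call keeps the name as given.
lookup_name() {
    printf '%s\n' "$1" | sed 's/\.$//'
}

# forward_confirmed FQDN IP -> 0 if FQDN resolves to IP, 1 otherwise.
forward_confirmed() {
    resolve_a "$(lookup_name "$1")" | grep -qxF "$2"
}

# Address currently assigned to the Azure public IP resource.
public_ip_of() {
    az network public-ip show -g "$1" -n "$2" --query ipAddress -o tsv
}

# set_reverse_fqdn RESOURCE_GROUP PUBLIC_IP_NAME FQDN
set_reverse_fqdn() {
    rg="$1"; name="$2"; fqdn="$3"
    ip=$(public_ip_of "$rg" "$name") || return 1
    if [ -z "$ip" ]; then
        echo "public IP $name has no address assigned yet" >&2
        return 1
    fi
    if ! forward_confirmed "$fqdn" "$ip"; then
        echo "$fqdn does not resolve to $ip; create or fix the A record first" >&2
        return 1
    fi
    # Prints the reverse FQDN Azure stored, so the change is visible on success.
    az network public-ip update -g "$rg" -n "$name" --reverse-fqdn "$fqdn" \
        --query dnsSettings.reverseFqdn -o tsv
}

# Usage: ./set-rdns.sh RESOURCE_GROUP PUBLIC_IP_NAME mail.example.com.
if [ $# -eq 3 ]; then
    set_reverse_fqdn "$1" "$2" "$3"
fi
```

The lookup uses the host's own resolver (getent), so run it from a machine whose resolver sees the public zone, not from one with a split-horizon view of your domain.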

Azure/AWS Mail blocked on Port 25

This issue concerns outbound SMTP on port 25 from Azure virtual machines and AWS EC2 instances, which both providers restrict.

AZURE

Azure: https://blogs.msdn.microsoft.com/mast/2017/11/15/enhanced-azure-security-for-sending-emails-november-2017-update/

For Pay-As-You-Go or Microsoft Partner Network subscriptions created after November 15, 2017, there will be technical restrictions blocking e-mail sent directly from VMs in these subscriptions. Customers that need the ability to send e-mail from Azure VMs directly to external e-mail providers (not using an authenticated SMTP relay) can make a request to remove the restriction.

Requests will be reviewed and approved at Microsoft’s discretion and will be only granted after additional anti-fraud checks are performed. To make a request, open a support case with the issue type Technical –> Virtual Network –> Connectivity –> Cannot send e-mail (SMTP/Port 25).

Be sure to add details about why your deployment needs to send mail directly to mail providers instead of going through an authenticated relay.

AWS

AWS: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
Note: If you want AWS to create a reverse DNS record for you, you must first create a corresponding DNS A record before submitting this form.
1. Sign in and open the Request to Remove Email Sending Limitations form.
2. In the Use Case Description field, provide a description of your use case.
3. (Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound email, as well as any reverse DNS records AWS needs to associate with the Elastic IP addresses. AWS will use this information to help reduce the chance that email sent from the Elastic IP addresses is marked as spam.
4. Choose Submit.

You can reproduce the sending error by attempting to connect to an external mail server, e.g. smtp.gmail.com on 25/tcp.

For Plesk, you can use port 587 instead. See: https://support.plesk.com/hc/en-us/articles/213372829

Azure PowerShell Script Sample – Create a Linux VM

This script creates an Azure Virtual Machine with an Ubuntu operating system. After running the script, you can access the virtual machine over SSH.

If needed, install the Azure PowerShell module using the instructions found in the Azure PowerShell guide, and then run Login-AzureRmAccount to create a connection with Azure. Also, you need to have an SSH public key named id_rsa.pub in the .ssh directory of your user profile.

# Variables for common values
$resourceGroup = "myResourceGroup"
$location = "westeurope"
$vmName = "myVM"

# Define the user name and a blank password (password login is disabled below; the SSH key is used instead)
$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("azureuser", $securePassword)

# Create a resource group
New-AzureRmResourceGroup -Name $resourceGroup -Location $location

# Create a subnet configuration
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24

# Create a virtual network
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $resourceGroup -Location $location `
  -Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig

# Create a public IP address and specify a DNS name
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $resourceGroup -Location $location `
  -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4

# Create an inbound network security group rule for port 22.
# SourceAddressPrefix * allows SSH from any source address; narrow it to your
# management IP range unless the VM really must accept SSH from everywhere.
$nsgRuleSSH = New-AzureRmNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleSSH  -Protocol Tcp `
  -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
  -DestinationPortRange 22 -Access Allow

# Create a network security group
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
  -Name myNetworkSecurityGroup -SecurityRules $nsgRuleSSH

# Create a virtual network card and associate with public IP address and NSG
$nic = New-AzureRmNetworkInterface -Name myNic -ResourceGroupName $resourceGroup -Location $location `
  -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Create a virtual machine configuration
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize Standard_D1 | `
Set-AzureRmVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred -DisablePasswordAuthentication | `
Set-AzureRmVMSourceImage -PublisherName Canonical -Offer UbuntuServer -Skus 14.04.2-LTS -Version latest | `
Add-AzureRmVMNetworkInterface -Id $nic.Id

# Configure SSH Keys
$sshPublicKey = Get-Content "$env:USERPROFILE\.ssh\id_rsa.pub"
Add-AzureRmVMSshPublicKey -VM $vmConfig -KeyData $sshPublicKey -Path "/home/azureuser/.ssh/authorized_keys"

# Create a virtual machine
New-AzureRmVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig

Connect to Azure Database for MySQL with the mysql command line

Azure Database for MySQL enforces SSL connections by default, so a plain mysql connection fails at login:

ERROR 9002 (28000): SSL connection is required. Please specify SSL options and retry.

Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against “man in the middle” attacks by encrypting the data stream between the server and your application.

Here is how to set up the connection to use SSL.

Download the certificate needed to communicate over SSL with your Azure Database for MySQL server from https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem and save the certificate file to your local drive.

Connecting to the server using the MySQL CLI over SSL


# mysql -h mydemoserver.mysql.database.azure.com -u Username@mydemoserver -p --ssl-ca=BaltimoreCyberTrustRoot.crt.pem
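A wrapper for the connection step above, as an added example that is not part of the original note or of Microsoft's documentation. It adds two checks a practitioner would want: that the downloaded CA file is really a still-valid CA certificate (not a truncated download or an HTML error page saved under a .pem name), with its SHA-256 fingerprint shown so it can be compared with the value DigiCert publishes; and that the client verifies the server's identity with --ssl-mode=VERIFY_IDENTITY rather than only that its certificate chains to the CA. With --ssl-ca alone, Oracle's mysql client (5.7.11+) checks the chain but not the host name, so a certificate issued by the same CA for a different host would be accepted. It assumes curl, openssl and an Oracle MySQL 5.7.11+/8.0 client (MariaDB's client uses --ssl-verify-server-cert instead of --ssl-mode); the server and user names are the placeholders from the note, and the certificate in its test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original note. Validates the CA file and
# connects to Azure Database for MySQL with server-identity verification.
# Assumptions: curl, openssl and an Oracle MySQL 5.7.11+/8.0 mysql client.

CA_URL="https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem"
CA_FILE="${CA_FILE:-BaltimoreCyberTrustRoot.crt.pem}"

fetch_ca() {
    curl -fsSL -o "$CA_FILE" "$CA_URL"
}

# ca_pem_ok FILE -> 0 only if FILE parses as an X.509 certificate, has not
# expired, and carries basicConstraints CA:TRUE.
ca_pem_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_fingerprint FILE -> SHA-256 fingerprint as colon-separated hex, for
# comparison with the fingerprint published by the CA.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# mysql_ssl_connect HOST USER: refuses to run with an unusable CA file, then
# connects with VERIFY_IDENTITY so both the chain and the host name are checked.
mysql_ssl_connect() {
    if ! ca_pem_ok "$CA_FILE"; then
        echo "$CA_FILE is not a valid CA certificate; refusing to connect" >&2
        return 1
    fi
    echo "using CA with SHA-256 fingerprint $(ca_fingerprint "$CA_FILE")" >&2
    mysql -h "$1" -u "$2" -p --ssl-mode=VERIFY_IDENTITY --ssl-ca="$CA_FILE"
}

# Usage: ./mysql-ssl.sh mydemoserver.mysql.database.azure.com Username@mydemoserver
if [ $# -eq 2 ]; then
    [ -f "$CA_FILE" ] || fetch_ca
    mysql_ssl_connect "$1" "$2"
fi
```

If the connection fails with VERIFY_IDENTITY but works with --ssl-ca alone, the server certificate does not match the host name you are connecting to; check the host name before relaxing the mode.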