0

We have Azure Function configured with VNet integration to our private network. Also, we have Azure Container Instance with ClamAV application running in our private network.

Using my development machine that is connected to the private network I can connect to the ClamAV application. But when Azure Function tries to connect to the same ClamAV application it fails with this error: Exception: An attempt was made to access a socket in a way forbidden by its access permissions. [::ffff:172.16.195.196]:3310;

The code looks like this:

var clamAvClient = new TcpClient();
await clamAvClient.ConnectAsync("172.16.195.196", 3310); // <-- exception thrown here
// send the file data to the tcp client stream

Some notes:

  • The exact same code works from the dev machine but fails in Azure Function.
  • Azure Function has access to the private network (it successfully connects to the Blob Storage in this private network).
  • Azure Function can connect to the different ClamAV application located in the public network:
await clamAvClient.ConnectAsync("<instance name>.azurecontainer.io", 3310); // <-- it works
await clamAvClient.ConnectAsync("172.16.195.196", 3310); // <-- it fails

3 Answers

4

Judging by the IPv4-mapped IPv6 address I see here

Exception: An attempt was made to access a socket in a way
forbidden by its access permissions. [::ffff:172.16.195.196]:3310

your clamAvClient is trying to speak IPv6 to your remote endpoint. Look at the docs and find a way to persuade it to switch to IPv4, which will work nicely from an Azure Function. IPv6 won't.

Try this:

using System.Net.Sockets; // TcpClient, AddressFamily

// InterNetwork -- Address for IP version 4.
// InterNetworkV6 -- Address for IP version 6.
TcpClient clamAvClient = new TcpClient(AddressFamily.InterNetwork);

(from learn.microsoft.com)

<instance name>.azurecontainer.io works because most probably its DNS name resolves to an IPv4 address.

1 Comment

Thank you. That was exactly the issue we had.
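
The fix from the answer above in a complete exchange, as an added example that is not from the original posts or from nClam: an IPv4-only TcpClient sending data to clamd with the INSTREAM command. ScanAsync and the loopback stand-in for clamd are hypothetical and constructed so the program runs offline; it assumes a .NET 6+ console project (top-level statements).

```csharp
using System;
using System.Buffers.Binary;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

// Constructed stand-in for clamd on IPv4 loopback so the example runs offline.
byte[] sample = Encoding.ASCII.GetBytes("constructed sample data");
var listener = new TcpListener(IPAddress.Loopback, 0);
listener.Start();
int listenPort = ((IPEndPoint)listener.LocalEndpoint).Port;
Task fakeClamd = Task.Run(async () =>
{
    using TcpClient c = await listener.AcceptTcpClientAsync();
    var buf = new byte[4096];
    int want = 10 + 4 + sample.Length + 4, got = 0, n; // command + size + data + terminator
    while (got < want && (n = await c.GetStream().ReadAsync(buf)) > 0) got += n;
    await c.GetStream().WriteAsync(Encoding.ASCII.GetBytes("stream: OK\0"));
});
Console.WriteLine(await ScanAsync("127.0.0.1", listenPort, sample));
await fakeClamd;
listener.Stop();

// Hypothetical helper: scan one buffer with clamd's INSTREAM command.
static async Task<string> ScanAsync(string host, int port, byte[] data)
{
    // InterNetwork creates a plain IPv4 socket, so the peer is addressed as
    // a.b.c.d rather than as the IPv4-mapped IPv6 form [::ffff:a.b.c.d].
    using var client = new TcpClient(AddressFamily.InterNetwork);
    await client.ConnectAsync(host, port);
    NetworkStream s = client.GetStream();
    await s.WriteAsync(Encoding.ASCII.GetBytes("zINSTREAM\0"));
    var len = new byte[4];
    BinaryPrimitives.WriteUInt32BigEndian(len, (uint)data.Length);
    await s.WriteAsync(len);          // chunk size, network byte order
    await s.WriteAsync(data);         // one chunk; keep it under clamd's StreamMaxLength
    await s.WriteAsync(new byte[4]);  // zero-length chunk ends the stream
    var reply = new StringBuilder();
    var buf = new byte[256];
    int n;
    while ((n = await s.ReadAsync(buf)) > 0)
    {
        reply.Append(Encoding.ASCII.GetString(buf, 0, n));
        if (buf[n - 1] == 0) break;   // replies to z-prefixed commands end with NUL
    }
    return reply.ToString().TrimEnd('\0');
}
```

Against a real clamd, pass the container's private IPv4 address and port 3310 to ScanAsync in place of the loopback stand-in.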
1

I assume you are using the nClam library. This is a known issue. There is an open PR to fix your exact same issue here: https://github.com/tekmaven/nClam/pull/39. You might need to use the forked version from that PR, since the PR doesn't seem to be looked at by the repo maintainer :(

0

Seems to me the problem is related to the port 3310 your ClamAV is listening on. Try changing to the default 443 port, or host ClamAV in a Service Fabric cluster / VM / worker role where you can control which ports to open / listen on.
