Connecting web and api application inside app runner inside VPC - amazon-web-services

My architecture is the following:
Web app that a user can connect via the internet and that connects to an API that retrieves the data for the application;
API that receives the request from the web app, retrieves the data from the database and sends it back to the web app.
I'm running both of them in AWS App Runner with all the configurations set to public, but this is not ideal since my API should be kept off the internet and accessed only by the web app.
What I tried to do is set the API with a VPC connector in the outgoing network and a VPC endpoint as incoming:
It is indeed not accessible via the internet, but it works from inside the VPC (I'm able to connect to it using my VPN).
For the web app, I set the incoming as public (so I can access it via the internet) and the outgoing as a VPC connector (the same as the API one):
But this doesn't work. I can connect to the web app, but it cannot connect to the API. What's more confusing to me is that when I set the incoming for the web app to be a VPC endpoint, I could access it from inside the VPC using the VPN, and it could connect to the API without problems.
Does anyone know what I'm doing wrong?
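A small exposure check for the two network settings the question is about. This is an added example, not code from the post: it reads the NetworkConfiguration block that `aws apprunner describe-service` returns for each service (the field names are the ones that API emits; the documents below are constructed, not captured from an account) and reports when the API is publicly reachable or when the web app's egress still goes over the public internet. It verifies the exposure properties the poster wants, it does not diagnose the connectivity problem described.

```python
"""Exposure check for an App Runner web/API pair (added example, constructed data)."""

# Stand-in for the "Service" document `describe-service` returns; only the
# network-related fields used by the check are included.
def service_doc(name, public_ingress, egress_type, connector_arn=None):
    egress = {"EgressType": egress_type}          # "DEFAULT" (internet) or "VPC"
    if connector_arn:
        egress["VpcConnectorArn"] = connector_arn
    return {"Service": {
        "ServiceName": name,
        "NetworkConfiguration": {
            "EgressConfiguration": egress,
            "IngressConfiguration": {"IsPubliclyAccessible": public_ingress},
        }}}

# Placeholder connector ARN (assumption, not a real resource).
CONNECTOR = "arn:aws:apprunner:eu-west-1:123456789012:vpcconnector/example/1/abc"

# Starting point in the question: everything public, no VPC connector.
STARTING_WEB = service_doc("web", True, "DEFAULT")
STARTING_API = service_doc("api", True, "DEFAULT")

# Target topology: API private (VPC endpoint ingress), both egress via the connector.
TARGET_WEB = service_doc("web", True, "VPC", CONNECTOR)
TARGET_API = service_doc("api", False, "VPC", CONNECTOR)


def check_topology(web, api):
    """Return a list of findings; an empty list means the exposure is as intended."""
    findings = []
    net_web = web["Service"]["NetworkConfiguration"]
    net_api = api["Service"]["NetworkConfiguration"]

    if net_api["IngressConfiguration"].get("IsPubliclyAccessible", False):
        findings.append("api: ingress is public; it should only be reachable "
                        "through the VPC endpoint")

    if net_web["EgressConfiguration"].get("EgressType") != "VPC":
        findings.append("web: egress is DEFAULT (public internet); a private API "
                        "cannot be reached without a VPC connector")

    return findings


if __name__ == "__main__":
    for label, web, api in (("starting", STARTING_WEB, STARTING_API),
                            ("target", TARGET_WEB, TARGET_API)):
        print(label, check_topology(web, api) or "ok")
```

Run it against real output by replacing the constructed documents with `json.load` of the two `describe-service` results.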

Related

AWS Load Balancing all of same websocket route to the same instance

I'm writing an application where multiple users connect to a websocket server with the following url as an example wss://example.com/ws/1234.
Multiple users may connect to the same one and I require them to all connect to the same ec2 instance. All that try to connect to wss://example.com/ws/1234 will go to the same server, and all users that connect to wss://example.com/ws/4325 will also go to the same server. These routes are generated dynamically.
If a client is the first client to connect to an endpoint, it will route them to the server with the least CPU load. If a client is connecting to an endpoint that has already been connected to, they will be sent to the same server.
I've tried going into the listener rules for my ec2 auto-scaling group. But, I couldn't find any settings that seemed like they would do the trick.
My attempt:
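The routing behaviour the post asks for, written out as a standalone routing table rather than a load-balancer setting. This is an added example, not code from the post: the first client on a path goes to the instance with the lowest CPU load, later clients on the same path follow it, and a path is reassigned only if its instance disappears. Instance names, the load snapshot and the `cpu_load` callback are constructed; a real deployment would feed it from its own metrics.

```python
"""Path-sticky websocket routing (added example, constructed data)."""


class PathStickyRouter:
    def __init__(self, cpu_load, max_paths=10_000):
        # cpu_load: callable returning {instance_name: load_fraction} for live instances.
        # max_paths bounds the table, since paths are chosen by clients.
        self._cpu_load = cpu_load
        self._max_paths = max_paths
        self._assignments = {}   # path -> instance name

    def route(self, path):
        """Return the instance that should serve `path`."""
        live = self._cpu_load()
        if not live:
            raise RuntimeError("no healthy instances")

        inst = self._assignments.get(path)
        if inst in live:                 # known path, instance still healthy
            return inst

        if inst is None and len(self._assignments) >= self._max_paths:
            raise RuntimeError("routing table full")

        # New path, or its instance went away: pick the least-loaded instance.
        inst = min(live, key=live.get)
        self._assignments[path] = inst
        return inst

    def forget(self, path):
        """Drop the mapping once the last client on a path has disconnected."""
        self._assignments.pop(path, None)


# Constructed load snapshot standing in for instance metrics.
LOADS = {"i-a": 0.80, "i-b": 0.20, "i-c": 0.50}

if __name__ == "__main__":
    router = PathStickyRouter(lambda: dict(LOADS))
    print(router.route("/ws/1234"), router.route("/ws/4325"))
```

The `forget` call and the `max_paths` cap matter because the path is client-controlled: without them any client can grow the table without bound.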

Can I listen to event hub from app service environment without service endpoint?

Basically, can I have an Azure Function or WebJob in an App Service Environment listening to an Event Hub without a service endpoint? This way I will be able to accept data over the public internet and also listen in the VNet.
Adding probable Security architecture:
Service Endpoints save you time by doing the IP firewall, NAT and gateway configuration changes in your VNet. If you make those changes on your own, then yes, you can access any public endpoint from your VNet.

Private IP address of Azure VM being returned as address in WSDL file when accessing WSDL file from browser connected to an Azure Application Gateway

I have a SOAP service running on Tomcat that is deployed in an Azure scale set. I have an Azure Application Gateway that is fronting the scale set. When I try to access the WSDL (/service?wsdl) via a web browser using the Application Gateway DNS name, the WSDL that is returned contains the private IP addresses of the VM that processed the request. This prevents the endpoints from being accessed, since they are private. If I access the WSDL going directly to the back-end VM's DNS name, the address returned contains the public host name of the VM that I sent the request to and can be accessed, since it is public. I don't have this problem when I deploy a similar setup in the AWS environment using an AWS ELB in front of the scaling group.
I am able to get this to work by configuring the Tomcat connector to use proxyName and proxyPort to specify the host name of the Azure Application Gateway. However, there are other SOAP clients that are required to access the back-end VMs directly on that same connector, and specifying the proxy parameters on the connector forces them to go through the Azure Application Gateway as well.
I realize that a different Tomcat connector can be configured to address this, but this is not an optimal solution for the back-end application.
So, to the question: is there some Azure Application Gateway configuration setting that I can change so I can make this work like AWS ELB and not have to use the proxyName Tomcat parameter?
Thanks.
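The two-connector workaround the post mentions, as an added example (not configuration from the post): one connector carries proxyName/proxyPort so WSDLs generated for gateway traffic advertise the gateway's host name instead of the VM's private address, and a second connector without them serves the SOAP clients that must reach the VM directly. The host name, ports and the assumption that the gateway terminates TLS are placeholders.

```xml
<!-- server.xml fragment (added example). Connector for requests arriving via
     the Application Gateway: proxyName/proxyPort make Tomcat generate the
     WSDL (and redirects) with the gateway's public name and port. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="appgw-example.eastus.cloudapp.azure.com"
           proxyPort="443"
           scheme="https" secure="true" />

<!-- Separate connector for SOAP clients that call the VM directly.
     No proxyName here, so the WSDL reflects the host they actually used.
     Restrict who can reach this port with an NSG, since it bypasses the gateway. -->
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000" />
```

Point the gateway's backend pool at 8080 and the direct clients at 8081; `scheme`/`secure` are only correct if the gateway terminates TLS and forwards plain HTTP, which is an assumption here.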

How to make Web Services public

I created an Android application that requires the use of a web service.
I want it to be able to access the app everywhere, therefore I need
my web services to be public with an external IP so I can access them.
What is the best way to do it?
I have an Amazon Web Services account; I don't know if creating an instance and running the web services there would be the best solution.
My big problem with the Amazon instance is that it takes a while for the result of the web service to show in the app.
Any ideas on how to make my web service public?
It appears that your requirement is:
Expose a public API endpoint for use by your Android application
Run some code when the API is called
There are two ways you could expose an API:
Use Amazon API Gateway, which can publish, maintain, monitor, and secure APIs. It takes care of security and throttling. A DNS name is provided, which should be used for API calls. When a request is received, API Gateway can pass the request to a web server or trigger an AWS Lambda function to execute code without requiring a server.
Or, run an Amazon EC2 instance with your application. Assign an Elastic IP address to the instance, which is a static IP address. Create an A record in Amazon Route 53 (or your own DNS server) that points a DNS name to that IP address.
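The API Gateway + Lambda option from the answer, as an added example (not code from the answer): a handler for the REST API Lambda proxy integration that reads the query string, validates the one parameter it accepts, and returns a JSON response in the shape API Gateway expects. The `/greet` route, the `name` parameter and the sample event are constructed. Throttling and authorization are configured on the gateway side; the handler still validates its own input.

```python
"""API Gateway (REST, Lambda proxy integration) handler (added example)."""
import json


def _response(status, body):
    # Shape required by the proxy integration: statusCode, headers, string body.
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
        "body": json.dumps(body),
    }


def lambda_handler(event, context):
    """Entry point API Gateway invokes; `event` is the proxy-integration event."""
    if event.get("httpMethod") != "GET":
        return _response(405, {"error": "method not allowed"})

    # queryStringParameters is null (not {}) when the request has no query string.
    params = event.get("queryStringParameters") or {}
    name = params.get("name", "")

    # Allow-list the input instead of passing it on to whatever does the work.
    if not name.isalnum() or len(name) > 32:
        return _response(400, {"error": "name must be 1-32 alphanumeric characters"})

    return _response(200, {"greeting": f"hello {name}"})


def decoded_body(resp):
    """Parse the JSON body of a handler response (helper for callers/tests)."""
    return json.loads(resp["body"])


# Constructed event, shaped like what API Gateway sends for GET /greet?name=alice.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/greet",
    "queryStringParameters": {"name": "alice"},
    "headers": {"User-Agent": "constructed"},
    "body": None,
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Deploy the function, create a GET method on the API with "Use Lambda Proxy integration" enabled, and the Android app calls the DNS name API Gateway provides.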

How can I set up a private web app on Azure using an App Service Environment

I have a web app and a web service (which will be uploaded to Azure as a web app). How can I make my web service private (not accessible to the public, only accessible by the web app)? Apparently you're able to do it with an App Service Environment, but there isn't much documentation on it.
Is it possible?
You can follow this article to set it up: https://azure.microsoft.com/en-us/documentation/articles/app-service-web-how-to-create-an-app-service-environment/
The main difference between App Service and App Service Environment (ASE) is that App Services run on a pre-built, shared-tenant, hyper-scale web farm, whereas ASEs are purpose-built (on-demand) web farms provisioned directly in your subscription that must be attached to a VNet. Because you can attach your ASE to a VNet, you can then apply Network Security Groups (NSGs) to the VNet to prevent or allow traffic flowing to the ASE.
Here is the page describing how to add the layered security to your ASE once you've built it:
Layered Security Architecture with App Service Environments
So with ASE you get the deployment/monitoring/management features of App Services, but with the network layer control of a VM.
How can I make my web service private (not accessible to the public, only accessible by the web app)?
Network Security Groups can be used to control network traffic rules at the networking level; we can apply a Network Security Group to the subnet so that it acts as a firewall in the cloud. Russell Young has shared a good article about setting up Network Security Groups, which you can read, and you could check this blog that explains securing network access using Network Security Groups.
Besides, it is easy to implement custom authentication at the application layer to prevent unauthenticated clients from accessing your web service. For example, we could use SOAP headers for authentication. The web service client's credentials are passed within the SOAP header of the SOAP message when the client wants to access the web service; the web service then validates the SOAP header, and if it contains valid authentication credentials, the client is authorized to access the web service.
You could check Implement Custom Authentication Using SOAP Headers.
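The SOAP-header check the answer describes, as an added example (not code from the answer or the linked article): the client puts a username and password in a custom header, and the service validates them before looking at the body. The header namespace `urn:example:auth`, the credential store and the salt are constructed. Two points the answer does not spell out: this only protects the credentials if the service is reachable over TLS alone, and it complements the NSG rules rather than replacing them.

```python
"""SOAP header credential check (added example, constructed credentials)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET   # use defusedxml in production: plain ET
                                     # parsers expand entities from untrusted XML
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"          # constructed namespace for the custom header

SALT = b"constructed-salt"            # per-deployment secret in reality


def _hash(password):
    # Stdlib-only password hash; a real service would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed credential store: username -> hashed password.
USERS = {"webapp": _hash("correct horse")}


def build_request(user, password, body_xml):
    """Client side: envelope with the credentials in the header."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
            f'<soap:Header><auth:Credentials xmlns:auth="{AUTH_NS}">'
            f'<auth:Username>{escape(user)}</auth:Username>'
            f'<auth:Password>{escape(password)}</auth:Password>'
            f'</auth:Credentials></soap:Header>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def authenticate(envelope_xml):
    """Service side: return the username if the header carries valid
    credentials, otherwise None (the body is not touched until then)."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    creds = header.find(f"{{{AUTH_NS}}}Credentials") if header is not None else None
    if creds is None:
        return None
    user = creds.findtext(f"{{{AUTH_NS}}}Username") or ""
    password = creds.findtext(f"{{{AUTH_NS}}}Password") or ""

    expected = USERS.get(user)
    supplied = _hash(password)          # hash even for unknown users, same cost
    if expected is None:
        return None
    return user if hmac.compare_digest(supplied, expected) else None


if __name__ == "__main__":
    print(authenticate(build_request("webapp", "correct horse", "<GetData/>")))
```

The service should reject the whole request when `authenticate` returns None, before any body handler runs; the comparison uses `hmac.compare_digest` so a wrong password is rejected in constant time.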