We currently have a large array of customers (1000 different on-premises installations).
We use a single server to host our sites which communicates with on-premises WebAPI's.
Currently we limit the traffic to the local servers in the router to allow only our server to access the local API's.
However we are considering moving alot of these webservices/sites to Azure which in turn means limiting on the IP's addresses becomes not feasible.
What approach would you recommend to allow the Azure servers to access the on-premises servers?
Best case scenario would of course be that no ports needed to be open in the routers (limit maintenance) however this seems very hard to accomplish if we still would like the ease of development that WebAPI gives us.
Otherwise we have thought about opening for public access to the API's but securing with https and authentication.
Does anyone have any alternative solutions?
Note: The on-premises WebAPI services are hosted with selfhost inside a Windows Service.
You could try using 'Azure Hybrid Connections' to access your on-premises Web API.
You could host your websites as 'Web Apps' in Azure App service and access your Web API.
You do not need to open any firewall ports or change your network perimeter configuration to allow any inbound connectivity into your network
Related
I was hoping someone may be able to explain how I would setup a multi-tiered web application. There is a database tier, app tier, web server tier and then the client tier. I'm not exactly sure how to separate the app tier and web server tier since the app tier will be in a private subnet. I would have the client send the request directly to the app server but the private net is a requirement. And having the app server separated from the web server is a requirement as well.
The only idea I have had was to serve the content on the web server and then the client will send all requests to the same web server on another port. Like port 3000, if a request is captured on that port, a node app using express will forward the request to the app tier since the web server can speak to the app server.
I did setup a small proof of concept doing this. The web server serves the content, then I have another express app setup to listen on port 3000, the client sends the request on port 3000 and then it just sends the exact same thing back to the app server.
This is my current setup with the web servers hosting two servers. One to serve the frontend on port 80 and one to receive requests on port 3000. The server listening on port 3000 forwards all requests to the app server ALB(It's basically a copy of all the same routes on the app server but it just forwards the requests instead of performing an action). But is there a way to not have this extra hop in the middle? Get rid of the additional server that is listening on 3000 without exposing the internal ALB?
To separate your web servers and application servers, you can use a VPC with public and private subnets. In fact, this is such a common scenario that Amazon has already provided us with documentation.
As for a "better way to do this," I assume you mean security. Here are some options:
You can (and should) run host based firewalls such as IP tables on your hosts.
AWS also provides a variety of options.
You can use Security Groups, which are statefull firewalls for your hosts
You can also use Network Access Control Lists (ACLs), which are stateless firewalls used to control traffic in and out of subnets.
AWS would also argue that many shops can improve their security posture by using managed services, so that all of the patching and maintenance handled by AWS. For example, static content could be hosted on Amazon S3, with dynamic content provided by microservices leveraging API Gateway. Finally, from a security perspective AWS provides services like Trusted Advisor, which can help you find and fix common security misconfigurations.
I Need to create a centralized DNS server or LDAP for All the cloud platform ..AWS, GCP, Alibaba.
Need a tools name and what is the approach to get this done?
If you run DNS and LDAP servers in real VMs you can use any DNS server and any LDAP server product provided the products support replicating the data over TCP and you set up network connection between all the different public cloud deployments.
Personally I prefer my Æ-DIR for user-management and PowerDNS Authoritative Server with LDAP backend with PowerDNS using Æ-DIR for access control. Being Æ-DIR's author I'm biased of course.
Is there a 'quick and dirty' way of funnelling calls to a web service via a certain IP address? Possibly in code (C#)?
I'm working on this Azure website (PaaS no VM) that's got it's own domain secured by SSL.
e.g. myapp.azurewebsites.net -> https://myapp.com
The system is using a 3rd party web service that uses whitelisted IPs for access control. Unfortunately they are not happy whitelisting the standard Azure egress IPs.
So what I need to do is find a way to call that web service via our own IP address (the one that came with the domain name package).
If possible, only that traffic, not all outgoing.
I've come across several solutions but I’d rather not want to compromise the stability of the production website by experimenting with App Service Environment.
I think the scenario being asked about is outbound calls from an app running on Azure App Service (aka Azure Websites), to an external endpoint.
In that scenario, the outbound calls from the web app are NAT'd using a pool of IP addresses allocated for the App Service scale unit that is running your app.
Using the "preview" portal (portal.azure.com), drill into the website blade for your app and click through "All settings" --> "Properties". In the properties blade that appears, there is a textbox called "OUTBOUND IP ADDRESSES". Those are the values you need to give to the third party provider to whitelist.
Does anyone know whether it is possible to route network traffic from an azure mobile service through a VPN to an on premise web service? None of the documentation I have read precludes that, but neither does it say we can. So far we have had no success though we can access the web service using a web browser VM in the same subscription. We can't run any new software at the site hosting the web service, so it would seem like Service Bus Relay cant be used and the web service can't have a publicly exposed ip address.
have a look at Mobile Services with an Azure Hybrid Connection. The walkthrough talks about exposing an on-premise database, but i think you can use the same steps to expose a different TCP port for your on-premise web service
We have developed a RESTful Web Service which requires access to a Network share in order to read and write files. This is a public facing Web Service (running over SSL) which requires staff to log on using an assigned user name and password.
This web service will be running in a DMZ. It doesn't seem "right" to access a Network Share from a DMZ. I would venture a guess that the "secure" way to do this would be to provide another service inside the domain which only talks to our Web Service. That way, if anyone wanted to exploit it, they would have to find a way to do it via the Web Service, not through known system API's.
Is my solution "correct"? Is there a better way?
Notes:
the Web Service does not run under IIS.
the Web Service currently runs under an account with access to the Network Share and access to a SQL database.
the Web Service is intended only for designated staff, not the public.
I'm a developer, not an IT professional.
What about some kind of vpn to use the internal ressources? There are some pretty solutions for this, and opening network shares to the internet seems too big a risk to do.
That aside, when an attacker breaks into your DMZ host using those webservices, he can break into your internal server using the same API unless you can afford to create two complete different solutions.
When accessing the fileservers from the DMZ directly, you would limit theses connections using a firewall so even after breaking your DMZ Host the attacker cannot do "everything" but only read (write?) to those servers.
I would suggest #2