I am setting up API Apps within ASE, and I was having some difficulties understanding the usage of access levels.
I noticed that if the API App access level is set to “Internal” it’s not accessible publicly, however, I do not get an internal endpoint, just a public one – so I am unable to access this application internally (for example – browsing to it from a VM in the same network).
How can I access the API App from say a virtual machine hosted on Azure? How can I get an internal endpoint for an API App?
My goal is to be able to access the API App from my VNet, and to have public access blocked.
How can I accomplish this?
Thanks,
Turns out API Apps only have a single end-point which is a public VIP.
Need to create a network security group on the subnet and add explicit rules for public VIP's of back-end machines that require access to the API. This will block internet traffic to the app when it is on public anonymous.
Related
I have an OData V4 Web API( .NET Framework 4.6.1) hosted on On-Prem IIS. Instead of making it Internet Facing, I want to host it on Azure. What are my options here? What are the best practices to host it? Do I have to create a new Web API Project inside Azure? What Services do I need to subscribe to?
This web service will be consumed by Virtual Entities under MS CRM
https://learn.microsoft.com/en-us/dynamics365/customer-engagement/customize/virtual-entity-walkthrough-using-odata-provider
Deploy it to Azure App Service, The web app type should not make a difference but Web API should be the most correct.
If you don't want to expose it to everyone, you can use Access Restrictions on your azure web app by adding a rule that allows specific IP range to access the API URL
You have two options
using Azure Relay service - Hybrid connection (Relay Service link)
S2S VPN - Another option, which helps to expose the service to a particular Azure Virtual Network.
(Reference link)
Can you tell me what are the services going to consume the service, so that I can provide accurate solution
I have a ASP.Net WebAPI service that is used by my AngularJS front end and I am making use of Owin and bearer token.
Now there is a need that we need to install an agent on the few of the client machines (developed in .Net core mostly) that is able to connect to our application and make similar calls. I can create a separate controller for this need, but want to host it in the same website.
How can I create a secure connection between this agent and the ASP.Net server hosted on Azure?
Currently I am looking at generating a Token during the agent installation based on the client MAC address and giving it with each call, but I am checking if there are any better way to address this need.
Any help in this direction is welcome.
Regards
Kiran
It seems that you’d like to enable only valid “agents” that installed on the client machines to communicate with your server, if that is the case, Azure AD provides Native Application to Web API authentication scenario (a native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD), you could refer to it.
I've seen some cast on //Build 2015 that uses microsoft azure application insights to trace site/application's wealth..I was wondering if there's a way of doing so on a intranet application with restricted internet access.
is there a way of installing insights service on a windows server?
Or does a similar tool exists?
Thanks
Out of the box you won't be able to use ApplicationInsights on a server with restricted internet access because ApplicationInsights needs to send the collected telemetry over to ApplicationInsights service for analysis and aggregation.
However if you would like to configure a an intermediary endpoint on a server that has internet connection you can replace the endpoint address in ApplicationInsights.config. Inside TelemetryChannel node set the value for EndpointAddress property to your custom endpoint:
<TelemetryChannel>
<EndpointAddress><your custom endpoint></EndpointAddress>
</TelemetryChannel>
Then in your intermediary endpoint route the traffic to http://dc.services.visualstudio.com/v2/track
I am creating an ASP web form hosted on a public Microsoft web host. I need it to access a SQL database located locally on our internal network. I have developed a web service that talks to the ASP web form, but I don’t know where the web service should be located and how to get the data from the ASP web form to the local SQL database on our network.
So it's really two questions:
Where should the web service be located? On the public Microsoft host or on the internal network host?
How would the web service get the information from the public ASP web form to the internal SQL database?
Regarding the first question:
I guess you mean that the web server contacts the web service, not the other way around.
My guess would be to have the service at your company network if you want to contact the database for more than one application.
If there is no need for the database over there, i would place the service, database and web server to the cloud you are using, since this is better for availability and performance.
Regarding the second question:
You could look into some basic database interaction code like in ADO.NET or Entity Framework. Use MSDN as a starting point.
Do you mean Azure, when you say MS web host? Azure (and other cloud services) allow you to create a site to site virtual network e.g on Azure: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-site-to-site-create/
If not Azure, but something like Rackspace they often have similar functionality: http://www.rackspace.com/knowledge_center/article/configure-a-site-to-site-vpn-using-the-vyatta-network-appliance
With this network configured, you could connect securely to your local SQL instance.
Latency and line speed will limit performance, obviously. You would need to experiment. Ultimately it would probably be better as suggested in the other answer to host your database in the cloud too.
Really simple (possibly stupid) question for the Azure experts out there.
I am currently in the process of building an application which uses web and worker roles and in the back end connects to WCF services. So in other words my web/worker roles call the WCF backend to obtain whatever data they need, currently they use certificate based authentication.
What I would like to understand is if WCF services hosted on Azure require security even if the endpoint will never be exposed publicly? Is there any reason to implement authentication on these private WCF services or is it safe to just set <security mode="None" />?
While your Worker or Web Roles are able to have private endpoints that are available to other instances within the same Hosted Service, please keep in mind that those private endpoints are NOT load-balanced.
You can check out this article to see how you can go around this issue: http://msdn.microsoft.com/en-us/magazine/hh148149.aspx
If you want load-balanced WCF endpoints, they need to be publically accessible through Azure's load balancer and thus you may want to (but do not have to) put security on top
Microsoft has been promising private load-balanced endpoints but nothing has come out yet.
HTH