I have a multi-tenant Azure application. Inside a resource group, there is a web app and an Azure SQL server with one database per tenant. There is also a database which holds all the information for each tenant.
Each tenant accesses its application with a subdomain of the application (e.g. client1.myapp.com, client2.myapp.com...). There is a single version of the application for all the tenants.
When I publish a release, I disable the application so nobody can connect, publish a new version to a web app slot, update all the databases of all the clients, test and swap the web app slot and reactivate everything.
The issue is that with every new client, the downtime increases for all the clients because all the databases need to be updated.
What is the best strategy so a tenant can access its application as soon as its own database is updated?
I was thinking of two web apps, one with the old version and the other with the new version, and an application gateway to redirect the updated clients to the new web app, but I don't know how to script that.
Maybe there is a simpler solution?
Related
We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solutions can be achieved with the Azure AD multi-tenant authentication application pattern.
Here are the steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
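As an added example (not code from the answer above or from Microsoft's libraries), the "handle multiple/single issuer values" step written out as an explicit check in Python: once a token has been accepted through /common, the app must still tie the issuer to the token's own tenant and decide whether that tenant is one it serves. The tenant ID and claims below are constructed sample values.

```python
"""Issuer and tenant validation for Azure AD tokens in a multi-tenant app (added example)."""
import re
from typing import Iterable, Mapping, Optional

# Azure AD issuer formats; {tid} is filled from the token's own "tid" claim.
# The v2.0 endpoint issuer and the older v1 (sts.windows.net) issuer are both accepted.
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def validate_issuer(claims: Mapping[str, str],
                    allowed_tenants: Optional[Iterable[str]] = None) -> bool:
    """Return True only if the token's issuer belongs to the token's own tenant
    and that tenant is one the app is willing to serve.

    allowed_tenants=None means any Azure AD tenant (one web app for many tenants);
    a single-entry collection is the one-tenant-per-web-app flow.
    Signature verification against the tenant's signing keys is assumed to have
    already succeeded; this function only covers the issuer/tenant decision.
    """
    iss = claims.get("iss", "")
    tid = str(claims.get("tid", "")).lower()
    if not iss or not TENANT_ID_RE.match(tid):
        return False
    # Accepting "/common" literally as the issuer, or any URL that merely contains
    # the tid, would let a token from an unrelated tenant through; require an exact match.
    if iss not in {t.format(tid=tid) for t in ISSUER_TEMPLATES}:
        return False
    if allowed_tenants is None:
        return True
    return tid in {t.lower() for t in allowed_tenants}


# Constructed sample claims (not real tenants) to exercise the check.
CONTOSO_TID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLAIMS = {
    "good_v2": {"iss": f"https://login.microsoftonline.com/{CONTOSO_TID}/v2.0", "tid": CONTOSO_TID},
    "good_v1": {"iss": f"https://sts.windows.net/{CONTOSO_TID}/", "tid": CONTOSO_TID},
    "common_iss": {"iss": "https://login.microsoftonline.com/common/v2.0", "tid": CONTOSO_TID},
    "tid_mismatch": {"iss": f"https://login.microsoftonline.com/{CONTOSO_TID}/v2.0",
                     "tid": "99999999-8888-7777-6666-555555555555"},
}


def check_samples(allowed_tenants: Optional[Iterable[str]] = None) -> dict:
    """Run every sample through validate_issuer under a given tenant policy."""
    return {name: validate_issuer(c, allowed_tenants) for name, c in SAMPLE_CLAIMS.items()}
```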
At the end of November 2018 I created an Azure Web App for a static HTML page, complete with an App Service and App Service Plan, and I created FTP access data for the site back then.
Now I want to activate authorization by Azure AD. Only users from my Azure AD should be allowed to view the page, and for this I have to change settings in the App Service. The app still exists. In Azure Active Directory I can still see it under App registrations. The HTML page is still available at the URL created at that time (https://[name-of-app].azurewebsites.net). The FTP access data still works.
But the App Service created back then and the App Service Plan it used have disappeared. I cannot configure the app anymore. I cannot change the App Service Plan anymore. The app does not appear in any resource group either. I also do not remember deleting the App Service.
How do I get the App Service and the App Service Plan of the Web App back?
I am the owner of the Azure Subscription and I am the Global Admin of the associated Azure AD.
"In Azure Active Directory I can still see it under App registrations."
The first thing I want to clarify is that applications under App registrations are not the same thing as Azure web apps.
If you can still access https://[name-of-app].azurewebsites.net, the web app should exist. Please check that you have selected the correct subscription if there is more than one.
Then try to search the webapp again in the search box.
I have created a Xamarin Android app with an Azure App Service back end. When I looked at securing the connection, I don't really care about individual users, but I want to make sure that only someone running my app can access the database. Is there a way to authenticate the app itself rather than individual users? What is the best practice in this scenario?
If you don't care about users, there are a few approaches and the security level may vary. If you want to simplify integration and deployment among Azure services, you should consider using Azure AD as the identity and access management in your entire system. That said, your back end and Xamarin app are authorized and authenticated via Azure AD. You need to register your native app in Azure AD, which you can refer to here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-native-client
Another approach is to use certificate-based authorization against Azure Active Directory, which is more controlled and secure than a client secret. In this case, persons installing your app must also install a certificate before sending requests to Azure App Service and retrieving data from Azure SQL Database. The level of authorization is free of choice, but the first gateway is always Azure AD.
I have an Azure Enterprise subscription, I am developing an ASP.NET MVC web app and have the following questions.
My web app will maintain a user store and authenticate users against it. It will also check user access rights and accordingly pull the Azure resources available to him. I just have one Azure subscription and the user logged in is not configured on Azure.
Is it possible to impersonate a user, i.e. I have an Azure subscription for Mr X. My application user store has users A, B, C (they don't have Azure subscriptions). User A logs in to my web app and my web app invokes the Billing and Usage API using Mr X's credentials, pulls the data and displays only Mr A's specific usage data.
I know this is a bit off-track as a requirement, but my client is looking out for this scenario. They want user management in the custom app and not on Azure. Please guide.
Your MVC web application hosted in Azure normally has nothing to do with the users on your Azure subscription. In your case you just need the application to access the data in your subscription with the REST API. You can find more info on how you can authenticate your application to the API Management REST API. Then you can use the API to get information out of Azure.
I've deployed a multi-tenant Orchard application in Azure and have noticed that when adding a tenant via the host site it is only available immediately on the same web instance as the host. If I have a few web role instances then my request fails when I am routed to a different instance. Is there a mechanism for synchronising the loaded tenants on each web role instance? If not, I will make use of a Service Bus topic and publish a tenant refresh on each instance (I note the "_tenantsToRestart" collection in the DefaultOrchardHost).
Second question, does the warmup module work with blob storage? It seems to be doing something in app data but I'm not sure whether this is backed by blob storage.
Thanks
Matt