We have a set of microservices deployed on a Kubernetes cluster which serves API. Also we have a Single Page web app - which is accessed for both pre-logic and post-login scenarios. i.e. some of the requests coming to web app are anauthorized.
App the APIs go through Apigee which is deployed on a separate zone.
What are the security risks in exposing webapp (on Kubernetes cluster) to internet via WAF (please note that webapp servers unauthorised public pages as well)
Given #1 is a security risk, what if exposing a react-js SPA (html, css and js) via Apigee?
2A. Will that reduce/ eliminate the security risk in #1?
2B. Is it a valid architectural pattern to expose html, css and js via an API Gateway
like Apigee?
Related
I have a a server (.dontet) running on Azure Web Service App. And I have an SPA running on top of that that communicates with the REST APIs of said server. That SPA (JS, HTML, CSS) is being served by accessing the root url of said server. (something like https://my-server.azurewebsites.net)
Now I want to deploy an additional SPA (basically a more modern version) that talks to the same server and to the very same REST APIs as the "old" SPA.
How can I accomplish that?
Thanks for your help
I am getting to the point of my project where I am ready to deploy it online with my custom domain via Azure once I make the upgrade from my Free Subscription.
So a little context, I have 1 web app service and 4 api services and each one is hosted in a separate app service such as:
www.sitename.azurewebsites.net
www.sitename-api1.azurewebsites.net
www.sitename-api2.azurewebsites.net
www.sitename-api3.azurewebsites.net
www.sitename-api4.azurewebsites.net
And the above web app communicates to all 4 api's and some api's may or may not talk to another. (Would have loved an application gateway so hopefully I'll be changing this architecture later down the road).
So as I get ready to associate my domain to the services, the web container seems pretty straight forward to me as it just becomes www.sitename.com, but I am a little confused about the api services. The way I am thinking about this is that each api service will be in it's own subdomain, such as:
www.api1.sitename.net
www.api2.sitename.net
www.api3.sitename.net
www.api4.sitename.net
where I believe I can register my SSL and domain to each app service somehow, but this leaves me with a few questions.
Do I host each api in a subdomain using the same domain as the web
app, or is there a different way preferred like where I host them
all on the same domain with different exposed ports per API and web
listening 80/443, or maybe just use the IP address of the api app
service and allow www.sitename.com as the origin for CORS?
I am assuming that since I am associating my SSL cert to the web
service, I will need to do the following on the api services?
Would it be better (and still affordable) if I just had a VNET
associated to the app services and the domain only registered with
the web app?
Any insight into this would be greatly appreciated on how I can establish communication between my app services with my custom domain and SSL as I am fairly new to this part of the stack, but excited about learning!
As I known, on Azure cloud, there are two services can help to manage your APIs deployed on multiple app service containers: API Management and Application Gateway.
The Premium tier of API Management has the feature for multiple custom domain names, please see the offical document Feature-based comparison of the Azure API Management tiers as the figure below.
You can refer to the quick start tutorial of Create a new Azure API Management service instance and other related documents to kown how to.
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications." said in the introduce What is Azure Application Gateway?. And as the figure of its architecture below, "With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos."
I recommended to use Azure Application Gateway which be a good choice to manage multiple app services and expose the unified urls of APIs.
Using the App Engine Flexible Environment, I'm preparing to deploy an Angular 4 client and am looking into Cloud Endpoints to handle my node.js/express microservices as it seems to simplify securing and authenticating endpoint requests, and I wanted to clarify a few things:
Do I use cloud-endpoints as an API Gateway which routes requests to the individual microservice backends or are the microservices supposed to be built as individual endpoints-apps themselves?
Do I host the Angular 4 app statically (server agnostic), and make endpoint requests directly to the Gateway/microservice from the ng client, or is the app hosted through a server framework (e.g. node.js/express) which then passes on the request along to the Gateway/microservice
Endpoints is an API gateway, but it currently only routes to a single backend. On Flex, it's whatever app you deploy. The Endpoints proxy sits in front of your backend, transparently to the client, and the client requests will pass through the gateway. See the docs for how to set up your Flexible environment.
In conjunction with a dispatch.yaml directive to handle routing, you can use GCE as a gateway to multiple microservices running as services in a given project.
You can call the services directly or proxy through a server.
In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?
I guess you can run Asp.NET Core Web App in Azure Web App and Deploy AspNet Core Web Api to Azure Api App, then make Api end point private so only Web app can talk to it? I see options like Google, Facebook et. as auth providers. Is that what you have to do to make API private?
D.
If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads requiring:
Very high scale
Isolation and secure network access
The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.
You can see an example of IP restrictions here: restricting IP security
Of course you should also have authentication set up on your API. Documentation links:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
In line with what #juunas said above and a slight variant is to introduce Azure API Management Gateway in between Azure web app and Azure Api app. In standard tier API Gateway the IP address is fixed and doesn't change and you can use the API Gateway address in Azure API App web.config to whitelist.
I have a rest service that I need to use in a browser web application using a JS MVC client framework like Backbone or Angular. But I need to ensure that my rest services are not exposed or anyone else may not be able to use my rest service to build apps on any device/client. Earlier I thought of protecting my web service using authentication credentials and hiding it behind a proxy and let the proxy serve html instead of service.
But I would like to know how can I secure my web service if I have to use it directly from front-end using ajax calls.