What is the best means to connect onprem and azure cloud resources - azure

I am working to connect our on-prem and cloud resources together using a site-to-site VPN link. The question is, do I have to set up a point-to-site connection alongside the site-to-site connection, or does just one work? ExpressRoute will be too expensive as we have a small footprint in Azure.
Migration of servers from on-prem to the Azure cloud is one of the reasons why this is being created, and disaster recovery back to on-prem is a condition as well. Any solution with a good reason works; feel free to chip in.
I am concerned about people who work remotely, or if I travel and need to log in to our network.
Just looking for information on best practices or any challenges that anyone who did similar work encountered.

Related

Azure WebService - MySQL - Redis configuration

I am creating a WebService with C# Core 3.0 that is using MySQL and Redis, but I am not so familiar with Azure so I need advice about configuring everything.
I had MySQL hosted on AWS, but I am transferring it to Azure because I think that performance (speed) will be better on Azure because they will be in the same data center. Right?
But, on my MySQL page the Host is like '*.mysql.database.azure.com'. Does that mean that every connection will go out of Azure, and then come back? I don't have some local IP for the connection? Same question for Redis.
Do I need to configure some local network on Azure and will that impact speed on the app? And, is MySQL a good choice for Azure or should I try with another one?
I am just reading about Azure Virtual Networks. But as I understand it, VN's sole purpose is to isolate elements from the outside network?
You will get better performance if your MySQL instance and your app service are in the same region (basically the same data centre).
The connection string is mysql.database.azure.com, but remember the connection will be a TCP/IP connection, so the DNS lookup will realise that this address mysql.database.azure.com is in the same region (same data center). Then the TCP/IP connection will go to an internal IP.
You could use tcpping in your app service's Kudu console to try this and see the result.
The basic rule is that you should group your app and database in the same region for better performance and cheaper cost (as Microsoft doesn't charge for traffic within the same region).
Azure Virtual Network is for a different purpose. For example, if you have some on-premises database servers and you want to call these servers from Azure, then a VN could be helpful. But for the scenario you described, it is not really needed.
The company I work for has Microsoft Azure support included, and if you or your company have a support contract with them, you can raise questions directly to them and get really quick responses.

Azure region based WebApi for mobile app

I'm currently developing a mobile app which will be pushed world-wide across the app stores. This app uses a WebAPI REST service as the backend which I currently have running on MS Azure in Europe (which backs onto a database also in Europe).
My problem is, I'd like to create multiple Azure WebApi endpoints (i.e. Australia, US, etc for latency reasons), each with their own database which has geo-replication enabled.
Does anyone know a method/product/service I could use which allows me from the app to either:
Connect to a single domain which behind the scenes picks the closest server to the user.
OR
The app itself is able to determine based on a given list the closest server and connect to that?
I've looked at Azure CDN but this is for static content which is great but I need something for dynamic content.
What you're looking at is Traffic Manager. Traffic manager enables that exact scenario, of finding the closest service that hosts your REST API.
Keep in mind though, that the database replication is (for the time being) a thing you have to do yourself, although we do provide you with the tooling and guidance on how.
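The second option the asker lists (the app itself picking the closest server from a given list) as an added example, not code from the question or the answer; the regional hostnames are constructed placeholders, and Traffic Manager does the equivalent server-side via DNS, so this is only the client-side alternative:

```python
"""Client-side selection of the nearest regional API endpoint.

Added example, not code from the original post. Endpoint hostnames and
region keys below are constructed placeholders, not real services.
"""
import socket
import time
from typing import Optional

# Constructed list of regional API hosts (placeholders).
REGIONAL_ENDPOINTS = {
    "eu": "api-eu.example.invalid",
    "us": "api-us.example.invalid",
    "au": "api-au.example.invalid",
}


def measure_rtt(host: str, port: int = 443, timeout: float = 1.0) -> Optional[float]:
    """Return the TCP connect time in seconds, or None if unreachable.

    A TCP handshake to the HTTPS port is a cheap latency proxy; the function
    never raises, so a dead or unroutable region simply drops out of the race.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def choose_endpoint(rtts: dict, default: str) -> str:
    """Pick the region with the lowest measured RTT.

    Regions whose probe failed (None) are ignored; if nothing answered, the
    caller's configured default is returned so the app still has a target.
    """
    reachable = {region: rtt for region, rtt in rtts.items() if rtt is not None}
    if not reachable:
        return default
    return min(reachable, key=reachable.get)


def probe_all(endpoints: dict, timeout: float = 1.0) -> dict:
    """Probe every regional endpoint once and return {region: rtt_or_None}."""
    return {region: measure_rtt(host, timeout=timeout) for region, host in endpoints.items()}


if __name__ == "__main__":
    results = probe_all(REGIONAL_ENDPOINTS, timeout=0.5)
    print("measured:", results)
    print("selected:", choose_endpoint(results, default="eu"))
```

Cache the choice and re-probe only on failure or after a fixed interval, otherwise every app launch pays the full probe round.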

Connecting to azure SQL database from web role and performance.

I am new to Azure and just trying to get my head around some things.
I have a web app running locally that now connects to a windows azure SQL database. I want to move my local web app into an azure web role. I have two questions:
Do I need to change my connection string or does it just work?
I am assuming windows azure is smart enough to now know that they are both hosted on azure so each request no longer needs to go over the internet?
Cheers
Do I need to change my connection string or does it just work?
No, this is still the same connection string.
I am assuming windows azure is smart enough to now know that they are both hosted on azure so each request no longer needs to go over the internet?
Your web site and SQL Azure database will both be in an Azure data center. It depends on which region your web site and database will be in. If they are in the same region you'll have low latencies because it will be in the same data center; however, if they are in two different regions, then at one point it has to go through connections between data centers called backbones. Even if those are special, very fast connections, you'll notice higher latencies.
The http://www.azurespeed.com/ web site allows you to check what the latencies between Azure data centers are. This gives you a kind of idea.
Answer 1: Since you are already connecting to SQL Azure from local, you don't need to change the connection string.
Answer 2: If both your Web Role and SQL Azure are in the same Geo Location (say South Central US) then there will not be much internet traffic, but it will use Azure's network to communicate.

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Set up a VPN - which is problematic because we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only does it defeat most of the benefits of the cloud (been there, done that and suffered a lot), but it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that looks like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time; Microsoft will probably provide it at some point, but it might still take many months.

Is it crazy to use Azure for Intranet Site containing sensitive data

Is it absolute insanity to start hosting new intranet web apps in Azure using an on-premises SQL instance and ADFS 2.0 (via Azure Connect)? My concern is that instead of the site being behind a firewall, being hosted in Azure has the side effect that anyone who discovers the URL can hack away at it.
Thoughts???
thanks
There's good news on the ADFS 2.0 front.
Authentication with ADFS 2.0 requires the client's browser to be able to communicate with the application server and the ADFS 2.0 server. There's no direct connection between Azure and ADFS 2.0.
If you make sure that your ADFS 2.0 server is only accessible from your corporate network or via VPN, you've already closed one of the major attack vectors; no brute force or dictionary attack is going to help a bad guy in if they can't connect to your authentication service.
As well as all-important security, take into consideration the bandwidth costs for your hybrid cloud solution. You'll be paying for every byte to and from your SQL Server.
Do their trial.... and see how fast you can get up to speed with locking the security down. Hey, at least you're not asking about Amazon's cloud. Don't do it because it is the cool thing to do. Research the pros and cons. Gmail is a cloud-based email service that I and many others have used for years. All in all it works pretty well. The future is more cloud, where more businesses have dumb terminals with virtual use of cloud services. The personal PC is bound to become less important.
Microsoft has invested a lot into Azure, if you follow their security guidelines you should be just fine.