I had success setting up an app for AWS Client VPN in Azure but I can't add another one due to the Entity ID must be unique Entity ID
I had success with other apps adding #1 at the end of the URL but here I am dealing with this URN
How to overcome this, obviously I am a huge noob with SAML.
Thanks in advance.
I have tried adding #1 at the end and other simbols
I am expecting having another app for the same purpose.
I can get away with a solution that would allow using one app in Azure but redirecting to separate Client VPN.
Related
I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.
I am pretty new to Azure API Management so hopefully I am just missing the obvious and there is an easy solution.
I work in a regulated environment where strict validation and code separation is enforced.
For that reason an API that I wrote is implemented on four separate app services each representing a specific environment sandbox, dev,qa, and production
I am trying to set all these up in API Management using custom domains, but it just doesn't seem to work.
Here is where I am at.
API Management has been deployed to its own subnet in a vnet.
I created an internal client certificate, and uploaded it to a vault. This certificate had multiple subject name alternatives to represent each environment.
Ex. api.contoso.com
api-sand.contoso.com
api-dev.contoso.com
Etc
I then created custom domains using this certificate in APIM ...each set as a "gateway" type domain
I then created an Api based on api-dev.contoso.com and a suffix "external" based on the dev app service. This will host the dev operations that can be exposed to the internet through app gateway
I then created a second api, again using the api-dev.contoso.com custom domain, and specified a suffix of "internal", to host all the internal operations from this api.
I ran into trouble when I tried to create a third API. This one was supposed to target the sandbox version of the api, but when i started filling out the new api panel, I found that the base url was grayed out and set to api-dev.contoso.com.....there was no way to change it to api-sand.contoso.com
What am I missing?? ...APIM let's you create these custom domains, but it seems to only let you use one...that doesn't seem right....there must be a different approach I need to use.
One option I thought of, but haven't tried yet is to have one custom domain, and implement the environments using different suffixes. For example api-nonprod.contoso.com/sand/external would link to my sandbox app service, and api-nonprod.contoso.com/dev/external would link to the development app service.
I'd still rather do it through custom domain names if it is possible.
My company developed a business suite which is not a SaaS platform now. We're in beta mode now and will launch V2 within next 2 months. Currently we are creating instance for interested clients (free for a year) but getting questions that their data is secured. Now, my question is, since we are creating their instances on our Azure platform,is there a way to make sure that we won't be able to access their data anyway?
Thanks in advance!
Some of the security setup you can configure and present are -
Configure firewall rules to restrict access to db based on the originating IP address of each request. You can share the firewall settings that only specific Virtual Machines/Computers have access to the client's database.
Authentication to the database. We can remove any SQL authentication(username/password based) and configure only Azure Integrated security for the applications accessing the database. Best practice would be using service accounts to access the db. You can showcase this too.
We need to develop integration between ERP (Dynamics Nav) and cloud-based telephony provider.
The provider needs to have an endpoint published and accessible from internet but for security reasons it is not possible for us to allow inbound connections to our network. I think it should be possible to solve this by hosting small application in Azure which will serve as endpoint for telephony provider and to which ERP will connect as outbound persistent connection. The app will just forward requests to ERP.
Since I'm new to Azure the question is what of azure capabilities I could use to solve the task aside from hosting actual VM with application there?
I've just implemented the same using Azure Service Bus.
The VOIP system is putting a small JSON with call details after the end of the call and I'll get the messages from the Service Bus Queue from NAV.
The code is not complicated at all the whole solution is simple and cheap!
Let me know if you want to know more (= you need the code).
Cheers!
Azure AD has the concept of an "application proxy" that will open internal applications up using a connector that runs on prem. This doesn't require inbound ports and is protected by Azure AD authentication.
It's intended more as a user-facing way to get access to Legacy applications, although I don't see why it couldn't be used for integration as well.
https://learn.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal
Otherwise, you could link an Azure Site to Site VPN up and use a service like API gateway to manage connections though this is more complicated.
I created few web applications for the one app service plan. For all these apps I am seeing one FTP url. Issue is that when I go to the URL, I can see one "Site/wwwroot" folder which only shows one application.
Isn't is possible to access FTP of other web applications?
All applications works fine. I don't understand how this FTP is being created. If it's showing just one application in FTP, what criteria is based on that? I am seeing the 1st application based on the alphabetical order.
The FTP Url is same for all the sites in a stamp and will be same even if you create multiple app hosting plans as long as the hosting plans are in the same stamp. A stamp is a collection of servers and roles in a particular datacenter.
So how azure connects to the right site - the distinction here happens when you provide the user name for the site that you are trying to connect. The user name has the form sitename\$sitename when using publish credentials and has the form sitename\username when using deployment credentials and this name is used by app service to identify which site you are connecting to.
http://weblogs.asp.net/bleroy/azure-web-sites-ftp-credentials has more details.
Also read https://github.com/projectkudu/kudu/wiki/Deployment-credentials to understand difference between the two kind of credentials.
So just specify credentials in this way and you can connect to your sites using ftp.
Hope this helps