We have some dedicated LOB application on-premise applications. Access to these apps is through the public Internet. Active Directory Domain Services is used to authenticate users.
In Azure, there are multiple ways to create high-availability; is there something similar for on-premise apps using Azure? By this I mean if one on-premise system is down, traffic is routed to another app.
I know there are some options such as Application Gateway, Traffic manager and Front-door including Azure LB, my question is - are these the right services we should use in an on-premise setting?
For your on premise environment, you can use Network Load balancing(NLB) feature of Windows Server. See details here, it has an Azure inspired feature too.
Related
we have configured azure active directory pass-through authentication . Need to access on premise resources from the azure deployed application. can we do this by configuring application proxy?. so that on premise application authenticated with azure AD. so the communication between azure application and on premise application be seamless. Is it possible?
I'm not entirely sure if I understand you correctly but what you want is probably possible by using Azure Hybrid Connections: https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
You install the Hybrid Connector on-prem, e.g. on a VM, and then for instance an Azure App Service can access certain resources on-prem.
Or for anything more advanced you might want to look at Azure VPN (or ExpressRoute in the long run).
Right now we have AD set up so access to our App Service is authenticated. But we need the website to have local access to some special applications. Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM.
If that's the case, I'd like to not lose the ability for Azure AD to authenticate access to our VM. I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Since we can't install applications on an App Services, I THINK that
means we need to run the website on a VM
Even though a VM is the simplest one, you do have other options to at least consider. Here is Microsoft's documentation comparing the various options along with scenario based recommendations.
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Quick Note:
Amongst the options discussed, avoid Cloud Services (classic) as far as possible, as they are legacy and on their way out. Also, if you still choose Virtual machine, do consider Virtual Machine Scale Sets for better scale and management options.
I'm sure we can use Azure AD to authenticate us while we RDP to the
server, but can it also be used for when we expose our Web Application
over HTTPS from the server?
Yes, it can be used even when you expose your web application over HTTPS from the server. Exposing over HTTPS would only involve opening up the port through NSG rules and SSL settings for your application in IIS. This will not impact you ability to RDP into the VM.
I have a web app that is currently deployed in an App Service Environment. One of the advantages of this is the security offered by the VNet within which the ASE resides.
Unfortunately this is a very expensive option for a low traffic solution (currently costing approx. £1500 a month). Is there an alternative solution that offers the same level of security as the ASE solution, e.g. is it possible to deploy a standard Web App to a VNet?
Yes and no.
A way to do that would be to use VNet integration of a WebApp. Unfortunately, it doesn't isolate the WebApp from the internet (that can be done via the webconfig). The other problem is that it only allows the webapp to access resources inside the VNet, not vice-versa. For that you would have to allow resources to access WebApp from the internet.
No other way currently.
It is not possible to deploy an Azure web app to a VNET (allowing for 2-way communication) without using App Service Environment (ASE). If you want your web app to only be available to internal systems, you'd have to rely on IIS ipSecurity config (https://www.iis.net/configreference/system.webserver/security/ipsecurity).
Essentially, whitelist all allowed public IPs (from the systems accessing the website). This might get difficult to maintain, so you might want to investigate a reverse proxy type solution either deployed in IaaS, or use AppGateway, or use a 3rd party such as incapsula/silverline.
As it has already been mentioned, Azure Web App cannot be added to your VNET. There is a VNET integration option which allows it to act as a P2S client, however it may not be acceptable in all scenarios. Here are the alternate options:
Azure Cloud Services (PaaS)
Azure Virtual Machines (IaaS)
App Service Environment (Expensive)
I think the best option would be cloud services as it can sit inside a VNET and provide some benefits of being a PaaS based service. Refer here: https://learn.microsoft.com/en-in/azure/cloud-services/
My company has several RESTful services that are behind a firewall. I would like to be able to access these services from the Azure cloud with a client app as if the service is located in Azure.
For example, if I have an on-premises url like:
https://onpremiseservice/Customers/1
I would like to be able to access it from Azure like
https://mycompany.azurewebsite.net/Customers/1.
Is this possible? Can I do some kind of URL forwarding?
Updated 26th September 2022
You have many options, here they are in order of ease of configuration vs performance (ExpressRoute being the hardest to configure but with the best performance).
Use Azure API Management it was designed for this use case.
Configure the on prem firewall so that your Azure web app outbound IP's can connect to the on prem API. Then create a Web API in the Azure web app that proxies calls using HttpClient to your on perm API.
Use a Hybrid Connection
Use Point-to-Site VPN
Use Site-to-Site VPN
Use ExpressRoute
More information on your options in depth
It is possible. Use Azure Service Bus Relays.
We are having multiple web apps running on Azure using PaaS offering.
The requirement is, though all the hosted applications(web apps) are accessible all over the internet, still only a specific number of users (say IPs) will only be allowed to do FTP on the Azure cloud environment.
I need some advise on how to achieve that.
Azure offers NSG for complete isolation and full control over managing inbound / outbound traffic to the Web apps but we believe to implement NSG, we need to implement Virtual Network and ASE before that.
but then, if all the web apps resides under the VNET, then whoever will access the applications will be needing to have VNET client in their local machines.
Kindly guide me on this.