Mobile app connecting to an on-premises backend using Azure VPN - azure

I have a mobile app that I want to use to securely consume an API endpoint located on an on-premises server.
Is it possible to do this using Azure Application Gateway and a VPN? And which VPN: site-to-site or point-to-site?

Yes, it is possible to do it using Azure Application Gateway and a point-to-site VPN. You can use the OpenVPN protocol to connect from Android and iOS (versions 11.0 and above). You can follow this blog for additional details on implementation; it uses a point-to-site VPN to connect from an Android device. You can also refer to the official documentation for additional help in making this decision.

Related

Azure: Only allow access to Web App from On-premises using VPN

I have a scenario regarding web apps on Azure that I can't wrap my head around.
I have a Web App (not ASE) that is connected to a VNET/subnet, and I have set up access restrictions on the Web App so that only traffic from that specific VNET/subnet is allowed. This works as expected, and a 403 is returned when trying to access the web app from the internet.
My problem is that the Web App is no longer accessible from the on-premises setup either, and I am unsure how to facilitate that. I don't like to use IP whitelisting to enable access, but I don't know the alternatives.
Does anybody have experience with accessing a restricted Web App from an on-premises system? All the examples I could find are about accessing on-premises data from a VNET, not the other way around.
Illustration of setup:
On-premises server --> VPN Gateway in Azure --> VNET --> Web App in VNET -x-> Internet
Private Endpoints are your friends :)
I see you want to set up an S2S connection using VPN to allow access to your on-premises networks (subnets).
You should create a local network gateway representing your on-premises network, and you should also verify that your firewall device is supported by Azure to make sure that the configuration works. Supported VPN devices by Azure

Azure as a proxy for application

We need to develop integration between ERP (Dynamics Nav) and cloud-based telephony provider.
The provider needs to have an endpoint published and accessible from the internet, but for security reasons it is not possible for us to allow inbound connections to our network. I think it should be possible to solve this by hosting a small application in Azure which will serve as the endpoint for the telephony provider and to which the ERP will connect via an outbound persistent connection. The app will just forward requests to the ERP.
Since I'm new to Azure, the question is which Azure capabilities I could use to solve this task, aside from hosting an actual VM with the application there?
I've just implemented the same using Azure Service Bus.
The VoIP system puts a small JSON with the call details on the queue after the end of the call, and I get the messages from the Service Bus queue from NAV.
The code is not complicated at all; the whole solution is simple and cheap!
Let me know if you want to know more (= you need the code).
Cheers!
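An added example (not the poster's code) of the least-privilege side of the Service Bus approach above: the telephony provider should only ever hold a Send-only token for the queue and the NAV side only a Listen-only one, so a leaked provider credential cannot read or drain the queue. The block mints and checks Azure-style shared access signature tokens (sr, sig, se, skn fields; sig = Base64(HMAC-SHA256(key, url-encoded URI + "\n" + expiry))). The namespace, queue URI, policy names and keys are constructed for this example; the verifier here mirrors what the service checks and is not Azure's own code.

```python
"""Added example, not the poster's code: minting and checking Service Bus
shared access signature (SAS) tokens scoped to a single right.

Token format:
  SharedAccessSignature sr=<url-encoded URI>&sig=<sig>&se=<expiry>&skn=<policy>
with sig = Base64(HMAC-SHA256(key, urlencode(URI) + "\n" + expiry)).
Queue URI, policy names and keys below are constructed for this example.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed: one authorization rule per party, holding only the right it needs.
QUEUE_URI = "https://example-ns.servicebus.windows.net/calls"
POLICIES = {
    "voip-provider-send": ("constructed-send-key-0001", {"Send"}),
    "nav-erp-listen": ("constructed-listen-key-0002", {"Listen"}),
}


def _signature(key: str, resource_uri: str, expiry: int) -> str:
    """Base64(HMAC-SHA256(key, urlencode(resource) + newline + expiry))."""
    string_to_sign = urllib.parse.quote_plus(resource_uri) + "\n" + str(expiry)
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(resource_uri: str, policy_name: str, key: str, expiry: int) -> str:
    """Mint a token for `policy_name` that is valid until Unix time `expiry`."""
    sig = _signature(key, resource_uri, expiry)
    return "SharedAccessSignature sr={}&sig={}&se={}&skn={}".format(
        urllib.parse.quote_plus(resource_uri), urllib.parse.quote_plus(sig),
        expiry, policy_name)


def verify_sas_token(token: str, resource_uri: str, required_right: str,
                     now: int, policies=POLICIES) -> tuple:
    """Return (accepted, reason). Checks, in order: shape, resource, known
    policy, expiry, signature (constant-time compare), and that the policy
    actually grants the right being exercised."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "malformed"
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):]))
    if set(fields) != {"sr", "sig", "se", "skn"}:
        return False, "malformed"
    if fields["sr"] != resource_uri:
        return False, "wrong resource"
    policy = policies.get(fields["skn"])
    if policy is None:
        return False, "unknown policy"
    key, rights = policy
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "malformed"
    if expiry <= now:
        return False, "expired"
    expected = _signature(key, fields["sr"], expiry)
    if not hmac.compare_digest(expected, fields["sig"]):
        return False, "bad signature"
    if required_right not in rights:
        return False, "right not granted"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    send_tok = make_sas_token(QUEUE_URI, "voip-provider-send",
                              POLICIES["voip-provider-send"][0], now + 3600)
    print("provider sending:", verify_sas_token(send_tok, QUEUE_URI, "Send", now))
    print("provider reading:", verify_sas_token(send_tok, QUEUE_URI, "Listen", now))
```

The two keys live in different places (the Send key with the telephony provider, the Listen key with NAV), so neither party can impersonate the other, and a short `se` keeps the blast radius of a leaked token small.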
Azure AD has the concept of an "application proxy" that will open internal applications up using a connector that runs on-prem. This doesn't require inbound ports and is protected by Azure AD authentication.
It's intended more as a user-facing way to get access to legacy applications, although I don't see why it couldn't be used for integration as well.
https://learn.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal
Otherwise, you could set up an Azure site-to-site VPN and use a service like API gateway to manage connections, though this is more complicated.

Windows Azure - Communicate between web site and VM without enabling external/remote access

I'm new to Azure and have set up an Azure web site which will connect to a SOLR instance on an Azure VM. The web site cannot communicate with SOLR (port 8080) unless I create an endpoint. In order to create an endpoint I need to provide an internal and an external port; however, I do not want to allow external/remote access to SOLR, other than from the web site itself. Can anyone tell me how I should allow the web site to communicate with my VM without making the VM publicly accessible?
Thank you,
JP
As @hhaggan stated, you cannot create a virtual network connection, or secure an endpoint, from Web Sites to a Virtual Machine. One option to consider is the use of SSL plus a certificate to secure the endpoint.
If you instead deploy your web application to a web role (in a cloud service) or a virtual machine, you can then take advantage of a brand new feature called Endpoint ACL. In essence, you can whitelist / blacklist a set of IP address ranges that may access your SOLR external endpoint. You can read about ACL'd endpoints, and how to configure them, here.
Now: You might be asking yourself why this doesn't work with Web Sites. That's because Web Sites runs on a server farm, and sites don't get unique IP addresses (unlike Cloud Services).
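An added example (not the answerer's code) of the endpoint ACL logic the answer above describes, which is also the shape of the VNET/subnet access restriction in the earlier Web App question: an ordered list of permit/deny rules over remote IP ranges, first match wins. It also shows the catch the answer raises about Web Sites on a shared farm: the only range you can whitelist is the farm's, and that range admits any other tenant on it too. The rule sets, the addresses and the `default` action when nothing matches are assumptions made for this example, not Azure's implementation.

```python
"""Added example, not the answerer's code: an ordered permit/deny endpoint
ACL over IP ranges, plus an audit pass for unreachable or over-broad rules.
Rules, addresses and the no-match default are constructed assumptions.
"""
import ipaddress


def evaluate_acl(rules, source_ip, default="deny"):
    """rules: list of (action, cidr) in evaluation order; first match wins.
    Returns 'permit' or 'deny'. `default` applies when no rule matches
    (assumed here; check the documented default of the feature you use)."""
    addr = ipaddress.ip_address(source_ip)
    for action, cidr in rules:
        if action not in ("permit", "deny"):
            raise ValueError("unknown action: %r" % action)
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return default


def audit_rules(rules):
    """Return (rule index, problem) findings:
    - 'shadowed by rule N': an earlier rule already covers this whole range,
      so this rule can never match (first match wins);
    - 'broad permit': a permit wider than /24 (IPv4) or /64 (IPv6), which on a
      shared address range admits far more than the one caller you meant."""
    findings = []
    nets = [(a, ipaddress.ip_network(c, strict=False)) for a, c in rules]
    for i, (action, net) in enumerate(nets):
        for j in range(i):
            earlier = nets[j][1]
            if earlier.version == net.version and net.subnet_of(earlier):
                findings.append((i, "shadowed by rule %d" % j))
                break
        limit = 24 if net.version == 4 else 64
        if action == "permit" and net.prefixlen < limit:
            findings.append((i, "broad permit"))
    return findings


# Constructed: the shared-farm outbound range a Web Site might egress from,
# followed by an explicit catch-all deny.
FARM_RULES = [("permit", "203.0.113.0/24"), ("deny", "0.0.0.0/0")]


def farm_acl_admits(source_ip):
    """True if the SOLR endpoint would accept a connection from source_ip."""
    return evaluate_acl(FARM_RULES, source_ip) == "permit"


if __name__ == "__main__":
    # Constructed addresses: "our" site, another tenant on the same farm, an outsider.
    for ip in ("203.0.113.7", "203.0.113.200", "198.51.100.9"):
        print(ip, "->", evaluate_acl(FARM_RULES, ip))
    print(audit_rules([("deny", "10.0.0.0/8"), ("permit", "10.1.2.0/24")]))
```

Both `203.0.113.7` and `203.0.113.200` are permitted, which is exactly why the answer steers the whitelist approach toward a web role or VM with its own address rather than a shared-farm Web Site; the audit pass catches the other common ACL mistake, a permit placed after a deny that swallows it.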
If you are talking about Windows Azure Websites, I am not sure if this can be done, but if you are talking about web roles in a Windows Azure cloud service, here is something that I hope can be beneficial.
Connect ASP.NET application to SQL Server in Windows Azure via Virtual Network http://msdn.microsoft.com/en-us/library/windowsazure/jj823135.aspx
You might also like to have a look at this: http://www.windowsazure.com/en-us/services/virtual-network/ I don't think you will need it, but I am just sharing it with you; it is for Windows Azure Virtual Network.
Let me know if this solved your problems or if you need anything else.

Access (Point to site) Azure VPN from non windows OS

Currently I am designing a solution for connecting smart devices that are hosted behind a router using NAT. The central services etc. are hosted on Azure. One idea is to join all devices and the Azure components in a VPN using the point-to-site solution. The smart devices do not have a Windows-based operating system. In the portal, the configuration for the standard Windows VPN client is available. I would now like to find out if it is possible to connect to the Azure VPN using other clients and, if so, how to configure these (setting the gateway, attaching the client certificate, etc.).
If your client architecture permits it, you may put in place on the client side a Windows (or Linux) machine having a gateway role. You will either:
connect this machine to Azure via a point-to-site SSTP VPN and expose a service acting as a proxy from the cloud service to the local devices
use the Azure IoT Gateway SDK for all this: https://azure.microsoft.com/fr-fr/blog/introducing-the-azure-iot-gateway-sdk-beta/
In any case this architecture is more robust. But it works only if it is possible from your client architecture point of view.

Expose corporate webservices to azure web role

We have corporate web services with back ends such as SAP, CRM etc. We would like to expose this web service (a Java web service) so that an Azure web role can connect to corporate intranet web services.
Could someone please suggest which of the technologies below will fit and why:
1. Windows Service Bus
2. Windows Azure Connect
3. VPN (Virtual Network).
Service Bus will require some effort to get working, but is a good solution if your corporate network overlords are very picky about exposing endpoints. Windows Azure Connect creates a VPN-like tunnel, but requires that specific software be installed, configured and maintained. I have an app that successfully uses virtual networking and utilises existing VPN gateways and skills - very understandable to the security and networking people.