Monitoring of Azure Hybrid Connections and OnPremise Data Gateway - azure

I'm using the Hybrid Connection Manager and also the On Premise Data Gateway for several projects hosted in the Azure cloud.
There are more and more use cases for those two components and I need to setup a clean monitoring to detect connection troubles (for example when there is a network issue or a reboot of the servers hosting the gateways).
For the HCM, there are Relays metrics I can rely on, but I saw that some of those counters are not reliable. I had issues with my connexion in the past few days, and when I check the ListenerConnections-ClientError or ListenerConnections-ServerError counters, they always equal to 0... this sounds very strange?
Regarding the OnPremise Data Gateway, I think that because it also relies on SBus Relay, I should probably use the same metrics?

Related

gRPC connection pooling on server side

I have a cluster of microservices to be hosted on Azure Kubernetes Service.
These microservices are .NET Core based and will
talk to on-premises services via gRPC
stream data using SignalR Core to client apps(Websockets)
The problem I can't find a good solution for is "How to persist gRPC" connections as pods are created and destroyed.
This seems like a very trivial problem for hosting microservices on a hybrid network. I would love to hear how others have addressed this issue.
Persistance of grpc would be difficult in such environment as pods are not persistant at all. I would suggest two approach to handle this scenario
Use/build a proxy between EKS and On Premises Service which can keep persistant connection open with on-premises service but connection to proxy can be added/removed as the pods are created/destroyed. This proxy can act as connection pool and provide higher throughput to on-premises service invocation.
Don't worry about the persistance of connection with on-premises services (treat this like a rdbms connection which can be created or destroyed on demand but has some cost in order to create new). This approach would work in case the pods are created or destroyed not too frequently.
I would suggest second approach in case the pods are not created/destroyed too frequently (few every hour) as it has less moving parts. But if pods are scaled up too frequently, approach one should be used.

Azure WebService - MySQL - Redis configuration

I am creating a WebService with C# Core 3.0 that is using MySQL and Redis, but I am not so familiar with Azure so I need advice about configuring everything.
I had MySQL hosted on AWS, but I am transferring it to Azure because I think that performance (speed) will be better on Azure because they will be on same data center. Right?
But, on my MySQL page Host is like '*.mysql.database.azure.com'. That means that every connection will go out of Azure, and than come back? I don't have some local IP for connection? Same question for Redis.
Do I need to configure some local network on Azure and will that impact speed on the app? And, is MySQL a good choice for Azure or should I try with another one?
I am just reading about Azure Virtual Networks. But as I understand it, VN's sole purpose is to isolate elements from the outside network?
You will get better performance if your my-sql instance and your app service are in the same region (basically the same data centre).
The connection string is mysql.database.azure.com, but remember the connection will be a TCP/IP connection, so the DNS lookup will realise that this address mysql.database.azure.com is in the same region (same data center). Then the TCP/IP connection will go to an internal IP.
You could use tcpping in your app service's kudo console to try this and see the result.
The basic rule is that you should group your app and database in the same region for better performance and cheaper cost (as Microsoft doesn't charge traffic within the same region).
Azure Virtual network is for a different purpose. For example, if you have some on premise database servers and you want to call these servers from azure, then VM could be helpful. But for the scenario you described, it is not really needed.
The company I work for has Microsoft azure support included, and if you or your company have support contract with them, you can raise questions directly to them and get really quick responses.

Difference Between Windows Azure Service Bus and Windows Azure Virtual Network

I want to connect to On-Premises database from Azure. Basically i will be hosting my web Application on azure and will be using Database from On-Premises.
According to www.WindowsAzure.com both Azure Service Bus and Windows Azure Virtual Network are used for connecting to On-Premises database. But what is the difference between these two and which of them should be used according to different situation ?
There is a big difference between both approaches:
Service Bus is connectivity on application or messaging level. Here you will have two options:
Service Bus Relay : here you have to expose a web service (that connects to your local database) over the Relay binding. This will
make a publically reachable service in a firewall friendly way. This
is mostly a synchronous approach.
Service Bus messaging: you will have to have a local process that listens on messages / events that you put on a queue or a
topic/subscription from your application. This is mostly an
asynchronous approach.
Virtual Networking: here you can set up connectivity on network level and you would be able to connect to your database as if he is on the same network as your cloud based application. The advantage here is that your code would not have to change, compared to a standard application (except for connectivity retries)
Both approaches are totally different, but can be valid, depending on your preference of architecture. (web service oriented, network level connectivity, or asynchronous processing).
Hope this helps.

Azure cloud service and web sites communication lock down

I have a azure cloud service (a server) where i host a Redis database. I also have a web site hosted in azure web sites. I want the web site to be able to talk to the Redis DB on port 6379. I know I can configure a public endpoint for that port on my server but that would open it for whole Internet. I want it opened only for azure web sites (or even better, only for my web site). How can i do this?
Windows Azure Web Sites is in an isolation bubble separate from your Cloud Services and there's no way to bridge that gap. Ideally you'd do this by connecting the web site machine to other Azure services via a Virtual Network, but this FAQ confirms you can't do that right now:
Can I use Windows Azure websites with Virtual Network?
No. We do not support websites with virtual networks.
Opening Redis up over the internet shouldn't even be considered as it doesn't have the kind of security you'd want out of the box to be opening up its port publicly as it is meant to be co-located with your application, so you really wouldn't want to do that. Never mind the added network overhead which will eat into the performance you expect to get by leveraging something like Redis anyway.
I believe your best bet given your current configuration is to add a Web Role that's part of the same Azure Cloud Service and run your web based application out of that so that it can communicate with worker role. It only requires a little bit of configuration to get this going (i.e. adding an InternalEndpoint to the Redis Worker Role). While I realize Web Roles don't offer as frictionless a development model as Web Sites, you have to choose the right tool for the job.
Another option, if you want to setup your Redis on a VM instead of tying it to the Cloud Service directly, is that you can setup a Virtual Network, put the Redis VM on the virtual network and then configure the Cloud Service so that it's part of the same affinity group and add the NetworkConfiguration/VirtualNetworkSite configuration section to the Cloud Service's .cscfg.
Which approach makes more sense all depends on how you leverage your Redis instance, but the main benefit of the latter approach is that the Redis instance is not recreated each time you deploy your Cloud Service and, so, any data that's in it will stay available between deployments. Another benefit is if you want to build and leverage a Redis cluster across multiple Cloud Services this enables you to do that.

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that look like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months.

Resources