I've got a rather unwieldy legacy intranet app that does a lot of file manipulations across multiple network shares (file reads, moves, deletes, creates directories, etc) and I want to set up a preproduction instance. Currently the app pool is running under a domain account that has been granted access to all these scattered directories. I'm wondering if running a second instance of the site (different server) using the same domain account would be an issue.
This doesn't seem to be an easy question to formulate in a way to get a useful answer out of google. Anyone have any experience doing this? I would rather not have to create more accounts and track down all the locations that would require added permissions if I don't have to.
The aim to set different application pool identity for different application pools is to restrict the limit for application pool. Independent application pool will isolation NTFS permission from accessing the files that the web app shouldn't reach. Just in case the server are under vulnerability attack.
Of course, if you are hosting your web apps in a isolated network environment, you could share your domain account for multiple application pools.
As Lex said, consult your network administrator would get more practical answer.
Related
I have multiple App Services hosted on a single App Service plan (Basic Small), which is basically a fully managed VM with all it's resources reserved for me. These are all Asp.Net apps.
As I have plenty of resources still available I'm considering moving my WordPress applications to Azure (each to a new App Service within the same App Service plan.
WordPress unfortunately, has a tendency to get infected every now and then. Also the infection can spread to other websites if they are not properly isolated (infected website may change files of the other websites).
So my question is:
If one of my WordPress websites gets infected are other websites from different App Services, but the same App Service plan also in danger?
The answer to this greatly depends on how you trust Microsoft and their claims.
All Azure Web Apps (as well as Mobile App/Services, WebJobs and
Functions) run in a secure environment called a sandbox. Each app runs
inside its own sandbox, isolating its execution from other instances
on the same machine as well as providing an additional degree of
security and privacy which would otherwise not be available. The
sandbox mechanism aims to ensure that each app running on a machine
will have a minimum guaranteed level of service; furthermore, the
runtime limits enforced by the sandbox protects apps from being
adversely affected by other resource-intensive apps which may be
running on the same machine.
So it should be secure.
https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox
To who it may concern,
I am looking to move more of our applications that the company uses to azure. I have found that Remote App will allow people to us the apps I have allowed via the Remote App. The application which will be used is linked to a database which is on site, I am just worried about people being able to access this database as it will contain important data which cant be leaked. I am trying to work out what are some security precautions which could be taken to prevent the data from being viewed by the wrong people. I have seen app locker to stop applications on the virtual machine from being accessed. Any other security suggestions would be greatly appreciated.
You should be fine. Remote app is running remotely - meaning that theres no way of getting to the connection string (reverse engineering). Access to the app is also ensured by AAD login. The database should be protected as well with AD credentials. Also, adding a service tier that fronts the database would provide a facade.
I'm looking to set up two web roles or websites on my Azure Cloud Service.
The websites need to share the same database schema. I use NHibernate ORM, so I have to make sure that both projects are always using the same data model, or else it will cause major problems.
I've researched setting up multiple websites on a single web role (which seems odd to me, can't I just run multiple web roles, each with a single site)?
http://msdn.microsoft.com/en-us/library/windowsazure/gg433110.aspx
Like any good developer, I use a staging server. If I have to manually set the domain name is configuration files, how will azure know not to be sending people who visit that domain to the staging server?! I.E. If they visit blah.foo.com and I have two deployments (staging and production), is IIS going to be able to know only to send people to the production environment?
Please advise on the best way to go about doing this.
First, you can certainly have multiple web roles, each with a single site; however, each role instance will be deployed to different virtual machines. For example, if you do set up two web roles when you deploy this with one instance each then there are two virtual machines you'll be paying for. If you want the SLA to apply to your deployment you'd need to actually set the instance count to 2 for each web role, which now means you have four virtual machines running. By combining web sites onto the same web role you'll cut down on the number of instances you need to run and still get the SLA; however, that option is not without some considersations. The link you provided is how you can set up multiple websites to run on the same virtual machine when deployed. Note that there are some gotchas with using that method. I'd suggest reading Michael Collier's Tips for Publishing Multiple Sites in a Web Role.
Second, if you do NOT need to have a lot of control over the virtual machine (such as registering special components, etc.) you might want to look at Windows Azure Web Sites as an option. You can elect to take one of the paid levels of Web Sites and still have dedicated machines, but you can deploy the websites separately. I will say though, that your requirement of having both sites in lock step because they share the underlying database schema means that it will be less likely you will want to deploy separate changes, but it is still possible.
Finally, regarding the staging server. If you are testing locally you'll want to modify your hosts file to get the host names to point to your local address. Wade Wegner has a post on Running Multiple Websites in a Windows Azure Web Role. Once you deploy to Windows Azure you'd want to change your hosts file back, or comment them out. If you are using the actual idea of the Staging deployment slot you can use the same trick with the hosts file to point to the IP address of the staging deployment when testing.
I am new to Azure and website deployment, and I am trying to make sure I understand how things work. As far as I understand, once I create a website, a web application is created and begins to run in the cloud before publishing my own site even.
I know that the cloud provides scalability, load-balancing (among multiple datacenters), ease of publishing/testing, etc...things that don't exist in traditional web hosting.
So my question is since my website is in the cloud/Azure now, would my website be replicated globally in MS datacenters? If yes, is it something different from load-balancing? in other words, is the idea behind it is to get my site replicated to provide faster access from all over the world. And if all these are correct, I suppose traditional web hosting doesn't support replication.
Sorry for the simple questions, but I really need to understand, and I would appreciate any details you could provide.
Q: So my question is since my website is in the cloud/Azure now, would my website be replicated globally in MS datacenters?
A: Your website won't be automatically replicated globally to all MS datacenters. Each azure service, whether it is an cloud-service, sql-azure, storage, website or VM is located at a location of your choice. Within a location you can scale some of the services to run in multiple instances. If you spawn a new instance your website gets replicated. But it still runs at the same geo-location.
Q: If yes, is it something different from load-balancing?
A: In Azure you need to distinguish between load-balancing and traffic-management. If you run multiple instances within one location, there is only one external URL to reach it. The load-balancer distributes traffic equally to every running service instance.
The Traffic Manager allows you to control the distribution of user traffic to Windows Azure hosted services. The hosted services can be running in the same data center or in different centers across the world. Traffic Manager works by applying an policy engine to the Domain Name Service (DNS) queries on your domain name(s).
So in general, if you want to spread your application all over the world, you have to do it by yourself.
Create your service on all the location of your choice and use Traffic Manager to connect them.
After working with Azure since one year still i didn't find any real scenario about multiple webroles under one application.
when we'll create hosted service at that time we need to select region as well URL of application so in our solution if we have created multiple projects(webroles/wrokerroles) then this URL map to which webrole/wrokerrole application?
As a end user webrole is a application but in Azure under one application we can host mutiple webrole applications!
Can anyone explain this Azure terminology and purpose of this also please give me some real scenario/example where we require this type of terminology?
Thanks in advance.
Multiple Roles are useful when your application is complex and you need to scale different things in different ways.
Different Web Roles might handle two different sites that make up one application, but that scale at different patterns (for example some BusinessAppWebRole and a AdministrationAppWebRole). Both of the apps are a part of one "system" and are deployed together and maybe even share some .DLL's or some such, but the BusinessAppWebRole might need to scale between 9am and 9pm and needs to be performing super fast for users, while AdinistrationAppWebRole might be doing some complex math or reports and needs its own scale pattern that should not impact the BusinessApp
Alternatively, you may choose to have a Website on one web role and a WCF service on another web role. Once again, both would be a part of the same "system" and deployed together, but have different usages and scaling strategies where a need would be to keep them on separate servers
Worker Role vs. WebRole is also a great example. Workeroles typically are background processors. Their goal is to scale based upon amount of work left to do. Customer-facing WebRoles need to have a different scaling strategy and must not be impacted by typically heavy/busy worker roles...
HTH
About your question having "multiple webroles" in one Windows Azure application, I personally do not see any specific reason for having two or more webroles in a single Application. Having two webrole in one web role will cause one role to use port 80 and some other port (8080 default) for other role. Because you will have one single VIP to handle two web role, you can not setup port 80 on both role. In some cases you can have such functionality plugged into one single web role configured on port 80 and 8080. I can think of one example of having two or more web roles in one application where user wants to serve hundreds of users from one specific web role which is configured to port 80 with several instances however other web role which is configured on port 8080 (other non 80) to admin site with 1-2 instances. I haven personally seen rare use of having multiple web roles in one Azure application however others might have some other view on this regard.
Having web role and worker role in one Windows Azure application is very common scenario in which you can serve content through a web server configured over HTTP/HTTPS and have a worker role to do background processing without suffocating resources on web server. You can also configure internal endpoints by defining specific ports in Web and Worker role to communicate between Web role and worker roles internally over TCP endpoints. In this scenario you can have number of web role instances to handling web traffic and several instances of worker role for background processing separately. The best example for such scenario is like having a web site where users upload video content from a web server and once the content is upload, worker role star encoding the video and when the video is encoded the video is available on web server for users to enjoy. In real world scenario if you have 1,000,0000 users using such website, you might end up having 100s of instances of web and worker role to facilitate overall activity.