AML service - web service deployment and security questions - azure-machine-learning-service

I have questions around Azure ML Service with regards to web service deployment / security. Can you please help me with these questions:
By default, published web service URIs are publicly addressable without any requirement for authentication. What are the best practices for securing these web services?
When authenticating from unattended processes such as web services, DevOps, etc, what are the options / best practices for authenticating?
Managed Identity does not seem to be supported by Azure ML Service.
App registrations?
Other?

To the first question, the best approach would be to deploy the services to Azure Kubernetes Services. This way, there are two authentication keys that get generated. There might be other approaches that are being worked on, but this is one that I know works for some scenarios. You can also, I believe with certain decorators, retrieve the HTTP headers etc. in your score.py function, which might be leveraged by ACI (Azure Container Instances), where it's deployed without keys introduced by the SDK. This might be changing in the future.
For the 2nd question, if we're talking about how to train a network for example unattended, then it would be to use App registration, AFAIK.
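To make the "two authentication keys" point concrete, here is an added example (not code from the answer above or from the Azure ML SDK). It models the bearer-key check that the Azure ML front end performs for an AKS deployment and shows why a primary/secondary pair matters: one key can be regenerated while clients still holding the other keep working, so rotation needs no downtime. Class, function and field names are illustrative; the real check runs in the service front end, not in your score.py.

```python
"""Added example, not code from the original answer or the Azure ML SDK.
Models key-based authentication for an Azure ML web service with a primary and a
secondary key, and walks through a zero-downtime key rotation.
All names are illustrative; the scoring payload is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _new_key() -> str:
    return secrets.token_urlsafe(32)


@dataclass
class ServiceKeys:
    primary: str = field(default_factory=_new_key)
    secondary: str = field(default_factory=_new_key)

    def verify(self, auth_header: Optional[str]) -> bool:
        """Accept 'Bearer <key>' when <key> equals either key (constant-time compare)."""
        if not auth_header or not auth_header.startswith("Bearer "):
            return False
        presented = auth_header[len("Bearer "):].strip().encode()
        ok_primary = hmac.compare_digest(presented, self.primary.encode())
        ok_secondary = hmac.compare_digest(presented, self.secondary.encode())
        return ok_primary or ok_secondary

    def regenerate(self, which: str) -> str:
        """Replace one key; the other stays valid, which is what allows rotation without downtime."""
        if which not in ("primary", "secondary"):
            raise ValueError("which must be 'primary' or 'secondary'")
        setattr(self, which, _new_key())
        return getattr(self, which)


def handle_request(keys: ServiceKeys, headers: Dict[str, str], payload: dict) -> Tuple[int, dict]:
    """Gateway behaviour in front of run(): 401 without a valid key, otherwise score."""
    if not keys.verify(headers.get("Authorization")):
        return 401, {"error": "unauthorized"}
    # Stand-in for the model: sum the (constructed) feature vector.
    return 200, {"result": sum(payload.get("data", []))}


def rotation_walkthrough() -> List[int]:
    """Status codes seen by a client that starts on the secondary key while the
    primary is regenerated, moves to the new primary, and then the old secondary
    is retired. Expected: [200, 200, 200, 401]."""
    keys = ServiceKeys()
    old_secondary = keys.secondary
    payload = {"data": [1, 2, 3]}

    def call(key: str) -> int:
        return handle_request(keys, {"Authorization": f"Bearer {key}"}, payload)[0]

    statuses = [call(old_secondary)]          # client pinned to the secondary key
    keys.regenerate("primary")                 # step 1: new primary, secondary untouched
    statuses.append(call(old_secondary))       # client keeps working
    statuses.append(call(keys.primary))        # step 2: client re-pointed at the new primary
    keys.regenerate("secondary")               # step 3: retire the old secondary
    statuses.append(call(old_secondary))       # the retired key is now rejected
    return statuses


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The same sequence is what you do operationally with the real service: regenerate one key, move every caller to the other, then regenerate the remaining one. Keep callers on a key they read from a secret store rather than one baked into code, or step 2 becomes a redeploy.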

Related

Can an AZURE App Service be defined as part of a VNET?

In AWS we can define a Serverless App within a VPC. It need not be the case, but it is obviously considered good practice.
Can the same be done for an AZURE App Service? I.e. can an AZURE App Service be defined as part of a VNET?
There are a couple of segments to answer your question. Here goes ...
VNet integration
Yes, you can Integrate your app with an Azure virtual network.
With Azure Virtual Network (VNets), you can place many of your Azure resources in a non-internet-routable network. The VNet Integration feature enables your apps to access resources in or through a VNet. VNet Integration doesn't enable your apps to be accessed privately.
Azure App Service has two variations:
The multitenant systems that support the full range of pricing plans except Isolated.
The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.
If you're looking for restricting access to the App Services, the article linked in silent's comment is a good read. Especially the Access restrictions chapter.
Access restrictions let you filter inbound requests. The filtering action takes place on the front-end roles that are upstream from the worker roles where your apps are running. Because the front-end roles are upstream from the workers, you can think of access restrictions as network-level protection for your apps.
Infrastructure as Code
The blueprint (or 'cloud template') you're talking about in the comments feels like you need Infrastructure as Code to build/maintain resources for customers that all have the same structure. And while Azure has a service that's called Azure Blueprints, I think that would be overkill for the requirements you're giving.
Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they're building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.
I think you could implement what you're looking for by creating a (parameterizable) Bicep file to enable you to create/update the resources in a repeatable way as needed.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. We believe Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
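As an added illustration of the "Access restrictions" behaviour quoted above (this is not code from the answer or from Microsoft's documentation), the following models how the front-end roles decide on an inbound request: rules are checked in ascending priority, the first matching rule decides, and as soon as any rule is configured, unmatched traffic falls through to an implicit "Deny all". With no rules at all, the multitenant App Service front end accepts everyone, which is the point the answer makes about VNet Integration not making the app private. Rule names and address ranges are constructed.

```python
"""Added example, not from the original answer or Microsoft docs: a model of how
App Service access restrictions evaluate an inbound request on the front end.
Rule names and CIDRs below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRule:
    name: str
    priority: int       # lower number is evaluated first
    action: str         # "Allow" or "Deny"
    cidr: str           # IPv4 or IPv6 prefix


# Constructed policy: allow the corporate range but block one misbehaving host in it.
RULES: List[AccessRule] = [
    AccessRule("AllowCorp", 100, "Allow", "203.0.113.0/24"),
    AccessRule("BlockHost", 50, "Deny", "203.0.113.7/32"),
    AccessRule("AllowV6Office", 200, "Allow", "2001:db8:1::/48"),
]


def evaluate(rules: List[AccessRule], client_ip: str) -> Tuple[str, str]:
    """Return (action, deciding rule). First match in priority order wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        network = ipaddress.ip_network(rule.cidr, strict=False)
        if ip.version == network.version and ip in network:
            return rule.action, rule.name
    if rules:
        return "Deny", "Deny all (implicit)"
    return "Allow", "Allow all (no rules configured)"


def check_policy(rules: List[AccessRule]) -> List[str]:
    """Lint a rule set before deploying it: duplicate priorities make ordering
    ambiguous, unknown actions are rejected, and an empty set leaves the app public."""
    problems: List[str] = []
    seen = set()
    for rule in rules:
        if rule.action not in ("Allow", "Deny"):
            problems.append(f"{rule.name}: unknown action {rule.action!r}")
        if rule.priority in seen:
            problems.append(f"{rule.name}: duplicate priority {rule.priority}")
        seen.add(rule.priority)
        ipaddress.ip_network(rule.cidr, strict=False)   # raises ValueError on a bad prefix
    if not rules:
        problems.append("no rules: app is reachable from any address")
    return problems


if __name__ == "__main__":
    for probe in ("203.0.113.7", "203.0.113.10", "198.51.100.1", "2001:db8:1::10"):
        print(probe, "->", evaluate(RULES, probe))
    print(check_policy(RULES))
```

Run the probes against the policy you intend to deploy before applying it; the implicit deny is the part that surprises people when the first rule is added to a previously open app.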

Alternative to using Azure Cloud service in a CSP subscription

Team,
I have a complete running cloud service application upgraded to latest Azure SDK version and unfortunately need to dump this into a CSP subscription. But I came to know that Azure CSP supports only the Azure Resource Manager model, the cloud service is a classic deployment model. So we cannot create a cloud service within a CSP subscription.
Is there any other alternative within Azure CSP to using "cloud service" so that we can migrate with minimal changes. Please help
Firstly, here are some good reads on Microsoft Docs to help comparing the options available and make decisions based on your requirements:
(I mean requirements like Hosting features, Service Limits, 3rd party software installation and RDP access is required or not, Network isolation to a separate VNET is required or not, Cost considerations, minimum SLA, Regions available, instant deployment and auto-scaling, state management etc.):
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Decision tree for Azure compute services (This one covers a big spectrum: simple virtual machines, Batch, Functions, Containers, AKS, Service Fabric)
Criteria for choosing an Azure Compute Service
Also know that when looking for alternatives, it's not uncommon to make use of multiple compute or other Azure service options by breaking up an older solution into parts at the time of such a migration (e.g. a serverless compute option like Azure Functions + Service Fabric + something else if needed).
Generally speaking (and without knowing much about your application from your question currently), Azure App Service and Service Fabric could be considerations IMHO when migrating from an existing Cloud Service, but this is exactly where detailed requirements help you in decision making.
On a side note, here is a list of Azure Services available in CSP - Available Azure services in Azure CSP

Api Apps Vs Api Management

I am looking for scalable hosting for an API but I am getting a little confused with Azure. Ideally I want something that means I don't have to manage OS updates and security, just deploy my API code.
Is this possible with Azure? What do I need to sign up for?
In general, you are looking for the Platform as a service offer. Check What is PaaS?. For the API deployment you should check the Azure App Services. Azure API Management is for advanced API management or when you want to expose multiple APIs using a single gateway.

Azure Mobile Services - custom authentication provider for all our apps

We plan to use Windows Azure Mobile Services for several of our commercial apps and would like to create a single data store for users instead of creating it for every mobile service. We don't want to use Microsoft or Facebook... providers due to this issue Multiple apps using a single Azure Mobile Service for Live Authentication?
This way, the user data for all our apps is stored in single separate Custom_Auth database and the users won't need to Register again for our other apps. Should we create a separate mobile service that basically enables custom authentication and acts as a provider for other apps?
Do you see any pitfalls with this approach and what steps would I need to take for creating this custom provider as a separate mobile service?
Basically, we want to create our own provider so that a user of one of our apps can log in to the other apps using the same credentials.
I have read through the following links. Posting them here as they may be useful for others starting out with Authentication and Azure Mobile Services.
http://www.thejoyofcode.com/Generating_your_own_ZUMO_auth_token_Day_8_.aspx
http://www.thejoyofcode.com/Fetching_a_basic_user_profile_in_Mobile_Services_Day_9_.aspx
http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
Thanks in advance
Hope this helps you
http://chrisrisner.com/Authentication-with-iOS-and-Windows-Azure-Mobile-Services
Someone created a custom authentication API using AZURE
With Parse.com, you are limited to their backend and unfortunately it doesn't have all the nice features as Azure
MS really messed us around with this
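To show what the "separate mobile service acting as a provider" in the question above would actually have to do, here is an added example; it is not code from the question, from the linked posts, or from Azure Mobile Services, and it does not reproduce the Mobile Services ZUMO token format. It is a minimal HS256 JWT issuer and verifier: the auth service signs a token that names the user and the app it is for, and each app verifies the signature, the pinned algorithm, its own audience and the expiry before trusting the login. App ids, user ids and the secret are constructed.

```python
"""Added example, not code from the original question, the linked posts or
Azure Mobile Services: a minimal token issuer/verifier (HS256 JWT) of the kind a
separate 'custom auth' service would expose so several apps accept one login.
App ids, user ids and the secret are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed: a secret held by the auth service and the apps that verify its tokens.
ISSUER_SECRET = b"constructed-32-byte-demo-secret!!"
APPS = {"shopping-app", "loyalty-app"}   # constructed audience values, one per app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, audience: str, secret: bytes,
                ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Sign {sub, aud, iat, exp}; 'aud' binds the token to exactly one app."""
    if audience not in APPS:
        raise ValueError("unknown app")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, audience: str, secret: bytes,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims when signature, algorithm, audience and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm: never let the token choose how it is verified ('none', key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(c64))
    except ValueError:          # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if claims.get("aud") != audience or not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("alice", "shopping-app", ISSUER_SECRET)
    print("shopping-app accepts:", verify_token(token, "shopping-app", ISSUER_SECRET) is not None)
    print("loyalty-app accepts:", verify_token(token, "loyalty-app", ISSUER_SECRET) is not None)
```

The design point for the multi-app scenario: the user authenticates once against the provider, but each app only accepts tokens minted for its own audience, so a token stolen from one app cannot be replayed against another. If you later want asymmetric keys so apps never hold the signing secret, the verifier still has to pin the expected algorithm rather than read it from the token.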

Active Directory Domain Controller on Azure - Reverse setup

I'm looking to set up AD for our company. We have developed a cloud based app that needs robust permissions abilities, which AD can easily handle. The app is based out of Heroku, which runs on AWS. I really need AD to manage logins and organizational hierarchy.
I'd like to use a cloud based service to act as the primary Domain controller and in the future, setup on-premise servers to provide local authentication to manage file/print and computer services. This is a secondary need to the authentication needs for our app.
Does anyone know if this architecture is possible? That is, an AD DC in Azure with replicated services to other on-premise servers, at a later time? This seems to be the reverse of most setups in Azure. I'm ok with using other cloud services than Azure. It just seems they have the most documentation for cloud AD setups.
Any thoughts or help would be greatly appreciated.
Thanks,
AT
Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Install a new Active Directory forest in Windows Azure
In order to fully validate your scenario, how do you plan to join the Heroku computers to your domain controller? Because joining the server where your application runs would make total sense of what you are trying to achieve.
If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure.
If you plan to just query the AD for organizational structure, I highly suggest that you take a look at Windows Azure Active Directory and its Graph API. This is what you need in the case where you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller.
UPDATE
Please update your question with a better description of "simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it." - I am afraid I can't really understand the application architecture and user login flow here.
