Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
Can you confirm if the connection between a Azure Web App and Azure SQL DB needs to cross the internet if both the Azure Web App and Azure SQL DB would be hosted in the same Azure Region ( such as West US)? I understand that each region is covered by multiple data centers.
Is there some internal network connectivity within the data centers?
I know that we need to use Encrypt=True and TrustServerCertificate=False in the connection string to keep the data encrypted in transit.
Is there any documentation available on the network security between data centers within a region?
The traffic between different data centers within a region is done over a private Microsoft network. In fact, even if both services were hosted in completely different regions, the connection does not go over the public Internet:
Source: https://azure.microsoft.com/en-us/blog/how-microsoft-builds-its-fast-and-reliable-global-network/
Azure traffic between our datacenters stays on our network and
does not flow over the Internet. This includes all traffic between
Microsoft services anywhere in the world. For example, within Azure,
traffic between virtual machines, storage, and SQL communication
traverses only the Microsoft network, regardless of the source and
destination region. Intra-region VNet-to-VNet traffic, as well as
cross-region VNet-to-VNet traffic, stays on the Microsoft network.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
Azure DR strategy what to use Traffic Manager , App Gateway , Load balancer or Azure Front door in terms for HA and high resilience.
Microsoft Azure services like Application Gateway, Front Door, Load Balancer and
Traffic Manager can be divided into two categories:
Global load-balancing services such as Traffic Manager and Front Door distribute traffic from your end users across your regional backends, across clouds and even your hybrid on-premises services.
Regional load-balancing services such as Load Balancers and Application Gateways provide the ability to distribute traffic to virtual machines (VMs) within a virtual network (VNETs) or service endpoints within a region.
When choosing a global load balancer between Traffic Manager and Azure Front Door for global routing, you should consider what’s similar and what’s different about the two services.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite#choosing-a-global-load-balancer
Here is an example of Microsoft Azure DR architecture with Application Gateway, Front Door, Load Balancer and Traffic Manager.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite
https://learn.microsoft.com/en-us/azure/architecture/framework/resiliency/backup-and-recovery
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
Simple question: supposing I have several backend microservices, which are only ever accessed by application software, is it best practice to:
point the application software directly to an IP address? or
Assign a subdomain to the services?
My assumptions are that (1) avoids DNS lookup latency whereas (2) makes it easier to update the system if the IP ever changes. Is there anything else that affects this?
Assigning a subdomain or directly accessing with IP address is not a scalable approach.
I would suggest, point your client application software to an API gateway, which would be the single entry point to these microservices and there should be a service discovery mechanism so that the API gateway can reach to these individual Microservices.
please refer to the following sample diagram.
Client application requesting for data from a specific service and it reaches API gateway
API gateway requests discovery server for the latest reachable address for that specific service
Discovery Service is giving back the latest reachable address
API gateway using that address which it got from the Discovery server to reach the specific service for the resource requested by the client.
All the microservices should be registered with the Discovery server when it spins up.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 2 years ago.
Improve this question
My setup without any geo-replication is pretty simple. I have two VNets. One has my application servers. The other has my managed SQL Instance. They are connected with Azure VNet Peering.
Now, I'm trying to create another managed SQL instance in a different region to setup geo-replication for disaster recovery. This is possible with managed SQL instances.
One of the requirements to enabled geo-replication is to create a Network Gateway with the VNet of the primary database and another Network Gateway with the VNet of the secondary database and create a "Connection" resource between these gateways.
But since I already have a Network Peering setup, I am unable to add a Network Gateway to the VNet of the primary database. It fails with the error code ParentVnetAlreadyUsesRemoteGateways and with the message
Virtual network gateway can not be created since the virtual network primary-db-vnet already uses remote gateways over peering peer-to-app-servers.
This setup of having the database in a different VNet than the App Servers seems like a pretty standard way. If this prevents geo-replication, then seems like I'm missing something.
So, my question is: how do I enable geo-replication while allowing my application servers and database to be in different VNets?
Different phrasing for the question: how do I create a Network Gateway along with VNet Peering on the same VNet?
PS: I've contacted support but they are taking time to get back. If I'm able to resolve it, I'll make sure to post the answer here.
As far as I know from some document, it's impossible to create another managed SQL instance in a different region with VNet peering to set up geo-replication for disaster recovery because
Active geo-replication is not supported by Azure SQL Managed Instance. For geographic failover of instances of SQL Managed Instance, use Auto-failover groups. Read here.
The virtual network peering scenario for SQL Managed Instance is limited to the networks in the same region due to the constraints of global virtual network peering. Read here.
Thus, in this case, you can remove the VNet peering, and instead, you can set up a VNet-to-VNet VPN gateway connection to connect two VNets in this scenario.
Microsoft now provides global peering support for managed instances: https://azure.microsoft.com/en-in/updates/global-virtual-network-peering-support-for-azure-sql-managed-instance-now-available/
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
How do I change my Azure website from using a dynamic IP address to a static IP address?
I want a static IP address that never changes.
I evidently do not have a virtual machine, as illustrated below.
App Service is a PaaS (Platform as a Service) Offering. In PaaS, you don't have access to the server.
The Virtual Machine screenshot that you have shared in of Infrastructure as a Service (IaaS) type. So, App Services will not have IaaS - Virtual Machines and that's the reason why the VMs listing (in your question) is empty.
Now, coming to you question of a Static IP for your app. You can find it in the Custom Domains section of App Service as shown below.
And, this IP Address will change ONLY when you change (especially degrade from a higher tier to lower tier) the App Service Plan. If it doesn't change then you are lucky enough. But, Microsoft doesn't guarantee that it retains the IP Address if you change the App Service Plan's tier.
Another point to note is that you might see the same IP Address for another App Service too. that's completely fine and it works well even if you want to map your own domain to this App Service.
Update:
When the App Service makes calls to another external end point, then it uses altogether another set of IP Addresses called Outbound IP Addresses which could be found in the Properties blade as shown below.
So, you need to share ALL the IP Addresses that are under Additional Outbound IP Addresses to the external WebService team for whitelisting. This way, your problem will be resolved.
Let me know of it makes sense now.
Update2:
For App Service, We can't create & assign a separate Static IP explicitly. If you need a static IP for some reason, then you have to choose Virtual Machines and then assign a Static IP Address to that VM and use the VM to deploy the Website.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
Here is what I am trying to achieve:
I created two Linux VMs in same virtual network (same subnet)
These two VMs don't any public IP address. For security, I don't want to have any public IP associated with them.
However, I need ssh into those VMs. Since, they just have private IP and not public IP addresses, I am setting up a load balancer with public IP.
Now I am using inbound NAT rules to redirect SSH traffic to those VMs.
When I add first NAT rules, it gives me a choice to choose VM to where I want to redirect the traffic to. So all is good so far.
However, when I try to add one more NAT rule, portal UI doesn't provide me any option to choose other VM. It adds the rule against the same VM.
Is there anything am I missing? Is it supposed to work differently? I also tried add multiple virtual machines to backend pool. That also doesn't let me add more than one VM.
Should I put two VMs in VM Scaleset or Availability set?
In Azure, we can use Load balancer with a single standalone VM, also we can use Load Balancer with multiple VMs in an availability set.
If you want to use Load Balancer NAT to multiple VMs, we should re-create VMs in same availability set.
In Azure Resource Module, we can delete VMs and keep the VHD, then use PowerShell to create VMs in the same availability set. (Re-create)