I know that Azure Service Bus is secure while in transit because of SSL, but I'm unable to find any information about if it's encrypted while at rest.
If the content of the message is sensitive in nature, can Azure be relied on to keep messages private while within the Azure infrastructure - or should we implement message security?
As of 4/25/2018, the page that #tyler-pollack referenced, has been updated to specify that encryption at rest is provided at all tiers.
https://learn.microsoft.com/en-us/azure/security/azure-security-encryption-atrest
You can see the update in this github commit: https://github.com/MicrosoftDocs/azure-docs/commit/66214db8a21eefcece6441ae566041b90b2615fa#diff-f55bddd3fba462832c4a2d0e7918f750
You will have to encrypt the data yourself. There are currently no facilities built into the service bus for data at rest.
Service Bus Premium currently supports encryption at rest - https://learn.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#azure-resource-providers-encryption-model-support
Related
With KAFKA one can use SSL certificates. I am familiar with this approach https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=emitter-preparing-ssl-certificates-kafka and that a REST API producer or JAVA program producer can implement this as well for writing KAFKA topics.
From the AZURE docs on Event Hub I cannot determine if, when sending a message to Event Hub with KAFKA API approach, whether this is also possible. I find the stuff hard to follow on AZURE.
I see this https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-for-kafka-ecosystem-overview, but:
The section on Shared Access Signature (SAS) https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-for-kafka-ecosystem-overview#shared-access-signature-sasstating SASL_SSL is that the same as SSL certificates
And what does PLAIN mean?
Note this all pertains to a small account in AZURE with no AD Grouping applied.
My take is that SASL_SSL amounts to the same as SSL that I note at the top of the article and that no AD Groups are needed. Please confirm.
No, you cannot use SSL certificates to authenticate to the Kafka Endpoint of Azure Event Hub. See here for the two possible auth options:
Azure Event Hubs provides multiple options to authorize access to your secure resources.
OAuth 2.0
Shared access signature (SAS)
The latter is basically a password. SASL_SSL is just the protocol and you use it no matter which of the two options you choose. The connection must always be made with SSL encryption enabled but that is different than using certs for auth.
I have a local machine that reads RabbitMQ queue messages.
I wish to move it to cloud. Which Azure service can be used in this case?
I went through event hubs, but I am not sure, if it would read messages from rabbitMQ continuously.
Any suggestions for the service that should be put to use.
You should take a look at Azure Service Bus. It has got FIFO queues as well as publish/subscribe capabilities. However if using Azure managed service is not a strict requirement you can use RabbitMQ on a VM (or a cluster for high availability) as well.
UPDATE: Your response means you want a managed service. There are 2 options - if you want to go with RabbitMQ but do not want to manage the infrastructure you can go for 3rd party service provider like CloudAMQP who will manage it on your behalf. The other option is to go for Cloud native messaging - meaning if you are on Azure you change your messaging service to Azure Service Bus. This would mean changing you code as well.
I have implemented a Proof of Concept in Azure Service fabric that uses Azure Service Bus as a message queue. I'm using nServiceBus within the application to send and respond to messages which makes it very easy to change from one queuing technology to another.
I'd like to know if it's possible to use MSMQ instead of Service Bus in Azure Service Fabric as the nodes that are created are just windows 2016 servers and I'm not sure I need something like Service Bus. It's a question I want to answer with my POC.
Does anyone know whether MSMQ is included in an Azure Service Fabric node or how I could turn it on and if it's a viable solution?
Short answer - MSMQ is not suitable for Azure Service Fabric.
MSMQ is store and forward technology. It's using local file system to persist messages and then forward to another machine. When Service Fabric is going to move service from one node to another, it will not move the file system along. Meaning you'll lose messages.
I would recommend to stay with Azure Service Bus unless there's a good reason you're looking for an alternative.
The way I see it, Azure Service Fabric would maintain the cluster of microservices, and NServiceBus would facilitate the communication between services. I see next to no documentation online about this combination, so I am curious if I am fundamentally mistaken in how these two things work.
You can perfectly run nservicebus inside service fabric, just use the self hosting approach together with the Azure Service Bus transport and potentially the azure storage persistence for sagas.
I've taken note of your request to document this here: https://github.com/Particular/docs.particular.net/issues/2328
We are looking to use Windows Azure to host our existing SaaS platform and extend our functionality and capability. WE will be taking adavantage of both the data storage and application and web service functionality of Azure.
My question is as follows:
Some of our clients will not want Public CLoud access. Since our datastore stores sensitive client data many of them will require our whole system to be hosted internally on their own network and servers.
If we setup a full Azure setup of database and connected applications and processes how difficult is it to be able to duplicate that system for a specific client on their own servers and network using existing Microsoft technologies?
I know its a vague question and I also have a liminted understanding of Azure so whatever information you can provide here would be most appreciated.
Thank you
It sounds like you need the flexibility of a hybrid cloud/on-prem solution. Likely the best solution is the Windows Azure Service Bus. Essentially, you configure a WCF web service in the cloud (SOAP, REST, etc) that performs asynchronous brokered messaging between your on-premise application and your web application. This can be performed using queue messages, for example:
The web application (cloud) requests resources from the brokering service (cloud) by sending a queue message
The service handles the queue message and makes it available to the consuming (on-prem) service
On-prem service checks for new messages from the brokering service, gets the request for data, and returns desired data from DB
On-prem service sends message to brokering service with desired data
Web app (cloud) checks for new messages from the brokering service, then uses the data from on-prem service
Service bus is secure, asynchronous, fault-tolerant, and ensures that both components are decoupled.
Another method is to use Windows Azure Connect, which is a VPN solution that sets up network-level connnectivity. I recommend Service Bus because it promotes a more robust and scalable architecture, and fault-tolerance is high.