I'm using the "App Service" to host my web application. However my application depends on a 3rd party service which requires a static IP. From my investigation I see that I have two options to obtain a static outbound IP.
1-) App Service Environment, which is an expensive premium service
2-) Creating a Virtual Machine
On Azure portal, when I try to create a virtual machine a large list of VMs is displayed. When I select one of them even more options are displayed. Which one is the best for a middle-size web application? What size would be enough?
You dont need to procure a VM to assign static IP for your Azure Website. You can get a static IP for your Azure Web Application. Steps are given below.
1) Make sure your Web App is in either Basic or Standard mode
2) Configure CNAME in DNS for your Web App
3) Create a self-signed SSL certificate
4) Upload an configure the certificate
for more details https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/how-to-get-a-static-ip-address-for-your-microsoft-azure-web-site/
Related
Can you tell me whether the following scenario could be possible?
I want to access an Azure web app through a reverse proxy running on-premise.
The proxy will be responsible to authenticate the users, add a JWT (or SAML) to the request and forward it to my Azure Web App.
The Azure Web App will authorize (or not) the user to perform the request.
Potentially, there can be multiple reverse proxies on different sites.
Anybody has experience with such a setup?
Of course, this prevent the Web App to be globally available but that is not an issue.
Thanks,
An Azure Web App always has a public name and IP, therefor it is possible to bypass your reverse proxy and access directly the app using its public name, or IP.
However, if you need to make the traffic between your reverse proxy and the app private, you got a few options. You can either run your app in a VM or in an App Service Environment. Both offer private network access, i.e. can be added to a virtual network and a VPN tunnel be built to your on-premises network.
Difference between an ASE and a VM is that the VM you manage and maintain, while the ASE is a private PaaS service, i.e. private app service managed and maintained by Microsoft, thus more limited in capabilities than a VM.
Pricewise, a normal Azure Web App is the cheapest option. VM or an ASE are considerably more expensive.
I am planning on using an outsourcing team for data processing and want to avoid them downloading or storing client data on their local machines. To facilitate this, I want to create an Azure VM in which they can do all their work (msoft office, etc.) and access an ASP MVC app hosted as an app service in Azure. The MVC app is integrated with the corporate AD and for the outsourcing logins I want to see if the request is coming from my VM or the internet (the latter gets denied). So far I have:
Created a ASP MVC5 app and an Azure VM
Connected the two via VPN (point to site)
When I attempt to go to the public URL for the website on the VM, I get the "this page can't be displayed" thing, which leads me to believe I'm on the right track (now I have to update the hostfile of the machine to the private IP of the mvc app service app?). How do I do the following:
Connect to the app service via web browser (this needs to be over the vnet so that I can pick and choose in the app code who can login outside the network)
Get the network ip of the app service so I can update the VM hostfile
Am I on the right track here? Thanks in advance!
Your understanding of Azure App service is not accurate. Azure App service cannot be accessed via a private IP. They already sit inside a private vnet. They can be only accessed via public hostname with a common DNS name (azurewebsites.net)
Your scenario requires the Azure Web app and the VM to reside in the same VNET, which is not possible. There is another offering called ILB ASE, which allows you to do this. But it's a more elaborate setup. See this for more information: Using ILB with AN ASE
In your scenario you can restrict access to the web app via IP Restrictions module. See this article: IP & Domain Restrictions in Azure App Service
I understand this not the solution u wanted. What you want can be achieved via ILB ASE, but that is an expensive and elaborate set-up.
HTH
you may want to try using cloud service, though MS recommends App Service, you requirement doesn't fit into App service..
Official documentation from MS: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks-common
Block a specific IP address
You can restrict an Azure web role access to a set of specified IP addresses by modifying your IIS web.config file. You also need to use a command file which unlocks the ipSecurity section of the ApplicationHost.config file.
I have a .NET Web Api project with several REST endpoints that I only want accessed by resources from within an Azure virtual network I have created. Resources such as Azure Functions and Azure Web Roles will access these endpoints only. In other words, I do not want the endpoints publicly available.
So, I configured the Web Api application with my virtual network but apparently I also need to add the Web Api application to an Application Service Environment (which are quite costly from what I have read). To quote the Azure documentation:
VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network.
Do I indeed need to use an Application Service Environment and just deal with the costs or is there another way I can achieve what I want?
I do not want the endpoints publicly available.
Until now, Azure web app only supports for using an internal load balancer with the app service environment feature. If you want to make your Web API can only be accessed internally. An app service environment is required.
If you don't want to move your Web API to app service environment and your Azure function and web role have fixed ip addresses, you could configure the IP whitelist using ipSecurity configuration in your web API. For more information of ipSecurity, link below is for your reference.
IP and Domain Restrictions for Windows Azure Web Sites
I have purchased a Pay-As-You-Go Azure Subscription with the lowest resources (A0 Basic, shared core and 768 MB RAM) and automatically, four services were created for me: a Storage Account, a Virtual Machine, a Cloud Service and a Directory.
On the Virtual Machine I set up my own HTTP server software written in C# using HttpListener class. I added an HTTP Endpoint connecting the private and public port 80 on TCP. Once I've done that, I was able to access my Cloud Service address (Something.CloudApp.net).
I've created a separate Cloud Service on top of 4 service I already had and now I can't figure out how to make that service use the Virtual Machine so I can access the same HTTP server from both DNS names (Something.CloudApp.net versus SomethingElse.CloudApp.net).
The service status of both services is Created if I investigate in the Microsoft Azure Portal, however, only the first service says Running in Production column in Cloud Service list. The other one doesn't. None of the Cloud Services say anything in the Staging column.
I figure I have to set the other service to run in production too, but when I want to do that, the Portal says "You have nothing deployed to the production environment.", "Upload a new production deployment", which opens a dialog prompting me to provide details for a production environment to be newly created.
Is there a way I can make my other Cloud Service use the production environment of the first service?
Is there an alternative way to make my Virtual Machine accessible through two DNS names offered by Azure (CloudApp.net)?
The cloud service is the logical container for the VM and a VM can only be in one cloud service. There is no way to get 2 different *.cloudapp.net URLs to point to the same VM. What you can do is register 2 custom domain names (www.mydomain1.com, www.mydomain2.com) and use CNAME or A Record to point both of them to the same VM.
I'm new to Azure and have set up an Asure web site which will connect to a SOLR instance on an Azure VM. The web site cannot communicate with SOLR (port 8080) unless I create an endpoint. In order to create an endpoint I need to provide an internal and external port, however I do not want to allow external/remote access to SOLR, other than from the web site itself. Can anyone tell me how I should allow the web site to communicate with my VM, without making the VM publicly accessible?
Thank you,
JP
As #hhaggan stated, you cannot create a virtual network connection, or secure an endpoint, from Web Sites to a Virtual Machine. One option to consider is the use of SSL+certificate to secure the endpoint.
If you instead deploy your web application to a web role (in a cloud service) or a virtual machine, you can then take advantage of a brand new feature called Endpoint ACL. In essence, you can whitelist / blacklist a set of IP address ranges that may access your SOLR external endpoint. You can read about ACL'd endpoints, and how to configure them, here.
Now: You might be asking yourself why this doesn't work with Web Sites. That's because Web Sites runs on a server farm, and sites don't get unique IP addresses (unlike Cloud Services).
if you are talking about Windows Azure Websites, I am not sure if this can be done but if you are talking about Web roles in Windows Azure Cloud service, here is something that I hope it can be beneficial.
Connect ASP.NET application to SQL Server in Windows Azure via Virtual Network http://msdn.microsoft.com/en-us/library/windowsazure/jj823135.aspx
you might also would like to have a look on this http://www.windowsazure.com/en-us/services/virtual-network/ I don't think you will need it but I am just sharing it with you, it is for WIndows Azure Virtual Network.
let me know if this solved your problems or if you need anything else.