I have an application running on Bluemix CF and another (client) application running on Softlayer (but does not matter, it could be on any other external data center).
I need the two applications to communicate together (TCP/HTTPS) with bi-directional communication.
If I install the Secure Gateway client on the Softlayer data center, can I get a bi-directional channel?
Or should I use another service? I have a firewall on Softlayer, so maybe I could use a firewall on Bluemix too to filter the incoming IP addresses? But I did not see any firewall service.
You probably want to have a look at the Vyatta service on Softlayer:
http://www.softlayer.com/network-appliances
You should be able to use this as a secure gateway to limit what can talk to your Softlayer app to only traffic coming from Bluemix (it may take a little trial and error to work out the external range for Bluemix).
If your application on Softlayer is protected with an SSL/TLS connection, then you should be able to have both directions protected by a suitable level of encryption (Bluemix apps get HTTPS by default).
My Azure setup involves two web apps and a PostgreSQL server. One of the web apps is a Node frontend, which should be available to the public. The other is a Python backend, which receives requests from the Node app and communicates with the Postgres database. The Python app contains HTTP endpoints that should not be available for anyone to access.
What is the recommended approach to protecting this Python app from unwanted traffic? Should I be blocking traffic outright through some sort of Azure configuration, or simply authenticating my HTTP requests?
I've tried only allowing the outbound IPs of the Node app to communicate with the Python app, via the Azure configuration. However, this seems to have left the Python app unable to communicate with the database, and additionally I can't even SSH or view its logs with this configuration.
It really depends on what your requirements are. If cost is no option, one way to protect the Python app is to put it on an App Service Environment (ASE). This is an isolated instance of Azure Web Apps that you can protect behind an Internal Load Balancer. This solution will give you more security, as you can enable a Network Security Group to block out Internet traffic, and you could set up your Node app to communicate with your VNet with a VPN. This approach is also one of the more expensive approaches for a PaaS Web App.
Other options include setting up your "back-end" Python app as IaaS (but then you have to manage the updates), or you can use an App Gateway or a 3rd-party WAF device like KEMP (they have a 200 MBps device that is free) to protect your app.
Finally, you can look at a scalability design where you put a queue or some other intermediary between your two web apps. This will allow for independent scaling and give you the opportunity to lock down the Python app to only accept messages from the queue, not your front-end. A sample arch can be seen here (you can sub the function in this arch for your Python app).
We are migrating our website to the Azure platform in the PaaS model. Our website needs to communicate with our back office system using web services.
Currently the Back Office system is in a provider's data center, and we have a firewall which enables web service communication for specific IPs.
Now that the website is going to be hosted on Azure in the PaaS model, can someone please advise which IP address we need to add to the whitelist of our Back Office firewall?
Please note we want to set up our web app to be scaled out to multiple instances.
Will each instance be able to communicate with our Back Office?
Regards
Umesh Deshmukh
Can someone please advise which IP address we need to add to the whitelist of our Back Office firewall? Please note we want to set up our web app to be scaled out to multiple instances. Will each instance be able to communicate with our Back Office?
For the long term, a Hybrid Connection is much better. If you still want to whitelist the outbound IPs of the web app service, you can find the possible outbound IP addresses in the "Additional Outbound IP Addresses" setting of the web app properties. You can't know beforehand which IP address a given app instance will use to make the outbound connection, so your back-end service must open its firewall to all the outbound IP addresses of your app. You can get more details about Inbound and outbound IP addresses in Azure App Service.
You could use Azure Service Bus Relay to connect your web app to your on-premises database that's behind the firewall. Azure service bus relay uses internet port 80 so there should be no firewall issues. Hope it helps.
Within an App Service is a feature called a Hybrid Connection, which can be found under the Networking section of the App Service you want to connect to your back office.
You will create a new Hybrid Connection via the Portal.
Complete the form with the information that pertains to the back office system you want to connect to. You should always use a Fully Qualified Domain Name for all your back office systems. If you are connecting to multiple back office systems, you will need one Hybrid Connection for each one.
A Hybrid Connection relies on a Service Bus Relay to communicate with your on-premises resources.
You will install the Hybrid Connection Manager in your on-premises systems and connect it to the Service Bus Relay you created in the portal.
Once the Hybrid Connection you create in the Portal has been connected to a Hybrid Connection Manager (called a Listener), the connection will show as Connected in the Portal.
Once connected, an application running in an App Service will be able to communicate with your on-premises resources as if they were sitting right next to each other. There is going to be some inherent latency involved with using a Hybrid Connection, and this should be planned for. The latency we have seen using Hybrid Connections has been minimal and is usually barely noticeable. I have even heard that people are streaming media from on-premises systems using Hybrid Connections.
More information about Hybrid Connections can be found here.
I've made a couple of tests and, as far as I've understood, Azure Relay requires the listener to explicitly connect to the bus. In our scenario, we would like to use it from a VM in Azure (or a different system on the Internet) to connect to an existing On-Premise resource that cannot be modified to support Hybrid Connections. I've also tested the Hybrid Connection Manager, and I wasn't able to find any documentation on how to create a client that connects to a Hybrid Connection that routes the traffic to the target system by using the Hybrid Connection Manager. It works from an Azure Web App, but they are not a viable solution in our scenario.
Is it possible to use the Hybrid Connection Manager from outside an Azure Web App?
I've dug two more days to find an answer, and from this article it seems it's not possible:
https://learn.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview
Hybrid Connections provide an easy and convenient way to connect the Web Apps feature in Azure App Service (formerly Websites) and the Mobile Apps feature in Azure App Service (formerly Mobile Services) to on-premises resources behind your firewall.
And it sounds correct, since they require some adjustments at the network level that are made under the hood by Azure: the mobile app makes a specific DNS query and the Azure internal DNS returns a 'ghosted' IP that offers an entrance to the hybrid connection tunnel at the requested port. The hybrid connection then 'forwards' the TCP stream to the on-premise Hybrid Connection Manager, which proxies the request toward the real IP of the service. In this way, hybrid connections do not break any SSL connections, since the target DNS host is the same as the final SSL endpoint.
However, digging a bit more, I've found two examples that offer a pre-elaborated solution that is helpful in my scenario:
Hybrid Connections Reverse Proxy
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/hcreverseproxy
Port Bridge
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/portbridge
We need to develop an integration between an ERP (Dynamics NAV) and a cloud-based telephony provider.
The provider needs to have an endpoint published and accessible from the Internet, but for security reasons it is not possible for us to allow inbound connections to our network. I think it should be possible to solve this by hosting a small application in Azure which will serve as the endpoint for the telephony provider and to which the ERP will connect with an outbound persistent connection. The app will just forward requests to the ERP.
Since I'm new to Azure, the question is which Azure capabilities I could use to solve the task, aside from hosting an actual VM with the application there?
I've just implemented the same using Azure Service Bus.
The VOIP system is putting a small JSON with the call details after the end of the call, and I'll get the messages from the Service Bus Queue from NAV.
The code is not complicated at all; the whole solution is simple and cheap!
Let me know if you want to know more (= you need the code).
Cheers!
Azure AD has the concept of an "application proxy" that will open internal applications up using a connector that runs on prem. This doesn't require inbound ports and is protected by Azure AD authentication.
It's intended more as a user-facing way to get access to legacy applications, although I don't see why it couldn't be used for integration as well.
https://learn.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal
Otherwise, you could link up an Azure Site-to-Site VPN and use a service like API gateway to manage connections, though this is more complicated.
Hi, we have a UI component deployed to Bluemix on Node.js which makes REST service calls (JSON/XML) to services deployed in a data center. These calls will go through the IBM DataPower gateway as a security proxy.
DataPower establishes an HTTPS mutual authentication connection (using certs that are exchanged offline) to the caller.
Although this method is secure, it is time-consuming to set up, and if this connection is set up for each service request it will create a slow response for the end user.
To optimize response time we are looking for any solution which can pool connections between the Node.js app deployed on Bluemix and the DataPower security proxy. Anyone has any experience in this area?
In regards to "it is time-consuming to set up", in DataPower you can create a multi-protocol gateway (MPGW) in front of your services to act as a router. The MPGW will match service calls based on their URI and route them accordingly. In this scenario, you will only need to configure a single endpoint in the Bluemix Cloud Integration service in order to work with all your services. One downside to this approach is that it will be harder to control access to specific on-premise services, because they will all be exposed to your Bluemix app as a single service.
In regards to optimizing response times, where are you seeing the bottleneck?
If the establishment of the TCP connections is causing too much overhead, you should be able to configure your Node.js app to use or re-use persistent connections via keepalive settings, or you can look into setting up a connection pool that manages that for you (e.g. https://www.npmjs.com/package/generic-pool seems a popular choice).
On the DataPower side, make sure the front/back persistent timeout is set according to your requirements: http://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.2.0/com.ibm.dp.doc/mpgw_availableproperties_serviceview.html?lang=en
Other timeout values in DataPower can be found at http://www-01.ibm.com/support/docview.wss?uid=swg21469404