What port does Azure Mobile Service use? - security

I'm currently developing a mobile application, which leverages Azure Mobile Service as the server side.
However, due to some constraints of our corporate network, I'm not able to get my SQL database data from Mobile Service. I have 2 questions here in order to solve the problem.
Exactly which port does Azure Mobile Service use?
By default, which port does the Mobile Service use to talk to Azure SQL database? Is that port 1433 as well?
http://blogs.msdn.com/b/brunoterkaly/archive/2012/02/07/azure-ports.aspx
I found this article, "Outbound ports that have to be opened for Azure development", but it doesn't talk about Azure Mobile Service.
Please kindly help me.

Azure Mobile Services is essentially a web API, so app -> backend communication is done over port 443.
Mobile backend -> database communication is governed by the connection string used; by default, port 1433 will be used.
To access on-premises databases, consider using Hybrid Connections.

Related

Enabling Azure PaaS web app to communicate with back office

We are migrating our website to the Azure platform in the PaaS model. Our website needs to communicate with our back office system using web services.
Currently the back office system is in a provider's data center, and we have a firewall which enables web service communication for specific IPs.
Now that the website is going to be hosted on Azure with the PaaS model, can someone please advise which IP address we need to add to the whitelist of our back office firewall?
Please note we want to set up our web app to be scaled out to multiple instances.
Will each instance be able to communicate with our back office?
Regards
Umesh Deshmukh
"Can someone please advise which IP address we need to add to the whitelist of our back office firewall. Please note we want to set up our web app to be scaled out to multiple instances. Will each instance be able to communicate with our back office?"
For the long term, a Hybrid Connection is much better. If you still want to whitelist the outbound IPs of the web app service, you can find these possible outbound IP addresses in the "Additional Outbound IP Addresses" setting of the web app properties. You can't know beforehand which IP address a given app instance will use to make the outbound connection, so your back-end service must open its firewall to all the outbound IP addresses of your app. You can get more details about inbound and outbound IP addresses in Azure App Service.
You could use Azure Service Bus Relay to connect your web app to your on-premises database that's behind the firewall. Azure Service Bus Relay uses internet port 80, so there should be no firewall issues. Hope it helps.
Within an App Service is a feature called a Hybrid Connection, which can be found under the Networking section of the App Service you want to connect to your back office.
You will create a new Hybrid Connection via the Portal.
Complete the form with the information that pertains to the back office system you want to connect to. You should always use a Fully Qualified Domain Name for all your back office systems. If you are connecting to multiple back office systems, you will need one Hybrid Connection for each one.
A Hybrid Connection relies on a Service Bus Relay to communicate with your on-premises resources.
You will install the Hybrid Connection Manager in your on-premises systems and connect it to the Service Bus Relay you created in the portal.
Once the Hybrid Connection you create in the Portal has been connected to a Hybrid Connection Manager (called a Listener), the connection will show as Connected in the Portal.
Once connected, an application running in an App Service will be able to communicate with your on-premises resources as if they were sitting right next to each other. There is going to be some inherent latency involved with using a Hybrid Connection, and this should be planned for. The latency we have seen using Hybrid Connections has been minimal and is usually barely noticeable. I have even heard that people are streaming media from on-premises systems using Hybrid Connections.
More information about Hybrid Connections can be found here.

Connecting to a Hybrid connection served by the Hybrid connection manager

I've made a couple of tests, and as far as I've understood, Azure Relay requires the listener to explicitly connect to the bus. In our scenario, we would like to use it from a VM in Azure (or a different system on the Internet) to connect to an existing on-premises resource that cannot be modified to support Hybrid connections. I've also tested the Hybrid Connection Manager, and I wasn't able to find any documentation on how to create a client that connects to a Hybrid connection that routes the traffic to the target system by using the Hybrid Connection Manager. It works from an Azure Web App, but they are not a viable solution in our scenario.
Is it possible to use the Hybrid Connection Manager from outside an Azure web app?
I've dug two more days to find an answer, and from this article it seems it's not possible:
https://learn.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview
"Hybrid Connections provide an easy and convenient way to connect the Web Apps feature in Azure App Service (formerly Websites) and the Mobile Apps feature in Azure App Service (formerly Mobile Services) to on-premises resources behind your firewall."
And it sounds correct, since they require some adjustments at the network level that are made under the hood by Azure: the mobile app makes a specific DNS query and the Azure internal DNS returns a 'ghosted' IP that offers an entrance to the hybrid connection tunnel at the requested port. The hybrid connection then 'forwards' the TCP stream to the on-premises Hybrid Connection Manager, which proxies the request toward the real IP of the service. In this way, hybrid connections do not break any SSL connections, since the target DNS host is the same as the final SSL endpoint.
However, digging a bit more, I've found two examples that offer a pre-built component that is helpful in my scenario:
Hybrid Connections Reverse Proxy
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/hcreverseproxy
Port Bridge
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/portbridge
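Both samples linked above are Azure Relay Hybrid Connection clients, and every such client starts the same way: it signs a shared access signature for the hybrid connection and opens a WebSocket to the relay on port 443. The block below is an added example (it is not code from the samples or from the original answer) that builds that token, verifies it locally the way the service will, and assembles the connect URL. The namespace, path, policy name and key are constructed placeholders; the token format (`sr`, `sig`, `se`, `skn` over `urlencode(resource) + "\n" + expiry` with HMAC-SHA256) and the `$hc` endpoint with `sb-hc-action` and `sb-hc-token` are the documented Service Bus / Relay conventions.

```python
"""Build and verify the SAS token and WebSocket URL an Azure Relay Hybrid
Connection client needs. Added example, not the Azure samples' code.
Namespace, path, key name and key below are constructed placeholders."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, quote_plus

# Constructed placeholders (assumptions): use your own namespace, hybrid
# connection path and a SAS policy that has Send rights for a client.
NAMESPACE = "contoso-relay"
HC_PATH = "backoffice-sql"
KEY_NAME = "RootManageSharedAccessKey"
KEY = "c2VjcmV0LWtleS1wbGFjZWhvbGRlcg=="  # constructed, not a real key


def resource_uri(namespace, path):
    """The resource the token is scoped to: the hybrid connection itself."""
    return f"https://{namespace}.servicebus.windows.net/{path}"


def make_sas_token(namespace, path, key_name, key, expiry):
    """Service Bus / Relay shared access signature.
    string-to-sign = urlencode(resource) + "\\n" + expiry (Unix seconds)
    signature      = base64(HMAC-SHA256(key, string-to-sign))"""
    sr = quote_plus(resource_uri(namespace, path))
    string_to_sign = f"{sr}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    # safe="" so '+', '/' and '=' in the base64 signature are percent-encoded
    sig = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"


def verify_sas_token(token, namespace, path, key, now):
    """Recompute the HMAC over the claimed resource and expiry, as the relay
    does; rejects expired, tampered or wrongly encoded tokens. Running this
    locally catches a wrong key or encoding before the WebSocket is opened."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):], keep_blank_values=True)
    try:
        sr = fields["sr"][0]
        sig = fields["sig"][0]
        se = int(fields["se"][0])
    except (KeyError, ValueError, IndexError):
        return False
    if sr != resource_uri(namespace, path) or se <= now:
        return False
    string_to_sign = f"{quote_plus(sr)}\n{se}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    return hmac.compare_digest(expected, sig)


def connect_url(namespace, path, token, action="connect"):
    """WebSocket endpoint on the relay. A listener (what the Hybrid Connection
    Manager is) uses sb-hc-action=listen; a client uses sb-hc-action=connect.
    Both go out over 443, which is why the tunnel passes corporate firewalls."""
    if action not in ("connect", "listen"):
        raise ValueError("action must be 'connect' or 'listen'")
    return (f"wss://{namespace}.servicebus.windows.net/$hc/{path}"
            f"?sb-hc-action={action}&sb-hc-token={quote(token, safe='')}")


if __name__ == "__main__":
    import time
    tok = make_sas_token(NAMESPACE, HC_PATH, KEY_NAME, KEY, int(time.time()) + 3600)
    assert verify_sas_token(tok, NAMESPACE, HC_PATH, KEY, now=int(time.time()))
    print(connect_url(NAMESPACE, HC_PATH, tok))
```

Keep the token lifetime short (the sample above uses one hour) and scope the policy to a Send-only rule on the hybrid connection rather than the namespace-wide manage key; anything holding that token can open the tunnel to whatever the on-premises listener forwards to.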

Web Apps behind Azure Application Gateway - what is the IP of outgoing requests

I have multiple web apps on Azure that I want to put behind an Application Gateway in order to use a single domain name with path routing.
However, my web apps need to connect to a DB outside of Azure. So I wonder what the IP of the requests from these web apps to the DB will be. I hope it will be the gateway public IP, so I only have to authorize one IP at my DB provider, but I can't find any docs to confirm it (or not).
"So I wonder what the IP of the requests from these web apps to the DB will be."
If you want your web apps to connect to a database outside Azure, you may need an App Service Environment, because the Web Apps need a VNet to connect to other resources. Also, since the database is outside Azure, you need to create a VPN gateway to connect to it. This connection is between the Web App and the database, not between the Application Gateway and the database.
So, the IP of requests from those Web Apps is not the IP of the Application Gateway; it depends on the VNet in the App Service Environment.
This picture explains how this environment works:
"I hope it will be the gateway public IP, so I only have to authorize one IP at my DB provider, but I can't find any docs to confirm it (or not)."
Also, if you still want to use one IP to connect to other resources, you can add an Internal Load Balancer to achieve that.
You can see more details in Integrating your ILB ASE with an Application Gateway to help you deploy resources.
Please let me know if this answer helps.
I would suggest using the Azure Web App's Hybrid Connection. This provides a TCP tunnel in a secured fashion between your Azure web app and your SQL DB. There is a service bus in between, and you have to install the relay agent in your network, which does the outgoing communication to this service bus.
Hybrid connection diagram
Details are at:
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
The app gateway's public IP address can't be leveraged, nor is it necessary, to manage connections between Azure Web Apps and databases outside of Azure. The web apps have their own IP addresses.
On another note, my blog post may be useful to understand the architecture and configuration between app gateway and Azure web app.
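The answer just above and the earlier "whitelist the outbound IP" answer on this page make the same point: the back-office or database firewall has to allow every address in the app's possible outbound list, not just the ones in use today, because a scale-out or plan change can move an instance onto one of the others. The following is an added example (not code from either answer) that audits a firewall allowlist against those two App Service properties. The three comma-separated strings are constructed samples in the form the `outboundIpAddresses` and `possibleOutboundIpAddresses` properties expose; the addresses are documentation ranges, not real ones.

```python
"""Audit a back-office firewall allowlist against an App Service's outbound
IPs. Added example, not from the original answers; all addresses are
constructed samples (RFC 5737 documentation ranges)."""
import ipaddress

# Constructed sample: addresses the app uses right now.
CURRENT_OUTBOUND = "203.0.113.10,203.0.113.11,203.0.113.12"
# Constructed sample: every address the app may ever use (scale-out, plan move).
POSSIBLE_OUTBOUND = "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.20,203.0.113.21"
# Constructed sample: what the back-office firewall allows today. Note it was
# populated from the current list and carries one entry that is not ours.
FIREWALL_ALLOWLIST = "203.0.113.10,203.0.113.11,203.0.113.12,198.51.100.5"


def parse_ips(csv):
    """Parse a comma-separated address list into a set of ip_address objects.
    Anything that is not a single valid address (typo, CIDR, hostname) raises
    ValueError, so a malformed allowlist cannot silently pass the audit."""
    out = set()
    for item in csv.split(","):
        item = item.strip()
        if item:
            out.add(ipaddress.ip_address(item))
    return out


def _sorted(addrs):
    # IPv4 and IPv6 objects do not compare with each other; sort by family then value.
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def allowlist_report(possible_csv, current_csv, allowlist_csv):
    """Return (missing, stale, current_only):
    missing      - app addresses the firewall must still add
    stale        - allowlist entries that belong to no app address (review them)
    current_only - True when the firewall covers today's addresses but not the
                   possible ones, i.e. it will break on the next scale-out"""
    possible = parse_ips(possible_csv)
    current = parse_ips(current_csv)
    allowed = parse_ips(allowlist_csv)
    missing = _sorted(possible - allowed)
    stale = _sorted(allowed - possible)
    current_only = current <= allowed and not possible <= allowed
    return missing, stale, current_only


if __name__ == "__main__":
    missing, stale, current_only = allowlist_report(
        POSSIBLE_OUTBOUND, CURRENT_OUTBOUND, FIREWALL_ALLOWLIST)
    print("add to firewall :", missing)
    print("review / remove :", stale)
    print("scale-out risk  :", current_only)
```

Feed it the real property values (the portal's Properties blade, or `az webapp show` with the two property names above) and treat a non-empty `missing` list or `current_only == True` as a deployment blocker; the stale entries are the ones to reconcile with whoever owns the firewall.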

Microsoft Azure hosted database and firewalls

I am doing mobile development in Xcode and using a hosted database from Microsoft Azure.
I noticed there are firewall settings on Microsoft Azure in order to add clients.
How will this work when the mobile app is deployed? Should all ports be opened on the database? Or do I need to use web services?
"How will this work when the mobile app is deployed? Should all ports be opened on the database? Or do I need to use web services?"
You should definitely NOT open all ports, and direct connectivity to the database from mobile apps is strongly discouraged.
The recommended way would be to use some kind of service layer sitting between your mobile app and the database. All the requests from the app should go to this service layer, which will perform the database operations. This service layer could be deployed as an Azure Mobile App Service, an Azure API App Service, or a Web API hosted in Azure Web Apps Service.

Expose corporate web services to Azure web role

We have corporate web services with back ends such as SAP, CRM, etc. We would like to expose this web service (a Java web service) so that an Azure web role can connect to corporate intranet web services.
Could someone please suggest which of the below technologies will fit, and why:
1. Windows Service Bus
2. Windows Azure Connect
3. VPN (Virtual Network)
Service Bus will require some effort to get working, but is a good solution if your corporate network overlords are very picky about exposing endpoints. Windows Azure Connect creates a VPN-like tunnel, but requires that specific software be installed, configured and maintained. I have an app that successfully uses virtual networking and utilises existing VPN gateways and skills, which is very understandable to the security and networking people.
