We are planning to rent have two VMs (one for Web Server and another for Database server) on Azure. I would like to know what would be the best way to communicate Database server from web server.
Direct communication using DNS.
Keep both the VMs in Cloud service and use host name to communicate.
Form a virtual network and use the persistent virtual machine IP address to connect to.
Thanks In Advance
you don't want to use the Clud Service host name to communicate between the VMs.
If you want to use DNS, you have to provide DNS - you don't need that too.
For that particular scenario, I would recommend something even simpler:
Put the VMs in the same Cloud service
Do not go for any Virtual Network or DNS Solutions
Use VM Name to connect between the machines.
when the VMs are deployed in the same Cloud Service and not in Virtual Network, Windows Azure provides automatic name discovery. The simplest approach is usually the best.
For more information on name resolution scenarios in Windows Azure, read this paper.
Related
I have created a Virtual Network, when deploying a VM in it, it's unavailable from Internet, and available when I connect via VPN. (And that's what it's supposed to do).
But when I deploy a Cloud Service (and the Cloud Service is correctly deployed in the Virtual Network as I can see it in the VN resources list), it's still available from Internet.
How can I secure the access of a Cloud Service ? I don't want it to be accessible by every one, just by VPN and from dedicated IPs.
Finally I found that by default Cloud Services have EndPoints configured. By adding ACLs to it (http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx) I can isolate them into the Virtual Network.
If you do not want the cloud service to be accessible from the Internet, the better way to protect is to remove the endpoints. If you want to ACL the instances at the Virtual Network/Subnet level consider using this article
I have an Azure Cloud Service (Worker Role) that needs to connect to my Azure SQL database and also connect to an external database.
In development the external database was on the public Internet and connectivity was not a problem.
However, the solution now needs to be deployed in a production environment and access to the external database is to be restricted by setting up a Virtual Network.
The Cloud Service, when deployed in the Virtual Network, gets an IP from the subnet, but seems to become inaccessible to the outside world, and is not connecting to the Azure SQL database (I also cannot RDP to it).
This seems to be beyond my level of understanding of networking, but I don't see why it should lose access to its neighbours in the Azure environment.
What am I missing? Do I need to get involved with Endpoints? Is the Virtual Network misconfigured?
Thanks in advance.
Your question is quite vague, in terms that it does describe the whole picture in the best possible way. Let me put my answer based on my understanding about your issue.
First of all - Azure virtual Network is Virtual Network. It is designed to enable secure cross-premisses connectivity with Windows Azure Data Center.
When you deploy a proper PaaS Cloud Service (Worker Role / Web Role) in a Virtual Network, the role instances get IP Addresses allocated from the defined DHCP pool (the VNet Definition).
When you deploy any service in an Azure Virtual Network you have to take care of Name Resolution! Meaning that, if you do not provide a proper DNS Server, your cloud instances will not be able to resolve any address. That includes Azure SQL Database servers. More on Name Resolution can be read here.
Next, but not less important - Azure SQL Database servers are not part of, and, as of March'2013, cannot be added to Azure Virtual Network!
The last statement means that in order for your Worker Role to access Azre SQL Database server, you need to provide a proper DNS server in your Azure Virtual Network.
And lastly, when you deploy a PaaS service into a Virtual Network, in order to access it via Remote Desktop need to:
* Properly enable and configure RDP extension. it will anyway create Input Endpoint. But this is the only way to enable RDP on PaaS right now;
* You could probably enable RDP via PowerShell startup script and access RDP via the VPN tunnel for the Virtual Network - say you configured a Site-to-Site or Point-to-site VPN for your Azure VNet.
Check the building cross-premises Virtual Network guide here.
How to create 2 connected virtual machines in Windows Azure to be able to deploy Two-Tier-Architecture solution ?
Let me clarify the scenario, Currently I am using 1 virtual machines in Windows Azure where I have the SQL Server 2008 DB installed AND the ASP.NET solution.
However, I want to create a very simple Two-Tier-Architecture where the SQL Server 2008 DB is installed on Server1, and the ASP.NET solution is deployed on Server2.
So, How to accomplish that? I mean, How to connected those two separate virtual machines? And how they can work together to run one single solution?
Could you please help me out in this scenario ?
Thanks !
Seems like a lot of attention being given to Virtual Networks. That's fine, but... if all you're trying to do is create a multi-tier app with a handful of VMs working in conjunction with each other, you can simply create multiple VMs within the same cloud service (that is, they all live in xyz.cloudapp.net).
They'll all sit behind a single public IP address, but consider your case where you have a web server and a database server:
Expose ports 80 and 443 specifically for the web server(s) (you can have multiple, and load-balance the ports across these VMs
Don't expose any public ports for the database server
Once deployed to the same cloud service, each VM in the cloud service can talk directly to any other VM in the cloud service, using the host name you assigned to it.
You can also deploy your web and database tiers to different cloud services, and still communicate between them without a Virtual Network. If you open, say, port 1433 on your database server, now your web tier can simply open a connection to yourdb.cloudapp.net:1433. Of course, this means the entire world can do the same, but... you can apply an endpoint ACL (access control list) on yourdb.cloudapp.net port 1433, and allow only the public VIP of your web tier's cloud service.
You'd need a Virtual Network if your web and database tiers are in separate cloud services and you don't want any exposed ports on your data tier, and you don't want to go through the built-in load balancer.
You should utilise Virtual Networking (http://www.windowsazure.com/en-us/services/virtual-network/). Additionally you can configure the two machines as part of a single Cloud Service to ensure they are encapsulated together and available publicly via a single cloudapp.net address. Note that to benefit from the Azure SLA you should run two instances of each tier (web / DB).
Note that you can't add an existing VM to a new Virtual Network.
You can create a virtual network and then add both servers in the same network if they are on different cloud services (which is the default when using quick create). But you can't do this to servers that have been created so you will need to detach your disks create 2 new servers in the new network and then reattach your disks to the new servers.
If you are planning on using a DC then create 2 subnets in your virtual network and put your DC in one and the servers in the other as you don't want your DC getting a different IP.
I'm new to Azure (strike 1) and totally suck at networking (strike 2).
Nevertheless, I've got two VMs up and running in the same virtual network; one will act as a web server and the other will act as a SQL database server.
While I can see that their internal IP addresses are both in the same network I'm unable to verify that the machines can communicate with each other and am sort of confused regarding the appropriate place to address this.
Microsoft's own documentation says
All virtual machines that you create in Windows Azure can
automatically communicate using a private network channel with other
virtual machines in the same cloud service or virtual network.
However, you need to add an endpoint to a machine for other resources
on the Internet or other virtual networks to communicate with it. You
can associate specific ports and a protocol to endpoints. Resources
can connect to an endpoint by using a protocol of TCP or UDP. The TCP
protocol includes HTTP and HTTPS communication.
So why can't the machines at least ping each other via internal IPs? Is it Windows Firewall getting in the way? I'm starting to wonder if I've chose the wrong approach for a simple web server/database server setup. Please forgive my ignorance. Any help would be greatly appreciated.
If both the machines are in the same Virtual Network, then just turn off Windows Firewall and they will be able to ping each other. Other way is to just allow all incoming ICMP traffic in Windows Firewall with Advanced Settings.
However there is a trick. Both the machines will see each other by IP Addresses, but there will be no name resolution in so defined Virtual Network. Meaning that you won't be able to ping by name, but only by direct IP address. So, if want your Website (on VM1) to connect to SQL Server (on VM2), you have to address it by full IP Address, not machine name.
The only way to make name resolution within a Virtual Network is to use a dedicated DNS server, which you maintain and configure on-premises.
This article describes in details name resolution scenarios in Windows Azure. Your particular case is this:
Name resolution between virtual machines and role instances located in
the same virtual network, but different cloud services
You could potentially achieve name resolution, if you put your VMs is same cloud service. Thus you will not even require dedicated virtual network.
If your VMs are inside a Virtual Network in Azure, then you have to make sure two things.
Required Port is enabled.
Firewall is disabled on the server.
I was trying to connect to one VM where SQL Server DB was installed, from another VM. I Had to enable 1433 port in the VM where SQL was installed. For this you need to add an MSSQL endpoint to the VM on the azure management portal. After that i disabled windows firewall. Then i was able to connect to the VM from another.
Here is my scenario:
I have three Windows VMs on Windows Azure (which is at its preview stage right now) and all the VMs are connected to each other, in other words they are under the same cloud service. What I need to do now is that I will use one VM only for Redis and the other two VMs need to talk to it. I don't wanna open up the redis to the whole World for several reasons and one of them is that I don't want to talk to it through the load balancer. I want my VMs to talk to it directly (as explained here: Bypass the load balancer when communicating servers between each other).
I consider using MSOpenTech implementation of Redis. Any I idea how I can configure a structure like this?
Running Redis on A Windows Azure Virtual Machine (Windows or Linux) is exactly same as any other machine so I don't think you will met any problem there.
If you have one instance of Virtual Machine it is not configured through Load Balancer and you can see that when you will add endpoint to your VM. Only if you have more then 1 instances of a virtual machine, and then you add endpoint, then you will have a chance to configure the load blanacer for that specific endpoint. In your case as you want to run Redis on one single VM, you are really not behind load balancer.
IF you want to have your all 3 machines talking to each other you can create a virtual network and provision all 3 machines withing this VNET so they can talk to each other the way you want.
I figured this out by trying it out. Here is the solution:
SignalR with Redis Running on a Windows Azure Virtual Machine