Windows Azure - a common data access layer? - azure

I've been working through this tutorial to get started with cloud services in Azure.
The project has one web role and two worker roles, and they share similar code for accessing the storage tables. Could I have a common data access layer shared between them? Would I create a separate role for this? I'm not really sure where to start.

Yes, you can, but is that what you want? If they share the same access layer, all services will access the same database.
You just need to add the Windows Azure Storage NuGet package and access your storage account (blobs, tables, queues...).

Related

Migrate single VM to azure

We are trying to migrate a VM in a private cloud to azure. This VM has multiple web applications and databases. We don't have access to the virtualization, just access to this single VM.
Can anyone suggest how we can do the migration to azure with just having access to the VM itself?
Regards
Anup
As far as I know, and as per the document, we can't migrate a single VM without having access to the virtualization,
because while processing the migration you need to generate a project key, for which you need access to the virtualization.
You can go through the Microsoft document for further details.

Is there any instance profile available in Azure like in AWS?

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
A mechanism very similar to AWS instance profiles is Managed Service Identity (MSI) for Azure, which was announced in September 2017, though at the time of this writing, it is still in preview. I didn't try it out yet, but it does work the same way as instance profiles on AWS do, by automatically authenticating the VM to a meta-data service and allowing you to query for additional credentials without having to hardcode it into your code or image.
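The token exchange this answer describes, as an added example that is not part of the original post: a VM with a managed identity asks the metadata service for a short-lived token instead of carrying a stored secret. The `api-version` value, the storage resource URI and the sample response are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Link-local metadata endpoint; only reachable from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"  # assumption: a version later than the preview above

# Constructed sample of the JSON body the endpoint returns (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.sample.token",
    "expires_on": "1700003600",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})

def build_token_request(resource):
    """Build the GET request for a token scoped to `resource`."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    req = urllib.request.Request(IMDS_TOKEN_URL + "?" + query)
    # The metadata service rejects requests that lack this header.
    req.add_header("Metadata", "true")
    return req

def parse_token_response(body, now, min_lifetime=300):
    """Return (auth_headers, expires_on); refuse tokens about to expire."""
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    expires_on = int(doc["expires_on"])  # epoch seconds, sent as a string
    if expires_on - now < min_lifetime:
        raise ValueError("token too close to expiry; request a fresh one")
    return {"Authorization": "Bearer " + doc["access_token"]}, expires_on

def fetch_token(resource, now):
    """Live call; works only on an Azure VM with a managed identity."""
    # Empty ProxyHandler: never send the metadata request through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_token_request(resource), timeout=2) as resp:
        return parse_token_response(resp.read(), now)

if __name__ == "__main__":
    headers, expires_on = parse_token_response(SAMPLE_RESPONSE, now=1700000000)
    print(sorted(headers), expires_on)
```

Nothing secret is stored in the code or the image; access is decided by the role assignments granted to the VM's identity.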
Azure also supports IAM.
Microsoft Azure identity and access management solutions help IT protect access to applications and
resources across the corporate data center and into the cloud. This enables additional levels of validation,
such as multifactor authentication and conditional access policies. Monitoring suspicious activity through
advanced security reporting, auditing and alerting helps mitigate potential security issues.
For more detailed information, please refer to this link.
Update:
You do have the ability to create Signed Access Signatures for all three Windows Azure Storage services (BLOBs, Queues and Tables) as well as for Windows Azure Service Bus Brokered Messages (Queues, Topics & Subscriptions). I had a similar question to yours; maybe you could check it.
I found that Azure does not support instance profiles like AWS.
If you bind a role to an instance on AWS, the AWS system will generate a temporary API access token and write it to the metadata server.
The AWS SDK will automatically fetch the access token from the metadata server, so a service that uses the AWS SDK does not need to configure the SDK's access token.
But Azure's IAM, SAS (shared access signature) and metadata server do not support a mechanism like the above.

Web Role in Azure Cloud service access permission and persistent storage?

Just deployed a boilerplate Web Role in Azure Cloud service. Upon launching, it seems the default current dir is "d:\windows\system32\inetsrv" and home is "F:\sitesroot\0"
It seems I have limited write permissions, no delete permissions.
2 questions:
How much storage is there on this server under F:\sitesroot? Is it persistent?
How do I control the default permission/access of a web role?
You should be reading/writing to a LocalStorage resource. When you define a LocalStorage resource a folder is configured on the C: drive with appropriate size and permissions setup.
There is no persistent local storage for WebRoles. If you need something persistent then you should use Azure storage (blobs/tables) or something else like SQL Azure.
See http://msdn.microsoft.com/en-us/library/ee758708.aspx for more information, and http://convective.wordpress.com/2009/05/09/local-storage-on-windows-azure/ for sample code.

Is there any way to add a user space to an Azure account?

I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create a separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No, that is not possible.
The Co-Admins have complete control for the services in the account (non billing) as a whole and all the Services (Storage, Virtual Machine, Websites etc) are equally accessible to every administrator and co-administrator.

Active Directory Domain Controller on Azure - Reverse setup

I'm looking to set up AD for our company. We have developed a cloud based app that needs robust permissions abilities, which AD easily can handle. The app is based out of Heroku, which runs on AWS. I really need AD to manage logins and organizational hierarchy.
I'd like to use a cloud based service to act as the primary Domain controller and, in the future, set up on-premise servers to provide local authentication to manage file/print and computer services. This is a secondary need to the authentication needs for our app.
Does anyone know if this architecture is possible? That is, an AD DC in Azure with replicated services to other on-premise servers, at a later time? This seems to be the reverse of most setups in Azure. I'm ok with using other cloud services than Azure. It just seems they have the most documentation for cloud AD setups.
Any thoughts or help would be greatly appreciated.
Thanks,
AT
Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Install a new Active Directory forest in Windows Azure
In order to fully validate your scenario, how do you plan to join the Heroku computers to your domain controller? Because joining the server where your application runs would make total sense of what you are trying to achieve.
If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure.
If you plan to just query the AD for organizational structure, I highly suggest that you take a look at the Windows Azure Active Directory and its Graph API. This is what you need in case you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller.
UPDATE
Please update your question with a better description of "simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it". I am afraid I can't really understand the application architecture and user login flow here.
