I am developing a web app that is not doing anything fancy. The parent company wants to use a cloud based IIS service to support the web app and then submit the information to the client's local SQL servers through the internet and the client's firewalls.
Traffic isn't that much of an issue, we are talking about probably no more than 10 submissions daily per client. My question is with regard to connecting to the client's SQL servers and running the Stored Proc on each server.
We already have admin privileges on the firewalls and servers to do what we need to do to make anything happen.
What would be my best/reliable/secure method to implement this service?
Page asks for 10 items of info then submits to Stored Proc, that's it... with a local IIS server there is no problem, works nice. I want to make sure that the information stays secured, not just for the 10 items, but the SQL server and any security between it and the IIS server.
Any recommendations?
I would recommend setting up a VPN tunnel between the remote IIS server and the in-house SQL server. With a VPN tunnel, the SQL server is just like any other server on the network to the app.
Related
I have a requirement where I need to host an FTP server along with a website that is hosted on Azure Web Sites. We host separate instances of this app for our clients - and it needs an separate FTP server per instance
The solution that I'm trying currently is using the FubarDev.FtpServer. My plan was to host that FTP service in a web job.
Launching the FTP server seems ok. The Web Job prints out a line to web job console after the server is started, status is of the web job is running and no exceptions are output.
Now, trying to connect to the FTP fails. I suspect the reason is that the port 21 is not open on the firewall that protects azure websites and no traffic on that port is forwarded. Is there any way around this?
Connecting from the Website it self to the FTP server hosted in the job gives the following errors:
When connecting to 127.0.0.1
An attempt was made to access a socket in a way forbidden by its
access permissions 127.0.0.1:21
When connecting using the websitename.azurewebsite.net on port 21 (from the website itself, that is hosting the FTP inside the webjob)
A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection
failed because connected host has failed to respond xx.xx.xx.xx:21
I would like to stick to the Azure Web Apps as much as possible to avoid having to manage VMs
Any help would be greatly appreciated! I'm also open to the potential alternative approaches to this problem.
Azure Web Apps only support incoming traffic on ports 80 and 443. You will not be able to host ftp servers via web apps (aside from the built-in ftp server). You'd need to place the ftp server either in a VM or web/worker role (cloud service).
I am trying lock down a virtual machine that acts as an app server for a web application. I have a two VM's: One for the app server and another one running the web server. I have to open a ton of ports to allow the web server talk to some wcf services, but I only want to allow those connections from the web server and no one outside of that network. I have to add endpoints in order for the web server to access the wcf services, but this also makes them accesible to the public IP. How can I only allow this traffic on the
For Virtual Machines, the only way of accessing ports from outside the hosted service is by defining input endpoints (with or without load-balancing across a set of machines). In your case, you'd just open, say, 80 and 443, specifically for your web server (e.g. not load-balanced). This is considered a port-forwarded endpoint since traffic on these two ports get forwarded directly to your web server. For more clarity around port-forwarded endpoints, I suggest Michael Washam's blog post, here.
At this point, you'd open various other ports on your app server (through its firewall config), and now your web server can talk to the app server, yet the outside world won't be able to reach the app server. Note: I'm assuming you placed your web server and app server in the same hosted service. Otherwise, you'd need to find a different way to connect between web and app servers, such as configuring a Virtual Network.
EDIT 6/5/2013 You can now enable ACLs on input endpoints, allowing (or blocking) IP ranges. Today ACLs may only be managed through PowerShell, with the June 2013 update. See this post to learn more.
Machines that exist on the same virtual network will be able to talk to each other as long as the local firewall has been opened to those ports. This problem was with my configuration in my application and not because of this. I also didn't have the correct ports open. Now it works like a charm.
We are looking to replace our normal Win2008 R2 IIS server with a Azure Cloud based solution. Our Current use scenario is something like this:
Server A
Hosts 7 Websites.
All Websites are Managed and Maintained with Visual Studio 2010. They are Web Projects, not Web Services. Each of the Sites has unique domain names. www.comanyA.com, www.companyB.com Intranet.companyB.com, etc. There are three sites that are SSL enabled and have Verisign Certificates.
The Sites consist of many asp, aspx and image files. We also create file content on demand (Excel Exports) that users can then click to download. We also make a Connection to a SQL Server for Back-end Data. We would need a Secure Connection to a SQL Azure DB and or an On-Premiss SQL Database (depending on when we move our SQL to SQL Azure).
I Would also need the same Security Permissions setup so all the users have the same permissions that they do for the Existing IIS Server. So I'd like Active Directly Integration.
I'd really rather not have a VM Image that is just running in the cloud. I don't want to have to maintain the OS level of stuff, (Updates, etc)
Is this something that Azure Compute can do for me?
Thanks!
This is not actually a single question. The only real question here that I see is
"Is this something that Azure Compute can do for me?"
And answer is - depends :) To very high degree, Azure compute might and will help you!
To solve challenge #1 (Multiple Websites / no ssl) - the easieast. Check this and that blog posts.
Challenge #2 (Connecting to SQL Azure / On-Premise SQL Server) - second easiest. SQL Azure still supports only SQL Server Authentication and it requires encrypted connection. As for connecting to On-Premise SQL Server, you can use Windows Azure Connect (and here). You can even domain-join your compute instances in the cloud.
Challenge #3 (Active Directory integration) - part of it described in Challenge #2 - domain join your roles! But you could also review the Windows Azure Access Control Service and its ADFS integration.
Challenge #4 (Multiple SSL Enabled sites behind same endpoint). Well, this is the trickiest! In Windows Azure everything lives behind a load balancer. So, you could generally define only one standard HTTPS (on port 443) endpoint. And that's it. Although, you could now have separate SSL certificate for each different SSL enabled site, this is not possible in Windows Azure. For this to work in Windows Azure, you need a Subject Alternative Name certificate (here, here and here are just some examples).
Hope that this helps!
Can I host an application in Windows Azure and have the database stored on different server? For example I want to keep my data on a server where I dont have to worry about privicy issues. And if this is possible does it remove the value of having an application hosted in the cloud?
thanks
You mean hosting your application on Windows Azure and then hosting the database on your own servers? This is totally possible, but you'd have to publicly expose your database. You could host your database on SQL Azure and that would be a 'separate server' from your Windows Azure host. With SQL Azure, you can set up a firewall rule to allow only your application to access your database.
If you were to host your database on your own servers, I don't think that it would completely diminish the value of hosting your application on the cloud as your app tier at least would still be hosted "in the cloud". Though, you could also run into performance issues in this scenario as SQL is a little slow to access over the internet using TCP.
You can host on premise and use a secure VPN as part of Azure now. This can be done using Azure network in the latest release.
Can setup an Azure site to site VPN and get access to your private data centre that way.
I'm working with a client to plan the topology for a public facing SharePoint internet site.
The SharePoint installation will live in the client's DMZ and the plan is to use an existing SQL Server machine to host the SharePoint databases.
The problem is that there is no domain in the DMZ - and the client doesn't want to create one without going through the proper planning process.
As far as I understand, there is no way to configure a multi-server SharePoint farm without using a Domain Account to initially connect SharePoint Central Administration to SQL.
I'm pretty sure (and have tried this) that you can't use SQL Server authentication to connect the farm to SQL Server when first provisioning Central Administration using the Productions and Technologies Wizard.
My other option is a single server install, acknowledging that this limits our future growth if we ever need to add another WFE.
Thank you
No. Mostly.
It is possible because it works this way here in the company I work.
We basically have an user account with the same name on the 2 servers (web front end server and SQL database server). This account has access to the database.