Is there a way to securely access an on-prem SQL Server from an App Service?
The IT guys are nervous about an App Service that needs access to our on-premises database.
I am not a networking guy, and am trying to come up with a solution.
The only thing I have thought of is creating a new database (CDS_API). The App Service is then given a connection string to this database. This database would then have access to the primary database (CDS).
If the AppService has only execute permissions to CDS_API, this seems secure to me. Am I missing something?
Is there a better way to do this?
The simple solution is to use an App Service Hybrid Connection.
Hybrid Connections can be used to access application resources in any network that can make outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This enables your apps to access resources on any OS, provided it is a TCP endpoint. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It simply provides network access.
Alternatively, you can integrate your app with an Azure virtual network which is connected securely to your on-prem networks either with a Site-to-Site VPN or over ExpressRoute.
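The point of the answer above is that a Hybrid Connection exposes exactly one on-prem host:port to the app, with only outbound TCP 443 from the corporate network. The script below is an added example (not from the original answer or from Microsoft) that provisions such a connection with the Azure CLI; it assumes `az` is installed and logged in, that the Hybrid Connection Manager will be installed on an on-prem host that can reach the SQL Server, and all resource names and the SQL host/port are placeholders.

```shell
#!/bin/sh
# Added example: provision an App Service Hybrid Connection scoped to exactly
# one on-prem SQL host:port. RG, NS, HC, APP, LOCATION and the host/port
# passed to "deploy" are placeholders, not values from the original page.
set -eu

RG="${RG:-rg-cds-app}"             # resource group holding the app and the relay
NS="${NS:-relay-cds}"              # Azure Relay namespace
HC="${HC:-hc-cds-sql}"             # Hybrid Connection (relay entity) name
APP="${APP:-cds-api-app}"          # App Service web app name
LOCATION="${LOCATION:-westeurope}"

# Accept only a plain TCP port number in 1..65535; anything else is rejected
# before it can reach the relay configuration.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# App Service stores the target of a Hybrid Connection in the relay entity's
# userMetadata as a single "endpoint" key of the form host:port.
endpoint_metadata() {
  valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
  printf '[{"key":"endpoint","value":"%s:%s"}]' "$1" "$2"
}

deploy() {
  host="$1"; port="$2"
  meta="$(endpoint_metadata "$host" "$port")"
  az relay namespace create -g "$RG" -n "$NS" -l "$LOCATION" >/dev/null
  # One relay entity per host:port. The on-prem Hybrid Connection Manager
  # only opens outbound TCP 443 to Azure, so no inbound firewall rule is needed.
  az relay hyco create -g "$RG" --namespace-name "$NS" -n "$HC" \
    --requires-client-authorization true --user-metadata "$meta" >/dev/null
  # Bind the relay entity to the app: the app can now reach host:port and nothing else.
  az webapp hybrid-connection add -g "$RG" -n "$APP" \
    --namespace "$NS" --hybrid-connection "$HC" >/dev/null
  # Review what the app is actually allowed to reach.
  az webapp hybrid-connection list -g "$RG" -n "$APP" -o table
}

# Usage: ./hc.sh deploy sqlhost.corp.local 1433
if [ "${1:-}" = "deploy" ]; then
  deploy "$2" "$3"
fi
```

After running it, install the Hybrid Connection Manager on an on-prem host that can reach the SQL Server and add the new connection there; the app's connection string then points at the same host:port.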
Related
I am trying to make a web page that is going to make an API call to query data in our existing remote SQL Server. When I am testing it now, my code can access the database using Windows authentication, but when I deploy this web page on Azure, will my code still be able to access the remote SQL Server using Windows authentication? If not, what do I need to do in order for my web page to query the data in the existing remote SQL Server?
Hybrid Connections is both a service in Azure and a feature in Azure App Service. As a service, it has uses and capabilities beyond those that are used in App Service. To learn more about Hybrid Connections and their usage outside App Service, see Azure Relay Hybrid Connections.
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It is simply providing network access.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
We've been experimenting with hosting our ASP.NET + SQL Server application in Azure. We've tried two ways so far:
1. App Service for ASP.NET, VM for SQL Server, both in the same data centre, so I imagine a LAN connection is possible, but currently the connection string lists the public IP
2. A single VM for both IIS ASP.NET and SQL Server (an interim solution; we will eventually move SQL behind a firewall)
We'd prefer the first option because of costs and manageability. But it seems slower (I guess because of the public IP in the connection string).
Question
Can the App Service - SQL connection be LAN rather than WAN/internet? Are there any specific tricks during setup to achieve this?
What I've tried
The SQL VM is in a VNet. I've tried adding the App Service into the VNet (based on the guess that it'll then be able to see the SQL VM's internal IP), but the existing VNet is not selectable in the App Service's VNet configuration options.
Can the App Service - SQL connection be LAN rather than WAN/internet?
According to your description, maybe we can use a VPN to integrate your app with an Azure Virtual Network.
When we want to select one VNet for an Azure App Service, we should set up a point-to-site VPN with a Dynamic routing gateway.
Getting started
Here are some things to keep in mind before connecting your web app to a virtual network:
• VNet Integration only works with apps in a Standard, Premium, or Isolated pricing plan. If you enable the feature, and then scale your App Service Plan to an unsupported pricing plan, your apps lose their connections to the VNets they are using.
• If your target virtual network already exists, it must have point-to-site VPN enabled with a Dynamic routing gateway before it can be connected to an app. If your gateway is configured with Static routing, you cannot enable point-to-site Virtual Private Network (VPN).
• The VNet must be in the same subscription as your App Service Plan (ASP).
• The apps that integrate with a VNet use the DNS that is specified for that VNet.
• By default your integrating apps only route traffic into your VNet based on the routes that are defined in your VNet.
For more information about integrating an app with an Azure virtual network, please refer to this link.
My goal is to run an Azure web site that accesses data from our local company database.
I followed a tutorial on the web to set up an Azure virtual network and connect it via site-to-site VPN to our local company network. In the Azure portal I can see that the connection is actually working and that data is received and transmitted.
What do I have to do to make the Azure web site connect to the database? Is it enough to enter a connection string in the web config?
Is it meant to work this way, or is the site-to-site VPN only set up to access Azure virtual machines from the company network?
Let me know if I should provide more details on the connection overall.
Thanks for your help in advance.
Best regards,
Frank.
Azure Web Sites do not support the Azure Virtual Network (as of 8/22/2013);
http://www.windowsazure.com/en-us/manage/services/web-sites/choose-web-app-service/
You will need to create a cloud service deployment instead if you would like to use Virtual Network and access the on-premises database. Once that is done and your firewall is properly configured, it is like you say just a connection string.
I am currently looking into connecting Azure Web Sites to an on-prem SQL database using the Azure Service Bus:
http://www.bradygaster.com/post/windowsazurewebsites-onprem-servicebus
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-dotnet-hybrid-app-using-service-bus-relay/
Currently an application is connected to a database server on the same LAN and performs selects and inserts.
The database will be moved to a remote location accessible over the internet. Performance degradation will be addressed by reducing the number of operations to the DB. It is not possible to use a VPN or to configure access-in rules based on client IP on the firewall of the network where the database server will be moved. So it seems to me it is necessary to create a database front end in order to protect it. I suppose one way to achieve this goal is to create a web service.
Are there easier alternatives?
I'm new to web services: it should run on a Glassfish server while the client would be a C# application.
I read a bit about securing a web service but I'm confused.
One method I found on the internet is to use Glassfish's built-in authentication mechanism and configure web.xml, limiting access to the web service URL to a group of users.
It seems an easy approach; are there any drawbacks?
Is it easy to use this type of authentication in the C# client?
Other existing web services want a key parameter in the request. This key is then compared with valid ones and, if the check is successful, the request is accepted.
Is this approach more secure than the previous one?
Another alternative is to use WSIT, but at first glance it seems over-complicated and all the security mechanisms need a server certificate.
Anyway it looks more secure; does it fit well with JAX-RS and RESTful web services?
You can use an L2TP or PPTP VPN in this case.
Let me first show you the network topology.
Client (accessing the firewall with L2TP or PPTP) -----> Firewall (L2TP or PPTP VPN server) ---> Firewall LAN where your server is placed.
In the above case all clients come in through the VPN, so it's secure, and on the firewall you have to configure a VPN-to-LAN rule with a client-based rule.
I am trying to secure online transactions between the application server and the database. One way is SSL, but is there any other way of securing transactions between them? I am trying to reduce the overhead in securing the line. Are there any tools or APIs which I can integrate with the application server or deploy on it?
/SR
Sure, but it requires a thoughtful review of your architecture. If you have a dedicated line between your application and your database, the connection could be encrypted at the network layer.
I'm a bit surprised that your application server and your database are not within the same trust boundary. Is this an app in the cloud?
SSL is by far the best way; it's extremely secure and absolutely free. If your database or another application doesn't support SSL then you can use a free SSL VPN such as OpenVPN. This will create a secure transport layer connection between 2 machines.
If you are connecting to a database on the local machine then there is no point in a secure transport layer connection. However you should firewall off the database port; for instance MySQL uses TCP 3306.