I am trying to make a web page that is going to make an API call to query data in our existing remote SQL Server. When I am testing it now, my code can access the database using windows authentication, but when I deploy this web page on Azure, will my code be able to still access the remote SQL Server using windows authentication? If not, what do I need to do in order for my web page to query the data in the existing remote SQL Server?
Hybrid Connections is both a service in Azure and a feature in Azure App Service. As a service, it has uses and capabilities beyond those that are used in App Service. To learn more about Hybrid Connections and their usage outside App Service, see Azure Relay Hybrid Connections.
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It is simply providing network access.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Related
We have a WinForms desktop app that connects to a remote server to pull some data. The remote server hosts a web service on a standard IIS website that queries a SQL Server database installed on the same machine. Today, if the remote server is under maintenance or not available our end-user cannot retrieve the necessary data.
Now I am requested to make this feature fault-tolerant. Here are my questions:
Should I ask for another remote server that runs the same web service and move the DB to a third remote server? So the two web services can connect to the same DB?
Should I consider moving the web service logic to the WinForms desktop app and connect directly to a remote DB paying a first-class 99.99% availability service?
Do AWS or Azure provide a ready-to-use solution that fulfills my requirements?
Is there any other option I didn't consider?
Is there a way to securely access a on-prem Sql Server, from an AppService?
The IT guys are nervious about letting an App Service which needs access to our on-premise database.
I am not a networking guy, and am trying to come up with a solution.
The only thing I have thought of is creating a new database (CDS_API). The AppService is then given a connection string to this database. This database would then have access to the primary database (CDS).
If the AppService has only execute permissions to CDS_API, this seems secure to me. Am I missing something?
Is there a better way to do this?
The simple solution is to use an App Service Hybrid Connection
Hybrid Connections can be used to access application resources in any
network that can make outbound calls to Azure over port 443. Hybrid
Connections provides access from your app to a TCP endpoint and does
not enable a new way to access your app. As used in App Service, each
Hybrid Connection correlates to a single TCP host and port
combination. This enables your apps to access resources on any OS,
provided it is a TCP endpoint. The Hybrid Connections feature does not
know or care what the application protocol is, or what you are
accessing. It simply provides network access.
Alternatively, you can Integrate your app with an Azure virtual network which is connected securely to your on-prem networks either with a Site-to-Site VPN or over ExpressRoute.
We've been experimenting with hosting our ASP.NET + SQL Server application in Azure. We've tried two ways so far:
App Service for ASP.NET, VM for SQL Server, both in the same data-centre, so I imagine a LAN connection is possible, but currently the connection string lists the public IP
A single VM for both IIS ASP.NET and SQL Server (an interim solution - we will eventually move SQL behind a firewall)
We'd prefer the first option because of costs and manageability. But it seems slower (I guess because of the public IP in the connection string).
Question
Can the App Service - SQL connection be LAN rather than WAN/internet? Are there any specific tricks during setup to achieve this?
What I've tried
The SQL VM is in a VNet. I've tried adding the App Service into the VNet (based on the guess that it'll then be able to see the SQL VM's internal IP), but the existing VNet is not selectable in the App Service's VNet configuration options.
Can the App Service - SQL connection be LAN rather than WAN/internet?
According to your description, maybe we can use VPN to integrate your app with an Azure Virtual Network.
When we want to select one Vnet for Azure app service, we should setup a point-to-site VPN with a Dynamic routing gateway.
Getting started
Here are some things to keep in mind before connecting your web app to
a virtual network:
•VNet Integration only works with apps in a
Standard, Premium, or Isolated pricing plan. If you enable the
feature, and then scale your App Service Plan to an unsupported
pricing plan your apps lose their connections to the VNets they are
using.
•If your target virtual network already exists, it must have
point-to-site VPN enabled with a Dynamic routing gateway before it can
be connected to an app. If your gateway is configured with Static
routing, you cannot enable point-to-site Virtual Private Network
(VPN).
•The VNet must be in the same subscription as your App Service
Plan(ASP).
•The apps that integrate with a VNet use the DNS that is
specified for that VNet.
•By default your integrating apps only route
traffic into your VNet based on the routes that are defined in your
VNet.
More information about integrate App with an Azure virtual network, please refer to this link.
I have hosted a webapp in azure cloud.
My MS sql database is in rackspace which only allows a selected ip to access.
I can add more IPs to allow access to the rackspace database.
Which IP address of the Azure webapp should I add in rackspace?
Is it the customDomain's IP address or something else.
There isn't just one - check out this doc - basically Azure Web Apps run in a server farm that's managed by Microsoft. Unless you use an ASE (app service environment) you can't change this. There are a couple of ways you can do what you're trying to do - either
1 - connect over the internet by opening up the ports on your rackspace VM - this will work, but opens you up to the possibility of a network layer attack from any app that someone hosts in Azure. (so you're relying on authentication rather than network level protection).
2 - use a hybrid connection - this is an app service feature that allows you to download a gateway exe app that runs in your VM in rackspace, and then connects to the app service and creates a secure tunnel to it. Hence, its outbound from your rackspace DC, you don't need to change firewall settings. You can read about it and download the app from the azure portal (in app services). You then configure the connection in your azure web app just as if the rackspace VM was on the same network. (eg. you can use "localhost" if the gateway exe is running on the sql server). This is the approach I'd recommend if you can't move your SQL estate to Azure SQL and hence locate it alongside your web apps.
Is it possible to have a WCF service that is running on Windows Azure communicate with a local / on-premises SQL Server database?
Alternative options we're considering are:
Push the 4 SQL Server databases that the WCF service needs to gather and process data from up to a Azure VM
Create 4 SQL Azure "clones" of the local / on-prem SQL Server databases and use the data sync feature to keep the Azure clones in sync with the local data.
Ideally, we'd like to be able to expose the on-premises database (via the VPN) to the service and hit each of the databases directly.
Yes, you can make outbound connections from any Azure hosted service, whether running in web sites, cloud services or virtual machines. If you need traffic going through a VPN, you'll need to use cloud services or virtual machines, since web sites can't be added to a virtual network.
Actually, an easier solution would be to host your WCF service internally and expose the service via an Azure Service Bus Relay. The service bus relay supports multiple authentication types for securing the service and no VPN is required. There is a good walk-thru here - .NET On-Premises/Cloud Hybrid Application Using Service Bus Relay. We have successfully used this technique to expose several services to third-party vendors.
you can set up Site-to-site VPN as shown in this resource - Step-By-Step: Create a Site-to-Site VPN between your network and Azure
I would think of SQL Data Sync for scheduler times and that too for small amounts of data (at least not in millions)