This is the first time I've published a web app on Azure. I have a SQL Server database on Amazon AWS that I'm connecting to. I need to set the security group to allow the Azure Web App to connect. How do I get the IP address of the Azure web app?
From what I understand about Azure, the web apps have a rotating IP address because they're on shared servers. What can I tell the security group to allow?
Check this Azure Outbound Address
There can be only 4 IPs your web app can have. Add 4 rules to your SG, one for each IP. It is much safer than allowing a larger CIDR block.
As MS updated their portal, So it would look like the attached screen shot.
Related
I am developing a .Net Core REST API for an Android app which is written in Dart/Flutter, both .Net Core and android app are connected to the same local network, right now I am sending requests to server by using it's IP address, however I want to make it easy for end users to use the app since they have limited knowledge of configuring stuff.
How can I link a local domain to the server or at least use server name instead of ip address for sending requests, in that case it would have saved me a lot of time and hassle with end users.
Do I need a DNS server for this and is it easy to implement this functionality?
According to your description, you should set up a DNS server in your local network. If you want to access the app by using domain, you should make sure the android app is also inside that local network.
A DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and in most cases serves to resolve, or translate, those names to IP addresses as requested.
More details about how to set up a DNS server and configure a DNS server , you could refer to below article: https://support.microsoft.com/en-us/help/814591/how-to-install-and-configure-dns-server-in-windows-server-2003
I have a Web App (Azure App Service) and I have an Azure SQL Database that this Web App talks to. I have two questions regarding communication between the two.
When connecting from the Web App to the Database (using the connection string), does the communication go out to the internet and then back into Azure or does Azure know to keep the traffic locally in Azure?
I have been looking into V-Net Service Endpoints as a possible way to improve speed of communication between the two. It is said that when connecting from a VM on V-Net with Service Endpoints enabled to a SQL Database, that Azure knows to keep the traffic internal to the Azure network and not go out to the internet, is this the same for Azure App Services?
Is it possible to keep traffic between an App Service and SQL Database internal to Azure? If so, how do I go about doing this? Any guidance on this is greatly appreciated.
It knows to keep it local on the "Azure backbone" (as per Azure doco). It doesn't go out to the public internet
Yes
Yes. It is already internal to the "Azure Backbone"
Having said that.... networks are really complicated.
As I understand it the main benefit of V-Net is that you can define your own network and add things to it like firewalls, security groups, subnets, peering between networks. Also it helps when setting up a hybrid network - i.e. connecting Azure resources to an on-premises network. When you can set up the same kind of structures as on premise, it's easier to 'transparently' make it part of the on-premises network. Lastly (rereading the doco), you can remove any incoming public IP firewall rules. These are "Azure backbone" IP addresses but they are also "public internet" addresses
There may be a performance improvement if the App Service and Azure SQL are on the same V-Net.
Azure SQL service endpoints are a bit mysterious. They "connect" to the VNET but you still need to connect to a public address. They don't actually take a up a local IP adress.
Depending on what you are really doing, you might want to look into private endpoint, which actually assigns a private IP to your Azure SQL.
Yes, communication between Azure App Service and Azure SQL Database is "local" within the Azure Virtual Network and does not go out to the public internet.
The problem I have is that we're trying to use our WebApp in Microsoft Azure to connect to an external SQL-database (not our own) through a VPN. The SQL-database is only allowing connections from our local IP-addresses that we put up as a Network (for example 176.0.0.0/24).
We are now connected to the same virtual private network, and through our Azure-VM we can now connect to the SQL-Server through SQL Server Management Studio.
Now we want to do the same with a WebApp, but we're not getting through to the server. It gets "Not authenticated" before reaching the SQL-Server (probably the server isn't accepting our IP from the WebApp).
The different problems I have tried to look through is:
Do we only try to connect through our Outbound IPs?
Is the WebApp not connected to the VPN?
I have unfortunatley not found any real answers, and neither any solutions to my problem. If you have any ideas of how to solve our problem, or maybe know how I could tunnel all of the SQL-calls through the VM, the help would be very much appreciated!
Hybrid connection is one option. What you can also do is enable point-to-site in your VPN. Once you do that, you can directly integrate your web app to the vnet and your connections will work. (Go to your web app -> Settings -> Networking -> VNet Integration)
If your Vnet is V1(older way of creating VNs) then enabling point to site is very straightforward. You can do it through portal. For V2 Vnets you have to do it through powershell commands.
Here is a link for the documentation which explains both the options.
https://azure.microsoft.com/en-in/documentation/articles/web-sites-integrate-with-vnet/
There's a way to "tunnel all of the SQL-calls through the VM". You may want to use hybrid connections (cf https://azure.microsoft.com/en-us/documentation/articles/integration-hybrid-connection-overview/).
The principle is to have an agent installed on the VM that can access the database with the correct IP address.
Suppose you can access the SQL DB as mysqldbsrv from the VM. You add an hybrid connection associated to your web app, you install the agent on the VM. Then, when you connect to mysqldbsrv from the Web App, you go through the VM.
If I want to self host WCF in a Windows Azure Website by spinning up my own ServiceHost can I host end points on 8080 or any other port I want to? Is there any specific usable range of ports I have access to or is port access entirely blocked?
Edit: for absolute clarification this question is NOT about web or worker roles and is only about Azure Websites
This blog post is slightly out dated now as Windows Azure Websites have more features now (like staging and production slots, WebJobs, etc) but the part regarding ports is still true for Azure Websites.
When to use Cloud Services [...] Windows Azure Websites is all IIS, the web server provides the entire platform, there is no room for long running processes or threads that can sit and wait for communication on another port outside of IIS
http://blogs.msdn.com/b/cdndevs/archive/2013/11/21/windows-azure-websites-vs-cloud-services.aspx
Note that now you can have a long running process using webjobs that does back-end work, but you can't listen on anything other than 80
No, WAMS won't let you open ports. If you need that, you should host in a Web Role (Cloud services). Then you can configure your endpoints through windows azure management portal.
Here is my farm configuration (1 app server, 1 web front end and 1 backend db server). I just looked at the IIS logs on App server and WFE and learned all the web traffic is going to APP server and not to the WFE server.
How do I make sure all the traffic needs to hit the WFE?
Some questions you need to answer:
What URL are you using to reach your Sharepoint site?
Does the DNS for the URL point to the WFE?
Are your Alternate Access Mappings configured correctly?