1

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.

The third-party provider wants to migrate towards better security and they have asked us to either

  1. Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.

  2. Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.

  3. Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.

Any ideas?

  • Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
  • Can we somehow provide them with static IPs for incoming queries?
  • Any other solution that is scalable?

Thanks

georgiosd
  • 3,038
  • 3
  • 39
  • 51

2 Answers2

1

If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.

Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx

There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.

sebastus
  • 350
  • 1
  • 7
  • Thanks Greg. Does that mean they can host the Azure AppFabric Service Bus anywhere on their network and not necessarily on the server that runs the service? – georgiosd Aug 24 '11 at 10:57
  • Service Bus is hosted in Windows Azure. The proxy app is the bit that you need create and put in your 3rd party's datacenter somewhere. This proxy app would be responsible for publishing existence of the 3rd party's service within the Service Bus, authenticating requests, and funneling requests to/from it from invocations that come through the Service Bus. – sebastus Aug 24 '11 at 20:52
  • Thanks again Greg - if you have any specific resources on how to set the Service Bus up such that it is hosted on Server A within the 3rd party's data center but redirects requests to Server B within the 3rd party data center, please share them - I'd be grateful. – georgiosd Aug 25 '11 at 11:56
0

IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.

Then, using a server outside the cloud is a poor idea indeed. Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface.

Windows Azure does not provide anything that look like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months.

Joannes Vermorel
  • 8,976
  • 12
  • 64
  • 104
  • While I agree with what you wrote, staying with HTTPS is not an option they are giving us so we'll have to find an alternative. – georgiosd Aug 19 '11 at 16:37
  • Then, VPN it is. It made our lives miserable at Lokad.com more than once :-) Let's hope it will be easier in your case. – Joannes Vermorel Aug 21 '11 at 09:03
  • Thanks for the follow-up but, how do you imagine the VPN happening in this case? :S Is it possible for the Azure Client to run on a different machine on their side than the actual server that handles the requests? Or are you talking about the tunnel? – georgiosd Aug 22 '11 at 00:00
  • I'd say that HTTP requests using 2-way-SSL are as safe as a VPN. Azure already (2019) support static IP addresses. – Guido Feb 10 '19 at 20:39