Azure Infrastructure – Connecting On-Premise Network to Azure

One of the challenges of Organizations migrating On-Premise resources to Azure is Security. 

  • How to transfer data securely over the Internet?
  • What are the Alternatives?

VPN Gateway

A Virtual Private Network (VPN) is a private interconnection that uses an encrypted tunnel to communicate between 2 private networks.  The untrusted Internet problem is resolved by encrypting the communications.

VPN Gateway is a specific type of Virtual Network Gateway which allows Site-to-Site, Point-to-Site and Network-to-Network connections.

  • Site-to-Site connections allow an On-Premise datacenter to connect to Azure Virtual Networks.
  • Point-to-Site connections allow User Devices to connect to Azure Virtual Networks.
  • Network-to-Network connections allow an Azure Virtual Network to connect to other Azure Virtual Networks.

ExpressRoute

Azure ExpressRoute provides secured, dedicated, high-bandwidth connections between your On-Premises network and Azure.  It bypasses the Internet and hence is more secure.

Following are the Features of ExpressRoute:

  • Layer-3 Connectivity
  • Faster Access due to Peering of Networks
  • More Security
  • Higher Bandwidth
  • Bypasses Public Internet
  • Available in all Locations
  • Office365 Connectivity through Microsoft Peering

Following are the Drawbacks of ExpressRoute:

  • An ExpressRoute Circuit, which is a Physical Connection, needs to be created through an Internet Provider
  • Cost is higher

A few ExpressRoute providers are listed below:

(image: list of ExpressRoute providers)

Virtual Network Gateway

A Virtual Network Gateway is required to connect 2 Networks, either as:

  • VPN
  • ExpressRoute

When to choose VPN Gateway?

  • Low Bandwidth requirements
  • Point-to-Site scenarios
  • Occasional Connectivity
  • Moderate Data Security

When to choose ExpressRoute?

  • Dedicated Connection Required
  • High Security for Data
  • Faster & Continuous Access

References

https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-vpn-gateway/2-connect-on-premises-networks-to-azure-using-site-to-site-vpn-gateways

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#a-namep2sapoint-to-site-vpn-over-sstp

Event Hub vs Event Grid vs Service Bus

In this post we can see the different use cases of:

  • Event Hub
  • Event Grid
  • Service Bus

Service       Purpose               Type                           Use Case
Event Hub     Big Data Handling     Event Distribution (Discrete)  Telemetry Data (e.g. Application Insights, Logs)
Event Grid    Reactive Programming  Event Streaming (Series)       Status Change Reaction (e.g. Approval, Rejection)
Service Bus   Enterprise Messaging  Messaging                      Order Processing & Financial Transactions

Example

In the Microsoft example below, Event Hub captures the Big Data and passes it to Azure Storage.

An event is sent to Event Grid, which processes the Metadata.

An Azure Function performs the data migration to SQL Data Warehouse.

Tutorial: Migrate event data to SQL Data Warehouse - Azure Event ...

Computer Vision API–Testing SRK Photo

Computer Vision API provides ready-made algorithms for processing images – it can classify a picture as an object, an animal etc.  It can also match a picture against Celebrities – all through the machine learning infrastructure of Azure under the hood.

Azure Service

For testing this you need to create the Computer Vision service from Azure > Marketplace.

Choose the S1 tier, as most of the capabilities reside there.

Console Application in C#

Create a Console Application in C# and add the NuGet package shown in the screenshot (the code below uses the Microsoft.Azure.CognitiveServices.Vision.ComputerVision namespace).

SRK

As a test I am going to upload the above SRK picture & let the Computer Vision API identify him.

Output

The API successfully identifies SRK!

The Code

using Microsoft.Azure.CognitiveServices.Vision.ComputerVision;
using Microsoft.Azure.CognitiveServices.Vision.ComputerVision.Models;
using Microsoft.Rest;
using System;
using System.IO;
using System.Net.Http;

namespace ComputerVisionAPI
{
    class Program
    {
        static void Main(string[] args)
        {
            // Features to request from the service: tags plus a natural-language description
            var features = new VisualFeatureTypes[] { VisualFeatureTypes.Tags, VisualFeatureTypes.Description };

            // Replace "YOUR KEY" with the key from the Computer Vision resource (keep it out of
            // source control, e.g. read it from an environment variable or app settings).
            ComputerVisionClient computerVisionClient = new ComputerVisionClient(
                new ApiKeyServiceClientCredentials("YOUR KEY"),
                new DelegatingHandler[] { })
            {
                // Endpoint of your Computer Vision resource, shown in the Azure Portal
                Endpoint = "https://URL.cognitiveservices.azure.com/"
            };

            // Stream the local image to the service and wait for the analysis result
            using (var fs = new FileStream(@"C:\temp\ShahrukhKhan.png", FileMode.Open))
            {
                ImageAnalysis result = computerVisionClient.AnalyzeImageInStreamAsync(fs, features).Result;

                Console.WriteLine("TAGS >> ");
                foreach (string tag in result.Description.Tags)
                    Console.Write($" {tag} ");

                Console.WriteLine(Environment.NewLine + Environment.NewLine + "CAPTION >>");
                foreach (ImageCaption caption in result.Description.Captions)
                    Console.WriteLine($"{caption.Text} - Confidence: {caption.Confidence} ");
            }
        }
    }
}

References

https://azure.microsoft.com/en-us/services/cognitive-services/computer-vision/#product-overview

Create an Angular App & Protect with Azure Easy Auth

In this post we can explore how to create an Angular App and protect it with Azure Authentication (Easy Auth) without writing a single line of code or making any configuration changes.

Create Angular App

  1. Install Node.js from https://nodejs.org/en/download/
  2. Open a Command Prompt
  3. Run the command npm install -g @angular/cli
  4. Create the project: ng new AngularAAD
  5. Go inside the folder & run the command ng serve
  6. Open the website http://localhost:4200

Publish to Azure

  1. Open Azure Portal
  2. Create new App Service
  3. Publish the Source
  4. Ensure the Application is accessible through its URL

For Detailed Steps use this LINK

Azure AD – Easy Auth Protection

Go to App Service > Authentication Tab

Choose the following options.

(image: authentication options)

Choose the Express settings.

Save Changes!

Now your Angular Application is protected with Azure AD Authentication.

Test Authentication

Go to the App Service > URL > Click to launch it

You will be prompted for Authentication.


This confirms Angular App protection with Azure Easy Auth.

Note

For advanced Configurations like Adding Users, Controlling Rules etc. you should use Azure AD Enterprise Applications page.

How to Disable Outbound Internet from a VM?

In this post we can see how to disable Outbound Internet Connectivity from a VM.

  • Outbound Connections are those originated from the system itself

Step 1: Create an NSG (Network Security Group)

Step 2: Disable Internet

Go to the Outbound Security Rules.  By default there will be 3 rules, which together allow Internet access.

We need to create a new rule with a lower Priority number so it is evaluated first.

Click the Add Rule button.  Make the following changes.

(image: settings of the new outbound rule)

Save changes.

Step 3: Associate NSG with VM

Now go to the VM > Change the NSG to the new one.

Step 4: Test Connectivity

Restart the VM > Go to RDP > Open Internet Explorer > Try www.bing.com

You should not get the page displayed.  This confirms that Internet Connectivity is now disabled.
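As an added example that is not part of the original post, the following C# program models the rule evaluation an NSG performs on outbound traffic, so the "lower Priority number is picked first" point from Step 2 can be checked offline. It assumes a constructed VNET 10.0.0.0/16, uses the documentation address 203.0.113.10 to stand in for www.bing.com, names the custom rule DenyInternetOutbound (a hypothetical name), and simplifies the Internet service tag to "any address outside the VNET and outside the private ranges". The three default outbound rules and their priorities are Azure's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

enum Access { Allow, Deny }

// One NSG rule reduced to the fields that matter for this outbound scenario.
record SecurityRule(string Name, int Priority, Access Access, string DestinationPrefix);

static class NsgEvaluator
{
    // Azure's three default outbound rules (names and priorities are fixed by Azure).
    public static readonly List<SecurityRule> DefaultOutboundRules = new()
    {
        new("AllowVnetOutBound",     65000, Access.Allow, "VirtualNetwork"),
        new("AllowInternetOutBound", 65001, Access.Allow, "Internet"),
        new("DenyAllOutBound",       65500, Access.Deny,  "*"),
    };

    // Rules are walked in ascending priority order; the first match decides.
    public static (string Rule, Access Decision) Evaluate(
        IEnumerable<SecurityRule> rules, IPAddress dest, string vnetCidr)
    {
        foreach (var rule in rules.OrderBy(r => r.Priority))
            if (Matches(rule.DestinationPrefix, dest, vnetCidr))
                return (rule.Name, rule.Access);
        return ("(no rule)", Access.Deny);
    }

    // Simplified service-tag resolution (assumption: Internet = not VNET, not private).
    static bool Matches(string prefix, IPAddress dest, string vnetCidr) => prefix switch
    {
        "*"              => true,
        "VirtualNetwork" => InCidr(dest, vnetCidr),
        "Internet"       => !InCidr(dest, vnetCidr) && !IsPrivate(dest),
        _                => InCidr(dest, prefix),
    };

    static bool IsPrivate(IPAddress ip) =>
        InCidr(ip, "10.0.0.0/8") || InCidr(ip, "172.16.0.0/12") || InCidr(ip, "192.168.0.0/16");

    static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        uint network = ToUInt(IPAddress.Parse(parts[0]));
        int bits = int.Parse(parts[1]);
        uint mask = bits == 0 ? 0u : uint.MaxValue << (32 - bits);
        return (ToUInt(ip) & mask) == (network & mask);
    }

    static uint ToUInt(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes(); // IPv4 only in this model
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}

class Program
{
    static void Main()
    {
        const string vnet = "10.0.0.0/16";                  // constructed VNET range
        var bing   = IPAddress.Parse("203.0.113.10");       // stands in for www.bing.com
        var peerVm = IPAddress.Parse("10.0.2.7");           // another VM in the same VNET

        var before = NsgEvaluator.DefaultOutboundRules;
        Console.WriteLine($"Default rules, Internet  -> {NsgEvaluator.Evaluate(before, bing, vnet)}");

        // Step 2 of the post: a Deny rule for the Internet tag with a LOWER number (100)
        // than AllowInternetOutBound (65001), so it is evaluated first and wins.
        var after = before.Append(new SecurityRule("DenyInternetOutbound", 100, Access.Deny, "Internet"));
        Console.WriteLine($"With Deny@100, Internet  -> {NsgEvaluator.Evaluate(after, bing, vnet)}");
        Console.WriteLine($"With Deny@100, VNET peer -> {NsgEvaluator.Evaluate(after, peerVm, vnet)}");

        // A Deny rule numbered above 65001 is never reached for Internet traffic.
        var tooLate = before.Append(new SecurityRule("DenyInternetTooLate", 65100, Access.Deny, "Internet"));
        Console.WriteLine($"With Deny@65100, Internet -> {NsgEvaluator.Evaluate(tooLate, bing, vnet)}");
    }
}
```

The last two calls are the point of the model: the custom rule only blocks www.bing.com when its number is below 65001, and VM-to-VM traffic inside the VNET is still allowed by AllowVnetOutBound because that rule matches first at 65000. When verifying on a real VM, the Effective security rules view of the network interface in the Azure Portal shows the same merged, priority-ordered list.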

Azure VNET Connectivity Options

We can connect 2 VNET using following options:

  • VNET Peering
  • VPN Gateway

VNET Peering

VNET Peering is the best option as it gives the fastest connectivity, using the Microsoft backbone infrastructure and Private addresses.

There are 2 types of VNET Peering:

  • VNET Peering for same region connectivity
  • Global VNET Peering for different region connectivity

VPN Gateway

If one of the VNETs is On-Premise then you can choose the VPN Gateway option.  It also offers Encryption, which could drive the decision.

However, VPN Gateway will be slower compared with Peering, and more configuration & setup time overheads exist.

Comparison

Description           VNET Peering   VPN Gateway
Easy Setup            Yes            No
Encryption            No             Yes
Cross-Region Support  Yes            Yes
Pricing               Less           More
Speed                 High           Low
Bandwidth Limit       No             Yes
Public IP             No             Yes
On-Premise Support    Complicated    Yes

References

https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/

What are the Different Ways to connect from Azure to On-Premise SQL Server?

Here I would like to list down the different ways to connect from Azure to On-Premise SQL Server.

VPN

We can create a site-to-site VPN for connecting from Azure to On-Premise.  Here the VPN device on the Azure side takes care of transmitting the request to the On-Premise network.

https://docs.microsoft.com/en-us/office365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network

Azure Data Factory

Azure Data Factory requires running an Integration Runtime service on the On-Premise machine to make the connectivity happen.  It also requires opening an Outbound port on the On-Premise machine if any Outbound connection back to Azure SQL is required.

https://azure.microsoft.com/en-us/services/data-factory/

Azure Hybrid Connections

Hybrid Connections are created within the App Service.

https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections

https://nishantrana.me/2018/02/19/using-azure-hybrid-connections-to-connect-to-sql-on-prem-database-from-azure-webjob/

Azure Service Bus Relays

Relays create endpoints on the On-Premise application which can be accessed from the Outside World.

Link: https://www.c-sharpcorner.com/article/overview-of-azure-service-bus-relay/

ExpressRoute

ExpressRoute is a highly secured option as it creates new connectivity outside the Public Internet.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

On-Premises Data Gateway

If you are using Logic Apps or Power BI then you can rely on the On-Premises Data Gateway.  This involves installing the On-Premises Data Gateway on Azure & On-Premise too.

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install

https://www.codit.eu/blog/installing-and-configuring-on-premise-data-gateway-for-logic-apps/

Note

Depending on your Network Security guidelines, choose the appropriate one.

How to Verify Custom Domain from GoDaddy.com in Azure Portal?

In this post we can see how to verify custom domain purchased from www.godaddy.com in Azure Portal.

Purchase Domain

You can visit www.godaddy.com to complete the domain purchase.

Azure Portal

You can open the Azure Portal > Azure Active Directory > Custom domain names blade as shown below.

(image: Custom domain names blade)

Choose the Add custom domain option > Enter your domain name > Copy the values shown for the TXT record.

GoDaddy

Now go to the www.godaddy.com website

https://dcc.godaddy.com/domains/

Choose Manage DNS from the Ellipsis menu

In the upcoming records page click the Add button.


In the appearing page choose TXT and enter the values from Azure Portal.


Now wait for 1 minute, come back to the Azure Portal & click Verify.

You will get it Verified!

Azure Certificate based Authentication from App Service to Access Key Vault

In this post I would like to demonstrate the usage of Certificate-based Authentication from a deployed App Service in Azure & thereby access Azure Key Vault.

Control Flow

The following picture depicts the entire Control Flow.

(image: control flow diagram)

Follow the steps for Certificate creation: LINK 1

  • Create Certificate
  • Export to .CER format
  • Export to .PFX format

Following are the App Service & App Registration activities: LINK 2

  • Create App Service
  • Associate the .PFX Certificate
  • Create App Registration
  • Associate the .CER Certificate

Following are the Key Vault Activities: LINK 3

  • Create Key Vault
  • Create Secret
  • Provide necessary permissions to the App Registration

Create the Code: LINK 4

  • Create Web API Project
  • Load the certificate
  • Access the Key Vault
  • Deploy the Application

Test the application

Note: This is a real-world scenario & hence the steps & complexities are high.

Certificate vs Password

Certificate-based Authentication is more secure than Password-based Authentication because:

  • A Certificate is difficult to copy, regenerate & install – hence more security
    • Certificate-based Authentication ensures that the Token is only issued to the Certificate holder
  • A Password can be copied easily & played back – hence less security

Common Errors

  • Forbidden – Add the necessary permission for the App Registration in the Key Vault
  • Not Found – The Key Vault Secret Name is probably invalid
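As an added example (not the post's own code or the code behind LINK 4), the following minimal ASP.NET Core Web API covers the "Load the certificate" and "Access the Key Vault" steps above and maps the two Common Errors to explicit responses. It assumes the NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets, and four hypothetical app settings: TENANT_ID and CLIENT_ID from the App Registration that holds the .CER, CERT_THUMBPRINT of the .PFX uploaded to the App Service, and KEYVAULT_URI of the vault. On a Windows App Service the app setting WEBSITE_LOAD_CERTIFICATES must also be set to that thumbprint so the uploaded .PFX is exposed in the CurrentUser\My store.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Added example, not the post's own code. Assumed (hypothetical) app settings:
//   TENANT_ID, CLIENT_ID  - App Registration that has the .CER public key associated
//   CERT_THUMBPRINT       - thumbprint of the .PFX associated with the App Service
//   KEYVAULT_URI          - e.g. https://<your-vault>.vault.azure.net/
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// GET /secret/{name}: proves the certificate-based token flow works without echoing
// the secret value back to the caller.
app.MapGet("/secret/{name}", (string name, IConfiguration config) =>
{
    try
    {
        X509Certificate2 cert = LoadCertificate(config["CERT_THUMBPRINT"]!);

        // The private key never leaves this process: Azure.Identity signs a short-lived
        // JWT client assertion with it, and Azure AD checks the signature against the
        // .CER registered on the App Registration. Nothing replayable is sent over the wire.
        var credential = new ClientCertificateCredential(
            config["TENANT_ID"]!, config["CLIENT_ID"]!, cert);

        var client = new SecretClient(new Uri(config["KEYVAULT_URI"]!), credential);
        KeyVaultSecret secret = client.GetSecret(name);

        return Results.Ok(new
        {
            secret.Name,
            Version = secret.Properties.Version,
            ValueLength = secret.Value.Length   // length only, never the value itself
        });
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // "Forbidden" from the Common Errors list: the App Registration has not been
        // granted permission on this vault yet.
        return Results.Problem(
            "Forbidden: grant the App Registration Get permission on secrets in the Key Vault.",
            statusCode: 403);
    }
    catch (RequestFailedException ex) when (ex.Status == 404)
    {
        // "Not Found" from the Common Errors list: the secret name (or vault URI) is wrong.
        return Results.NotFound($"Secret '{name}' does not exist in this vault.");
    }
});

app.Run();

// Looks the certificate up by thumbprint in the store that App Service populates from
// the uploaded .PFX when WEBSITE_LOAD_CERTIFICATES is set.
static X509Certificate2 LoadCertificate(string thumbprint)
{
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection matches = store.Certificates.Find(
        X509FindType.FindByThumbprint, thumbprint, validOnly: false);

    if (matches.Count == 0)
        throw new InvalidOperationException(
            "Certificate not found; check CERT_THUMBPRINT and WEBSITE_LOAD_CERTIFICATES.");
    if (!matches[0].HasPrivateKey)
        throw new InvalidOperationException(
            "Certificate has no private key; the App Service needs the .PFX, not the .CER.");
    return matches[0];
}
```

The design choice that makes this safer than a client secret is visible in the two halves of the code: the App Service holds the .PFX (private key) and the App Registration holds only the .CER (public key), so a leaked copy of the application's configuration contains no credential that can be played back. The endpoint deliberately returns the secret's name, version and length rather than its value, which is enough to test the Control Flow end to end.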

Contact

For any information OR consulting please contact me through LinkedIn.

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-group-permissions-for-apps