We are looking at deploying an application on Azure Web Sites and deploying Redis and Solr clusters on sets of Azure virtual machines. What is the best practice for restricting access so that just my Azure web site can access these boxes?

We store private information in the Redis and Solr clusters, so we cannot risk allowing other Azure web sites access to them; allowing the complete IP range of the Azure data centres is a no-go.

Ollie

2 Answers

Azure Web Sites do not have dedicated outbound IP addresses for each deployment. This precludes you from using ACLs or Virtual Networks to connect to your Redis / Solr virtual machines.

While you can filter IP traffic entering a Virtual Machine via ACL, this will only work with Cloud Services (web/worker roles) and Virtual Machines. Likewise, you can add Cloud Services and Virtual Machines to a Virtual Network, allowing you to directly access your Redis/Solr instances.

As @Itamar mentioned in his answer, you can use IP filtering on the Redis/Solr instances themselves, via the OS or within Redis/Solr as supported. You can also use an SSL connection.

David Makogon
  • Surely moving the IP filtering to the Redis/Solr instances will have no effect. You still have the problem of not being able to predict the outbound MAWS IP address, so you would need to allow the entire range through for the data centre you use, right? – Paul Hiles Jun 28 '14 at 21:03
  • Correct. Just pointing out the various options for filtering (via ACL, via VNet, via OS-hosted firewall). There's still no option for filtering traffic from a specific Azure Web Sites application due to not having dedicated outbound IP address. – David Makogon Jun 28 '14 at 21:19
Don't know about Solr, but if you want a secure connection to your Redis you should consider using a secure proxy such as stunnel on the web site and the Redis servers (see for example http://bencane.com/2014/02/18/sending-redis-traffic-through-an-ssl-tunnel-with-stunnel)... or, just use a Redis service provider that supports SSL (e.g. http://redislabs.com ;)).

Itamar Haber
  • The communication between services is internal to the data centre; I am looking more towards an IP restriction rather than SSH / SSL tunnels. – Ollie Apr 09 '14 at 10:32
  • We also do IP/Subnet access control if that's what you're after – Itamar Haber Apr 09 '14 at 10:35
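As an added example (not from either answer, the linked blog post, or stunnel's own documentation), here is one way to wire the stunnel setup Itamar suggests so that it also addresses the concern raised in both comment threads: the web site has no predictable outbound IP, so the Redis VM cannot filter on source address, but it can require a TLS client certificate that only the web site holds. Source IP then becomes irrelevant; any other tenant in the same data centre range that reaches port 6380 is refused at the TLS handshake. Both halves are shown in one block; all hostnames, file paths and ports are assumptions.

```ini
; ---- /etc/stunnel/redis-server.conf : runs on each Redis VM ----
; Plaintext Redis stays bound to loopback (redis.conf: "bind 127.0.0.1"),
; so the only way in from the network is through this tunnel.
; Paths, hostnames and ports below are assumed values, not from the thread.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-redis.pid
foreground = no

; Certificate/key the VM presents to the web site
cert = /etc/stunnel/redis-server.pem
key  = /etc/stunnel/redis-server.key

; verify = 2: the peer MUST present a certificate and it MUST chain to CAfile.
; Use a private CA that issues nothing but this application's client cert,
; so possession of that cert is the access control, not the source IP.
CAfile = /etc/stunnel/webapp-client-ca.pem
verify = 2

; Refuse legacy protocol versions
options = NO_SSLv2
options = NO_SSLv3

[redis-tls]
accept  = 0.0.0.0:6380
connect = 127.0.0.1:6379

; ---- stunnel-client.conf : runs next to the application ----
; The app talks plaintext to 127.0.0.1:6379 on its own host; stunnel wraps
; that in TLS and presents the client certificate to the Redis VM.
client = yes
cert = /etc/stunnel/webapp-client.pem
key  = /etc/stunnel/webapp-client.key

; Verify the server as well, against the CA that issued redis-server.pem,
; so the app cannot be pointed at an impostor Redis
CAfile = /etc/stunnel/redis-server-ca.pem
verify = 2

[redis-tls]
accept  = 127.0.0.1:6379
connect = redis1.cloudapp.net:6380
```

With this in place the Azure endpoint for 6380 can be left open to the data centre range (or the Internet) without exposing the data, because authentication is done by the client certificate rather than by address; keep `requirepass` in redis.conf as a second, independent layer. The client key must be deployed as a secret, not checked into the site's repository. If the Web Sites sandbox does not allow running stunnel alongside the app, the same client half applies unchanged from a worker role or VM that hosts the application instead. Solr speaks HTTP, so the same pattern works there with any TLS-terminating reverse proxy configured to require a client certificate in front of a loopback-bound Solr.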