
Currently we run a UI web role and a web service web role (WCF REST) on Azure. Each role contains 2 instances (for load balancing and meeting the SLA reqs.) The UI web role and web service web role are within the same subscription but in different deployments. We do not want to merge the code bases (maintainability etc etc). So the UI layer is on xyz.cloudapp.net and the Web Service layer is on abc.cloudapp.net.

Currently, the requirement is to make the web service web role an internal endpoint i.e only accessible by the UI layer. The literature on configuring internal endpoints and accessing it from a different deployment is not very clear.

I am assuming that the two different roles need to be part of a single deployment for this to work. Can this be done without affecting the deployments? Any pointers in the right direction would be greatly appreciated.

SliverNinja - MSFT
user275157

3 Answers


Internal endpoints are only accessible within a single deployment, and do not route through the load balancer (so if you have 2 instances of your wcf services accessible on internal endpoint, you'd need to distribute calls between the instances). This, of course, would require you to put both your web role and wcf web role into the same deployment.

You might want to consider service bus for a secure way of reaching your wcf services from your web role instances. Or... expose the wcf services via input endpoint but secure the service.

David Makogon
  • Would a service bus relay work from the Azure Service Interface (*i.e. can you enable autostart for the service bus listener via the azure hosted IIS appfabric*)? – SliverNinja - MSFT Apr 16 '12 at 14:13
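Added example (not code from the thread's participants): what the "no load balancer on internal endpoints" point above means in practice for the UI role once both roles sit in one deployment. It assumes the WCF role is named `WcfWebRole` and declares `<InternalEndpoint name="WcfInternal" protocol="http" />` in ServiceDefinition.csdef, and that the REST service answers on paths under that endpoint; the role and endpoint names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading;
using Microsoft.WindowsAzure.ServiceRuntime;

// Client-side distribution of calls across the instances of a WCF REST role that is
// exposed only on an internal endpoint. Internal endpoints are not behind the Azure
// load balancer, so the caller has to spread requests itself.
// Assumed names (not from the original thread): role "WcfWebRole", endpoint "WcfInternal".
public static class InternalWcfClient
{
    private static int _next = -1;

    // Resolve the internal endpoint of every running instance of the WCF role.
    // Re-resolve on each call rather than caching: the instance list changes on
    // scale-out/in and while an instance is being recycled.
    public static IList<IPEndPoint> ResolveInstances(
        string roleName = "WcfWebRole", string endpointName = "WcfInternal")
    {
        if (!RoleEnvironment.IsAvailable)
            throw new InvalidOperationException("Not running inside an Azure role.");

        return RoleEnvironment.Roles[roleName].Instances
            .Select(i => i.InstanceEndpoints[endpointName].IPEndpoint)
            .ToList();
    }

    // Pick the next instance round-robin (thread-safe counter, wraps safely on overflow).
    public static Uri NextBaseAddress()
    {
        var endpoints = ResolveInstances();
        if (endpoints.Count == 0)
            throw new InvalidOperationException("No WCF role instances are currently running.");

        int idx = (int)((uint)Interlocked.Increment(ref _next) % (uint)endpoints.Count);
        IPEndPoint ep = endpoints[idx];
        return new Uri(string.Format("http://{0}:{1}/", ep.Address, ep.Port));
    }

    // GET a resource from the chosen instance; if that instance is unreachable
    // (e.g. mid-recycle), try once more against the next one in the rotation.
    public static string Get(string relativePath)
    {
        Exception last = null;
        for (int attempt = 0; attempt < 2; attempt++)
        {
            var url = new Uri(NextBaseAddress(), relativePath);
            try
            {
                using (var client = new WebClient())
                    return client.DownloadString(url);
            }
            catch (WebException ex)
            {
                last = ex;
            }
        }
        throw new ApplicationException("All WCF role instances failed.", last);
    }
}
```

Because an internal endpoint is reachable only from roles in the same deployment, the deployment itself is the trust boundary here; nothing outside it (including the old xyz.cloudapp.net deployment) can address these instances, which is exactly why the two roles cannot stay in separate deployments.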

Have you considered using ACS (Access Control Services) for restricting access using claims-based authentication to your WCF endpoint?

There are numerous protection schemes you could provide via WCF bindings.

Internal Endpoints can only communicate with inter-roles in the same deployment. If you have 2 separate deployments (abc.cloudapp.net and xyz.cloudapp.net), internal endpoints won't help you.

SliverNinja - MSFT

There's an approach I like to call the virtual DMZ that should meet your needs: http://brentdacodemonkey.wordpress.com/?s=virtual+dmz

It leverages the ACS and WCF bindings to allow you to create access control to input endpoints (which are then load balanced). Of course, if you don't want something that robust, you can go with just a standard old WCF mutual auth scenario.

That said, David makes an excellent point. Internal endpoints are only accessible within a single deployed service. This is because that service represents an isolation boundary (think virtual LAN branch) and only input endpoints can be addressed from outside of that boundary.

BrentDaCodeMonkey
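Added example (not code from the thread's participants or from the linked blog post): the "standard old WCF mutual auth" alternative mentioned above, i.e. keeping the WCF REST service on a load-balanced input endpoint but requiring a client certificate over HTTPS and accepting only certificates whose thumbprint is on an allow list. The service contract name `IMyService`, the self-hosting style, and the thumbprint list are assumptions for illustration; in an IIS-hosted web role the same binding and validator settings would be applied through the service's configuration or a custom ServiceHostFactory.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Web;

// Accept only client certificates whose thumbprint is explicitly allow-listed.
// Pinning by thumbprint means a certificate issued by the same CA to some other
// party is still rejected; the UI role's certificate is the only accepted caller.
public class PinnedClientCertValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowedThumbprints;

    public PinnedClientCertValidator(IEnumerable<string> thumbprints)
    {
        _allowedThumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No client certificate presented.");

        // Reject expired or not-yet-valid certificates even if the thumbprint matches.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            throw new SecurityTokenValidationException("Client certificate is outside its validity period.");

        if (!_allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate is not on the allow list.");
    }
}

// Assumed contract name for illustration; substitute the real WCF REST contract.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    [WebGet(UriTemplate = "/ping")]
    string Ping();
}

public static class SecuredRestHost
{
    // Build a host for the public input endpoint: HTTPS transport security plus a
    // mandatory client certificate, validated by the pinned validator above.
    public static WebServiceHost Create(Type serviceType, Uri httpsBaseAddress, IEnumerable<string> allowedThumbprints)
    {
        var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var host = new WebServiceHost(serviceType, httpsBaseAddress);
        host.AddServiceEndpoint(typeof(IMyService), binding, string.Empty);

        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
            new PinnedClientCertValidator(allowedThumbprints);

        return host;
    }
}
```

With this in place the abc.cloudapp.net deployment can stay separate and still be load balanced across its two instances, while any caller that cannot present the UI role's certificate is rejected at the TLS/WCF layer before reaching service code. The UI role would attach its certificate on the client side (for example through the WebHttpBinding client's ClientCredentials.ClientCertificate), and the certificate's private key should be deployed to the UI role through the service configuration rather than embedded in the code base.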