
I have an Azure CloudService with two roles. One of these roles exposes a public endpoint and an internal endpoint. How can I control access to an MVC controller based on which endpoint the request is coming from?

Is there a better way of achieving this?

Niklas
  • What exactly do you want to achieve? And if you have a public Endpoint, you don't really have an internal one, as the public one has already punched the Firewall as well as the Azure LB, so any traffic, coming from anywhere, including from within Azure, is able to reach your endpoint. If you want only internal access on an Endpoint, then just do not expose it Publicly. More, you can always have the Public endpoint on one port, internal on another - then checking the server Port you will get which endpoint is accessed. – astaykov Mar 11 '16 at 10:13
  • Ok I'll explain what I'm trying to achieve, maybe there will be a better solution: – Niklas Mar 11 '16 at 10:26
  • @astaykov 1) A SignalR hub, that clients can connect to from the outside world 2) A website, with AD authorization, where service personnel can call the SignalR hub, triggering method calls on the clients through websocket. The two must both be hosted on Azure, but it doesn't matter if it's WebApp or CloudService. I am aware, that I could probably use ServiceBus or Azure Queues to do this, but I would like a direct response from the hub, to verify the call. Any suggestions? Does it make sense? – Niklas Mar 11 '16 at 10:32
  • 1) You can update your question and not write explanations in a comment. 2) I still didn't get the part where you want to check whether it is from the Input or Internal endpoint. If you use AD to protect your resource, does it matter where the request is coming from, since it is authenticated and authorized to use the resource? – astaykov Mar 11 '16 at 13:12

1 Answer


You could use ACLs that are specified in the cscfg file. You first specify an access control rule element with permit or deny. This essentially whitelists an IP address or range. You then specify which endpoint to add this to...

<ServiceConfiguration>
  <NetworkConfiguration>
    <AccessControls>
      <!-- One or more named rule sets; each Rule permits or denies a remote subnet -->
      <AccessControl name="aclName1">
        <Rule order="<rule-order>" action="<rule-action>" remoteSubnet="<subnet-address>" description="rule-description"/>
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <!-- Binds a named rule set to a specific endpoint of a specific role -->
      <EndpointAcl role="<role-name>" endpoint="<endpoint-name>" accessControl="<acl-name>"/>
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>

ref: https://msdn.microsoft.com/en-us/library/azure/jj156091.aspx

ref: http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx

tripdubroot
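A filled-in version of the cscfg fragment described in the answer, added here as an example and not part of the original post. The service name, role name, endpoint name and the subnet are constructed placeholders; the ACL is attached only to the public input endpoint, which is the one reachable from outside the deployment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: names and the subnet below are placeholders, not values from the question. -->
<ServiceConfiguration serviceName="ExampleService"
                      xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
                      osFamily="4" osVersion="*">
  <Role name="WebRole">
    <Instances count="2" />
  </Role>
  <NetworkConfiguration>
    <AccessControls>
      <!-- Rules are evaluated in ascending "order" value; the first matching rule decides. -->
      <AccessControl name="ServicePersonnelOnly">
        <!-- Permit only the egress range used by service personnel (constructed TEST-NET-3 range). -->
        <Rule order="100" action="permit" remoteSubnet="203.0.113.0/24"
              description="Service personnel office range (placeholder)" />
        <!-- Explicit catch-all deny, so the intent is visible in the file rather than relying on implicit behaviour. -->
        <Rule order="200" action="deny" remoteSubnet="0.0.0.0/0"
              description="Deny all other sources" />
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <!-- Attach the rule set to the public (input) endpoint of the role. The internal endpoint is not
           listed here: it is only reachable from other instances of the same deployment. -->
      <EndpointAcl role="WebRole" endpoint="AdminWebsite" accessControl="ServicePersonnelOnly" />
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>
```

Note that this filters by source IP at the load balancer, not by which endpoint an MVC action was reached on; for the SignalR hub that outside clients must reach, no permit-only ACL of this kind can be applied without also blocking those clients.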