堆栈内存溢出
  简体   繁体   English

Windows Azure VPN和IP限制

[英]Windows Azure VPN and IP restriction

 原文  2011-08-19 14:58:35       security/ azure/ vpn/ tunneling/ azure-connect

问题描述

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. 我们与第三方服务集成,可以在其中运行使用HTTPS加密和用户名/密码保护的查询。 We send our queries from a service running on the Windows Azure cloud. 我们从Windows Azure云上运行的服务发送查询。

The third-party provider wants to migrate towards better security and they have asked us to either 第三方提供商希望向更高的安全性迁移,他们已经要求我们要么

  1. Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part. 设置VPN-这是有问题的,因为我们需要使用Azure Connect,而他们必须自己安装客户端终结点服务。

  2. Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes. 提供查询将来自的一些IP地址,以便它们可以在防火墙级别过滤掉其他任何人-这是有问题的,因为AFAIK您无法修复Windows Azure Compute节点的IP地址。

  3. Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service. 提出另一种安全的替代方法-我唯一想到的就是在非Azure服务器上与它们建立VPN,然后使用Azure Connect传输请求-这显然对我们来说是额外的工作,并且也削弱了托管的目的如果该服务依赖于非云服务,则在云上。

Any ideas? 有任何想法吗?

  • Can they install the Azure Connect endpoint on another server on their DMZ network? 他们可以在其DMZ网络上的另一台服务器上安装Azure Connect终结点吗? ie not the actual server which hosts their service? 即不是托管服务的实际服务器?
  • Can we somehow provide them with static IPs for incoming queries? 我们可以以某种方式为他们提供传入查询的静态IP吗?
  • Any other solution that is scalable? 还有其他可扩展的解决方案吗?

Thanks 谢谢

2 个解决方案

解决方案1
 1 已采纳  2011-08-23 22:09:12

If I understand the scenario correctly, your Azure service is a client to a 3rd party service. 如果我正确理解了该情况,则您的Azure服务是第三方服务的客户端。 This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. 通过使用Windows Azure AppFabric服务总线可以解决此情况。 You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. 您需要在第三方数据中心中安装一个代理应用程序,该应用程序负责建立与服务总线的连接。 The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. 连接来自第3方的数据中心内部,因此防火墙中没有新的传入漏洞。 The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS. 该连接可以处理具有所有安全性的WCF连接,并且可以通过ACS认证用户。

Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx 这是一个起点: http : //msdn.microsoft.com/zh-cn/library/ee732537.aspx

There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need. Windows Azure平台培训工具包中有一个动手实验,它解释了您需要的大多数详细信息。

解决方案2
 0  2011-08-19 15:11:50

IMHO, HTTPS is already very good ; 恕我直言, HTTPS已经非常好 and I don't exactly see how a VPN would make the system any more secure. 而且我还没有完全了解VPN如何使系统更加安全。 In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). 特别是,VPN并不是灵丹妙药,如果您的VM受到了威胁,那么VPN连接也受到了威胁(与HTTPS相同)。 On the other hand, the IP restriction would indeed reduce the attack surface. 另一方面,IP限制确实会减少攻击面。

Then, using a server outside the cloud is a poor idea indeed . 然后, 在云之外使用服务器确实不是一个好主意 Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface. 它不仅破坏了云技术的大部分优势(到那里,这样做并遭受了很多损失),而且还使整个事情变得不那么安全,因为它具有更高的复杂性和更多的攻击面。

Windows Azure does not provide anything that look like a static IP at this point. Windows Azure目前不提供任何看起来像静态IP的东西。 In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). 根据我们的经验,即使仅升级(但从未删除)服务,给定服务的IP地址也会偶尔更改。 Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months. 长期以来,静态IP地址一直是一项重要的功能请求,Microsoft可能会在某个时候提供它,但仍可能需要几个月的时间。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure上的Linux虚拟机 - 如何应用IP限制 - Linux Virtual Machine at Azure - how to apply IP restriction 是否可以为Windows Azure网站设置IP限制? - Is it possible to set IP restrictions for Windows Azure Web sites? SQL 2005 sql登录ip限制 - SQL 2005 sql login ip restriction 具有托管标识和 IP 限制的虚拟机谁赢了? - VM with Managed Identity and IP restriction who wins? IIS 不同 IP 对特定资源的限制 - IIS different IP restriction for specific resource 没有公共 IP 地址 - 无需 VPN 仍可访问 - No public IP address - still accessible without VPN 带有 VPN 网关的用于 postgresql 超大规模的 Azure 数据库 - Azure database for postgresql hyperscale with VPN gateway 如何从1个IP自动检测高[数据输出](Windows Azure网站) - How to auto-detect High [Data out] from 1 IP (Windows azure website) GCP:IP 地址限制以从有限的 IP 地址集中使用服务帐户 - GCP: IP address restriction to use service account from limited set of ip addresses Azure中的IP安全性和始终开启设置 - IP Security and Always On Setting in Azure
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM