简体繁体 English

Azure终结点-不同的部署

[英]Azure endpoints - different deployments

原文 2012-04-16 13:12:15 6 3 wcf/ azure/ wcf-rest

Currently we run a UI web role and a web service web role(WCF REST) on Azure. 当前，我们在Azure上运行UI Web角色和Web服务Web角色（WCF REST）。 Each role contains 2 instances (for load balancing and meeting the SLA reqs.) The UI Web role and web service web role are within the same subscription but in different deployments. 每个角色包含2个实例（用于负载平衡和满足SLA要求。） UI Web角色和Web服务Web角色位于同一预订中，但部署不同。 We do not want to merge the code bases (maintainability etc etc). 我们不想合并代码库（可维护性等）。 So the UI layer is on xyz.cloudapp.net and the Web Service layer is on abc.cloudapp.net. 因此，UI层位于xyz.cloudapp.net上，而Web Service层位于abc.cloudapp.net上。

Currently, the requirement is to make the web service web role an internal endpoint ie only accessible by the UI layer. 当前，要求是使Web服务Web角色成为内部端点，即只能由UI层访问。 The literature on configuring internal endpoints and accessing it from a different deployment is not very clear. 关于配置内部端点并从其他部署中访问它的文献并不十分清楚。

I am assuming that the two different roles need to be part of a single deployment for this to work. 我假设两个不同的角色需要成为单个部署的一部分才能起作用。 Can this be done without affecting the deployments? 可以在不影响部署的情况下做到这一点吗？ Any pointers in the right direction would be greatly appreciated. 朝正确方向的任何指针将不胜感激。

3 个解决方案

Internal endpoints are only accessible within a single deployment, and do not route through the load balancer (so if you have 2 instances of your wcf services accessible on internal endpoint, you'd need to distribute calls between the instances). 内部端点只能在单个部署中访问，并且不能通过负载均衡器进行路由（因此，如果您在内部端点上可以访问2个wcf服务实例，则需要在这些实例之间分配调用）。 This, of course, would require you to put both your web role and wcf web role into the same deployment. 当然，这将需要您将Web角色和WCF Web角色都放入同一部署中。

You might want to consider service bus for a secure way of reaching your wcf services from your web role instances. 您可能需要考虑使用服务总线，以一种安全的方式从Web角色实例访问wcf服务。 Or... expose the wcf services via input endpoint but secure the service. 或者...通过输入端点公开wcf服务，但保护服务。

Have you considered using ACS ( Access Control Services ) for restricting access using claims-based authentication to your WCF endpoint? 您是否考虑过使用ACS（ 访问控制服务 ）通过对WCF终结点的基于声明的身份验证来限制访问？

There are numerous protection schemes you could provide via WCF bindings . 您可以通过WCF绑定提供多种保护方案。

Internal Endpoints can only communicate with inter-roles in the same deployment. 内部端点只能与同一部署中的角色间通信。 If you have 2 separate deployments ( abc.cloudapp.net and xyz.cloudapp.net , internal endpoints won't help you ). 如果您有2个单独的部署（ abc.cloudapp.net和xyz.cloudapp.net ，内部端点将无济于事 ）。

There's an approach I like to call the virtual DMZ that sould meet your needs: http://brentdacodemonkey.wordpress.com/?s=virtual+dmz 我喜欢一种可以满足您需求的虚拟DMZ： http ://brentdacodemonkey.wordpress.com/?s=virtual+dmz

It leverages the ACS and WCF bindings to allow you to create access control to input endpoints (which are then load balanced). 它利用ACS和WCF绑定来允许您创建对输入端点的访问控制（然后进行负载平衡）。 Of course, if you don't want something tha robust, you can go with just a standard old WCF mutual auth scenario. 当然，如果您不希望某些功能强大，则可以使用标准的旧WCF相互身份验证方案。

That said, David makes an excellent point. 也就是说，大卫提出了一个很好的观点。 Internal endpoints are only accessible with a single deployed service. 内部端点只能通过单个部署的服务访问。 This is because that service represents an isolation boundary (think virtual lan branch) and the only input endpoints can be adressed from outside of that boundary. 这是因为该服务表示隔离边界（请考虑虚拟lan分支），并且只能从该边界之外获取输入端点。