Windows Azure内部端点的安全性如何?
[英]How secure are Windows Azure internal endpoints?
问题描述
I have a front end MVC application in a web role, protected by WIF and ACS, which I would like to be my Azure application's only exposed surface. 
我有一个Web角色的前端MVC应用程序,受WIF和ACS保护,我希望这是我的Azure应用程序唯一暴露的表面。 It connects to a number of back end services, some worker roles and some (for the convenience of adding service references in VS, or because they use WCF Data Services) web roles. 它连接到许多后端服务,一些工作者角色和一些(为了方便在VS中添加服务引用,或者因为它们使用WCF数据服务)Web角色。 The back end service roles have only internal endpoints. 后端服务角色只有内部端点。
My understanding from the MS literature is that internal endpoints are available only to other roles with the same deployment. 我从MS文献中了解到,内部端点仅适用于具有相同部署的其他角色。 Given this, it seems redundant to apply any kind of transport or message security, or authentication, between the MVC web role and the back end services, which is presumably why https is not available on internal endpoints. 鉴于此,在MVC Web角色和后端服务之间应用任何类型的传输或消息安全性或身份验证似乎都是多余的,这可能是为什么https在内部端点上不可用的原因。
My question is: how secure is this? 我的问题是:这有多安全? Is there any way an endpoint could be discovered from anything other than one of our deployed roles? 有没有什么方法可以从我们部署的角色之外的任何东西发现端点? Is there any reason to incur the overhead of additional security on any of the inter-role bindings? 是否有任何理由在任何角色间绑定上产生额外安全性的开销?
1 个解决方案
解决方案1
7 已采纳 2012-07-20 17:43:52
A service represents an isolation boundary, unless you declare an endpoint as an "input" endpoint, it cannot be accessed outside of this isolation boundary. 服务表示隔离边界,除非您将端点声明为“输入”端点,否则无法在此隔离边界之外访问它。 The implemetation of this boundary is a private network branch with no addressability to other branches. 该边界的实现是专用网络分支,对其他分支没有可寻址性。
Keep in mind that internal endpoints are not load balanced. 请记住, 内部端点不是负载平衡的。 So there is a trade off. 所以有一个权衡。 I wrote some stuff up on endpoints awhile back that might help consolidate things a bit. 我在一段时间后在端点上写了一些内容,这可能有助于巩固一些事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.