Expose Data Factory using FrontDoor - azure-data-factory

I have a Data Factory that is using a private endpoint, and I would like to configure an integration runtime to have a connection between my ADF and a SQL Server that is in another organization, but without using a VPN connection.
What I've been trying: I created a new record (CNAME) on DNS to direct mytest.domain.com to my FrontDoor, and there I've configured a frontend (mytest.domain.com) > backend (ADF service endpoint) > routing rule. Then, on the IR side, I grabbed the authentication key from ADF and changed the ADF service endpoint to the CNAME I created, mytest.domain.com, keeping the other information the same. Therefore, when I go to the IR to register it, I get an error saying
Is it possible to have my ADF as a private endpoint, expose it using FrontDoor, and limit it to only the IP of my client?
I'm expecting to allow only the client IP to connect via the IR using FrontDoor instead of a VPN.

Cloudsql access from ai-platform job

Google has nice ways to connect to Cloud SQL from other Google services, but I cannot see how to connect from AI Platform jobs. As part of our training job, we need to update our Cloud SQL DB with metrics, but the only way I could get it to work is by whitelisting all IPs (don't want that!) in Cloud SQL and connecting via the public IP. I don't see an option to add cloud-sql-proxy to the trainer instance. Since the IP of the trainer instance is dynamic, we cannot reliably add a specific IP address to the whitelist. Any other ways to handle this?
It looks like AI Platform supports VPC peering, so you should be able to connect to Cloud SQL using private IP.
Since Cloud SQL also uses VPC peering, you'll likely need to do the following to get the resources to connect:
Create a VPC to share (or use the "default" VPC)
Follow the steps here to set up VPC peering for AI Platform in your VPC.
Follow the steps here to set up a private IP for your instance in your VPC.
Since the resources are technically in different networks, you may need to export custom routes (Step #2) to allow the AI platform access to your Cloud SQL instance.
As an alternative to using private IP, you could keep using public IP with an IP allowlist coupled with Authorizing with SSL/TLS certificates. This still isn't as secure as using the proxy or private IP (as users are technically able to connect to your instance), but they'll be unable to interact with the database engine without the correct certificates.
Can you publish a PubSub message from within your training job and have it trigger a cloud function that connects to the database? AI Platform training seems to have IAM restrictions that I too am curious how to control.

Cloud Connector problem. Cloud To On-Premise

I created an OData Service in SAP Logon and registered it.
I checked it and it works fine. Now, I want to create a cloud connector using the link I got when I tested my OData Service. It looks like:
http://mylink.com:1234/sap/opu/odata/sap/***_SRV/.
In cloud connector setting I put:
Internal host:mylink.com
Internal port:1234.
But every time I try to check my connection in Cloud Connector, it shows me "Not Reachable".
Can anybody advise me on this and explain the reasons for it?
Thanks a lot.
Cloud connector requires two different addresses:
Internal Host and port: this should be the real network address of your on-premise system, typically the SAP NetWeaver Gateway that hosts the service URL. The address must be reachable from the Cloud Connector server.
Virtual Host and port: this should be a non-real (virtual) address. It's a must that this address matches the URL address of a destination configured in SAP Cloud Platform.
Moreover, apart from the on-premise configuration, you must enable which URL paths are allowed to be accessed from the cloud.
Check whether your cloud connector and SAP LogOn OData service are in the same network. Only then can the SAP cloud connector reach your on-premise system through a secure channel.

IBM Bluemix Secure gateway / public access

Should I be able to set up Secure Gateway to be able to connect to my on-prem SQL Server DB, using SQL Server Management Studio on my laptop from home (not on-prem)?
You don't "have to" use the Secure Gateway in order for your application on the cloud to see your local DB. You could simply give your application the public IP (and port) of the local machine and it should work fine.
It is however good practice to use the Secure Gateway service, as it can ensure the security of the local-to-cloud communication. Make sure to have a look at the documentation to learn how the service works - https://console.ng.bluemix.net/docs/services/SecureGateway/secure_gateway.html

Azure Service Fabric: Make endpoint Input and Internal for identity server 4

I want to run an application on Azure Service Fabric. One service should serve as the identity provider, so I installed the IdentityServer 4 package on that 'usermanager' service. I also have two other services that should use this usermanager for authentication and authorization.
That works on localhost, but on Azure I have the problem that an endpoint must be 'Input' or 'Internal' in my service manifest. For my usermanager, I need both Input and Internal.
<Endpoint Protocol="http" Name="IdentityServerEndpoint" Type="Input" Port="5000" />
/.well-known/openid-configuration needs 'Internal' and
/connect/authorize?xxxxxx needs 'Input'
I found that for Input endpoints Azure Service Fabric uses the fully qualified domain name, and for Internal endpoints it uses the IP address of the local network, like 10.0.0.4.
Is there a solution to make an endpoint both input and internal?
Or is there a solution to make identity server 4 to handle two endpoints?
Any ideas to solve this problem?
Believe it or not, the "Type" field in the Endpoint config doesn't actually do anything on any hosting platform. It's just metadata that you can configure and use in your code (basically a way for you to set your own policies). It doesn't matter what you put there otherwise.
Ultimately, you're opening an endpoint on a process on a VM. That endpoint will be open on the VM's IP and the port you choose, e.g., 10.0.0.1:5000.
If you want that endpoint to also be available on your cluster's VIP and FQDN, that configuration is external to Service Fabric. In Azure you just need to configure the Azure Load Balancer to forward external traffic on the port your service is listening on. See here for more info on that: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-and-communicate-with-services#connections-from-external-clients
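As an added illustration of the load-balancer side of this answer (not code from the question, the answer, or Service Fabric itself), here is an ARM template fragment for the Azure Load Balancer in front of a Service Fabric node pool: a TCP health probe plus a load-balancing rule that forwards port 5000 on the cluster's public frontend to port 5000 on the nodes, so the same process endpoint is reachable on the VIP/FQDN as well as on the node's 10.x address. The variable names lbName0, lbID0 and lbPublicIpName0 are assumed to be defined elsewhere in the template, and this rule alone exposes the port to any client of the public IP, so a network security group is still needed to scope who can reach it.

```json
{
  "type": "Microsoft.Network/loadBalancers",
  "apiVersion": "2020-05-01",
  "name": "[variables('lbName0')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "frontendIPConfigurations": [
      {
        "name": "LoadBalancerIPConfig",
        "properties": {
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('lbPublicIpName0'))]"
          }
        }
      }
    ],
    "backendAddressPools": [
      { "name": "LoadBalancerBEAddressPool" }
    ],
    "probes": [
      {
        "name": "IdentityServerProbe",
        "properties": {
          "protocol": "Tcp",
          "port": 5000,
          "intervalInSeconds": 5,
          "numberOfProbes": 2
        }
      }
    ],
    "loadBalancingRules": [
      {
        "name": "IdentityServerRule",
        "properties": {
          "frontendIPConfiguration": { "id": "[concat(variables('lbID0'), '/frontendIPConfigurations/LoadBalancerIPConfig')]" },
          "backendAddressPool": { "id": "[concat(variables('lbID0'), '/backendAddressPools/LoadBalancerBEAddressPool')]" },
          "probe": { "id": "[concat(variables('lbID0'), '/probes/IdentityServerProbe')]" },
          "protocol": "Tcp",
          "frontendPort": 5000,
          "backendPort": 5000,
          "enableFloatingIP": false,
          "idleTimeoutInMinutes": 5
        }
      }
    ]
  }
}
```

The probe keeps unhealthy nodes out of rotation; the rule is what makes the Input-style FQDN address work, while the Internal-style 10.0.0.x address works because the service already listens on the node IP.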

Secure Connector API endpoint not in VCAP_SERVICES?

I have created an API via the basic secure connector (SOAP). The API works, but I am wondering why I can't retrieve the endpoint URL from VCAP_SERVICES. Is there anything I am missing here?
Are you using the secure connector portion of the Cloud Integration service in Bluemix? You might want to try the Secure Gateway service, which is newer and is basically just the secure connector as a standalone service without the rest of Cloud Integration.
"Reaching enterprise backend with Bluemix Secure Gateway via console" explains how to set up a Secure Gateway instance. When you create a destination, that creates an integration.ibmcloud.com URL that your app can then use to connect to your destination via the gateway. The gateway is a proxy, preserving the interface, so the cloud host URL has the same API as the destination host.