I have multiple Service Fabric APIs. Both services are hosted in the same cluster using Kestrel. Currently each service is assigned to a specific port so they show up as
http://service1:123 and
http://service2:456
I would like to access the services using default port 80 for both. Is there a way to do this without having to use Azure API Management?
Sure, Kestrel doesn't support port sharing, but you can:
run on IIS, inside containers.
use the built in reverse proxy
use a (containerized) reverse proxy like Traefik
I want to deploy Identity Server 4 on Kubernetes 1.8, and use this as a Federation Gateway between my web application and Azure Active Directory (to begin with).
If I call Identity Server from my web application using the local k8s service name, my users are redirected to the wrong Identity Server URL (containing the local k8s service name) during Sign in which clearly won't work. We are using an implicit flow.
I therefore set up an Azure Load Balancer with a DNS name and configured Identity Server to be externally accessible with the domain name as the PublicOrigin URL.
However, my web application which runs in the same cluster cannot access Identity Server using the external URL of the Identity Server (discovery fails).
If I run Identity Server on another Kubernetes cluster then everything works fine.
My question is:
How do you properly deploy Identity Server in Kubernetes? Do I really need another Kubernetes cluster?
Note: I am using Kubernetes on Azure created with ACS engine (because we have mixed Windows and Linux containers).
I'm using AKS (Azure managed Kubernetes) and have a single client ASP.NET Core 2 web app in the same cluster as my IS4 service with no issues. Both web apps are fronted by Nginx with kube-lego for Let's Encrypt TLS support, and DNS is provided by Azure DNS.
I'm not using the PublicOrigin; instead the client app's Authority (in the OpenID Connect setup) uses the full (external Azure) DNS name of the IS4 service. You can use PublicOrigin if you want to use the cluster service naming from your clients.
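A check that makes the "discovery fails" symptom concrete, as an added example that is not part of the original thread: it validates a discovery document the way a strict OpenID Connect client does, so you can see why the client's Authority has to be the same name that IdentityServer publishes as its issuer. The host names and the discovery document are constructed sample values, not from a real deployment.

```python
import json
from urllib.parse import urlparse

# Constructed sample: what IdentityServer4 publishes at /.well-known/openid-configuration
# when PublicOrigin is set to the external DNS name. Values are made up for this example.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/connect/authorize",
    "token_endpoint": "https://login.example.com/connect/token",
    "jwks_uri": "https://login.example.com/.well-known/openid-configuration/jwks",
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_discovery(authority: str, document: str) -> list:
    """Return the problems a strict OpenID Connect client raises for a discovery
    document fetched from `authority`. An empty list means discovery would succeed.

    Two checks matter for the in-cluster scenario above:
      1. the `issuer` must equal the configured authority (trailing slash aside);
         using the k8s service name as authority while PublicOrigin is the external
         name fails here, and so does the reverse;
      2. every endpoint must sit under the issuer's origin, otherwise the client
         could be sent to a host it never agreed to trust.
    """
    problems = []
    doc = json.loads(document)
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/").lower() != authority.rstrip("/").lower():
        problems.append(f"issuer mismatch: authority={authority} issuer={issuer}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif _origin(url) != _origin(issuer):
            problems.append(f"{key} not under issuer origin: {url}")
    return problems


if __name__ == "__main__":
    # Client inside the cluster using the local service name as Authority: fails.
    print(check_discovery("http://identityserver.default.svc.cluster.local", SAMPLE_DISCOVERY))
    # Client using the external name, as the answer above does: succeeds.
    print(check_discovery("https://login.example.com", SAMPLE_DISCOVERY))
```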
Is it possible to use Azure Application Gateway to route incoming traffic to a URL/Port and append a path? I want to do this so can use Service Fabric reverse proxy lookup.
i.e. I have a listener on ms-company.domain.com and I want it to redirect to http://servicefabric.domain.com:19081/Company/Microservice/api/healthcheck
That way even if I change the port that the micro-service lives in the Reverse Proxy lookup will work.
This is possible with the recent URL path override feature. Please refer to sample template at https://azure.microsoft.com/en-us/resources/templates/201-application-gateway-path-override/
I created a secure service fabric and have full control. Only services developed by me will be deployed and all public facing apis are using https. The question is for communication between service to service in cluster, is it safe to use http instead of https?
Thanks,
This is related to how you set up your cluster with your network. Public facing services and internal services should be in different NSG networks. You should control communication between public and internal very strictly. If you can do that, then HTTP or any protocol between services is not a problem.
Personally, I prefer HTTP over remoting because there will be less dependency between services. Communication between services can be defined using Open API and therefore becomes vendor neutral.
There is a very good course on MVA on how to set up Service Fabric and best practices:
https://mva.microsoft.com/en-US/training-courses/16925?l=E5B3nJSGD_805167344
I recommend using service fabric remoting (instead of http). This can be secured using certificates, with little effort.
More info here: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reliable-services-secure-communication
I'm currently deploying on Cloud Foundry. Now I have a frontend server and a backend server.
Both deployed as micro services with the Cloud Foundry nodejs build pack.
I would like to hide the backend server from the outside world, that only my frontend server can access it. How do I do that?
If I remove the route to the backend server the server is hidden from the outside but then I do not know how to access it from my frontend.
I'm new to Cloud Foundry maybe there is an easy way.
Thanks
Andreas
Thanks for the information so far.
I do, however, not understand how I could now hide my backend instance from being accessed from the outside but allow access from the frontend.
Basically, what rule would I need to set in my space in order to allow only port 80 of my frontend instance to be accessed (let's say the frontend IP is 168.192.0.5)?
Could you make an example?
If you are using OSS Cloud Foundry, you can put the backend services into their own space, and then set the security group rules for that space so that they will not respond to outside IP addresses:
https://docs.pivotal.io/pivotalcf/adminguide/app-sec-groups.html
If you are using Pivotal Cloud Foundry, you can use Spring Cloud Service Discovery, as Amit said.
What about using "cf push myjavaapp --no-route"?
The no-route option tells Bluemix that your backend is not a web application.
Another solution to hide the back-end microservice from the public is to use containers (also available on Bluemix, based on Docker, see https://www.ng.bluemix.net/docs/containers/container_gettingstarted.html). Containers have a private IP by default and can access other containers in the same space. You can assign the front-end microservice a public IP using, e.g., the following command
cf ic ip bind {public_ip} {container_name}
but don't assign a public address to your back-end microservices.
(A few weeks ago I've created a simple example for a microservice in a container, you can find the code at
https://hub.jazz.net/project/matthiashub/bluemix-unistuttgart-container/overview I admit that this was done in Java and not in nodejs but I think you get the idea.)
Can a WCF RESTful service and a regular site/www service be hosted concurrently? Or do I need a separate machine to host WCF?
Thanks.
Yes, they can be hosted on the same machine (depending on whether you are using shared hosting). If you have the permission, you just need to bind them to different ports.
For example, if your website is hosted on port 80 (which is usually the default), then you can create another website on the same machine hosted on port 8080 for the WCF HTTP service.
If your website is a .NET app pool, you can even host the WCF service inside the same app pool as your website, by using a virtual directory.
Also, you can host multiple websites on the same port if you differentiate them by host headers.