I periodically review Azure PaaS resource edge security. As a part of that process I examine and cleanup AzureSQL firewall rules. Once you have more than a handful of subscriptions and AzureSQL databases, doing this manually starts becoming unfeasible. To that end, Azure Powershell is your friend…
As is typical, you need to install the Powershell AZ module on your workstation, after that you need to run.
Then supply your Azure credentials (preferably creds that have the ability to view and manage all of your AzureSQL databases and firewall rules, otherwise the rest is moot.
When your business hinges upon remote workers and remote offices, secure connections, and lots of data manipulation… how do you deal with some of your folks being extra remote? Granted the internet in 2020 is very different from the internet in say 2008 and the world has grown ever smaller as a result… but distance and all of the congested, intervening, network hops that come with it are still a reality. Particularly for remote workers living on other continents that have to interface regularly with systems in the United States as a part of their job.
The two big headaches for remote workers in other countries connecting to offices in the US are latency and bandwidth. In the past there were only and handful of solutions, most involving long-term contracts with a telcom and lengthy, complicated setups. I would argue that MPLS still falls squarely in this camp. SD-WAN has certainly improved on all of the above but it’s still enough of a headache that it typically involves contract terms and conversations with sales “engineers.”
I would like to propose something different using Azure.
The current state of the world has caused some unique stresses on IT infrastructure. For IT departments servicing internal teams, remote access infrastructure in particular has felt the brunt of the blow. To that end, I spent a couple of weeks testing out enterprise VPN solutions.
I had a recent requirement from one of our clients that took a little bit of tinkering to figure out… we will call our client Contoso LLC. and our project that we host for them we will call the “Cool Widget Project.”
We built a really neat widget of an application for Contoso to use and we are hosting it under a sub-domain of a domain we control. We needed to keep hosting it under this domain. However, our client, Contoso, wanted to hand out a link for their users to the new widget we built using an existing sub-domain from a domain they control. This was of course under their main domain, constosollc.com, and they already had existing users that came to the old version of the widget (built by another vendor) at widget.contosollc.com.
Our company was hosting the new widget app at widgetapp.appworks.net.
To further complicate things… our company appreciates security, likes fast DNS updates, and the app really benefits from using a CDN… so we are using Cloudflare to manage DNS for the appworks.net domain. Better yet, we also like the cloud, and this new widgetapp is actually an Azure Web App.
So there’s the situation…
We essentially need this to happen:
User visits widget.contosollc.com --> widgetapp.appworks.net.
Oh but this is Azure… so actually widgetapp.appworks.net is already a CNAME record and it actually points to widgetapp.azurewebsites.net. So it is this:
User visits widget.contosollc.com --> widgetapp.appworks.net --> widgetapp.azurewebsites.net.
To elaborate the above just a little bit more:
widget.contosollc.com (DNS from random provider) --> widgetapp.appworks.net (Cloudflare DNS, CNAME) --> widgetapp.azurewebsites.net (the DNS name provided by Azure for the application)
Simple right? Just get our client to create a CNAME record that points to widgetapp.appworks.net and move on with life… wrong…
I have been taking a free networking class from Stanford University’s online “open source” education platform. I have really been enjoying the first unit of the course as it has started filling in some gaps in the foundation of my understanding regarding networking, the internet, and TCP/IP. I highly recommend this to anyone that has been in IT for a while but has never taken a more “academic” approach to their work. Okay, so that is my plug for free education. You can check out more here if interested: https://lagunita.stanford.edu/
OSI 7-Layer Model, TCP/IP 4-Layer Model
One of the gaps in my understanding of networking has to do with the OSI 7-layer networking model and the more simplified TCP/IP 4-Layer model (which was developed by DARPA? and predates the OSI Model). I didn’t even realize there was anything other than the 7-Layer model until taking this class and furthermore didn’t realize that while the OSI model gets talked about and referenced more frequently, academia (I think… and perhaps the industry) is shifting to using the simpler 4-layer model for discussion, understanding, and development regarding networking. Please don’t take any of this as gospel truth, this is just my understanding based on coursework and reading. I also find it much easier to think about and reference the 4-layer model. If you are curious how the two compare, this technet article is an interesting read, Technet: TCP/IP Protocol Architecture. Okay, so for this article, I will be sticking with what I am most comfortable with at this point and will be talking about and referencing the 4-layer TCP/IP model and discussing how VPN works. (more…)