Web and Network

Azure Virtual Network

Azure Virtual Network is a representation of your own network in the cloud. A virtual network is a logical isolation of the Azure cloud dedicated to your subscription. You can connect virtual networks to other virtual networks, or to your on-premises network.

Virtual Networks can be partitioned into Subnets, and these can be protected by Network Security Groups (NSGs) that provide configurable firewalls between subnets and servers.

The Azure Virtual Network comes with an extensive range of virtual appliances, including load balancers and gateways.

Azure Virtual Networks and Subnets need to be created before creating Virtual Machines because new VMs must be placed on a Virtual Network/Subnet when they are created.

Subnets should be pre-configured to create security zones, to isolate environments and the various types of deployed resources. For example:

Subnet role           Development     Environment 2   Environment 3
Web Servers           172.20.10.*     172.20.20.*     172.20.30.*
Application Servers   172.20.11.*     172.20.21.*     172.20.31.*
Database Servers      172.20.12.*     172.20.22.*     172.20.32.*

(The second and third environments are not named on this page; the Web Servers range for Environment 2 is corrected from 172.20.22.*, which collided with that environment's Database Servers range, to 172.20.20.*, following the numbering pattern of the other columns.)

Communication between subnets should be controlled with firewalls, Network Security Groups or a virtual appliance. Communication between environments should be blocked. Internet access should be blocked; the only exception is HTTPS (TCP port 443), which should be allowed only for the Web Servers subnet.

A Network Security Group is the equivalent of a simple stateful packet filter (a layer-3/4 firewall or router ACL): each rule matches on source and destination address, destination port and protocol, rules are evaluated in ascending priority order, and the first match wins. NSGs perform no protocol validation and provide no intrusion prevention capability. Note also that the default rules present in every NSG allow all traffic between addresses inside the VNet (AllowVnetInBound/AllowVnetOutBound) and all outbound traffic to the Internet (AllowInternetOutBound); the isolation described above is therefore only achieved by adding explicit Deny rules at a higher priority than the defaults.
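The following is an added example, not code from the original document or from TRELLIS. It models NSG evaluation (priority order, first match wins, Azure's six default rules, outbound NSG at the source subnet then inbound NSG at the destination) and compares two rule sets over the first environment's subnets from the table plus the second environment's database subnet: NSGs that carry only the default rules, and a zoning rule set that allows one path into and one path out of each subnet and then denies all other VNet and Internet traffic. The VNet address space 172.20.0.0/16, the application port 8080, the SQL port 1433, the rule names and the sample addresses are constructed assumptions; the default rules and the load-balancer probe address 168.63.129.16 are Azure's own.

```python
"""Model of Azure NSG rule evaluation for the subnet zoning described above.

Added example. Constructed assumptions: VNet 172.20.0.0/16, application port
8080, SQL port 1433, rule names and sample addresses. Default rules are Azure's.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Optional

VNET = ip_network("172.20.0.0/16")        # assumed VNet address space
AZURE_LB = ip_address("168.63.129.16")    # Azure Load Balancer health-probe source

SUBNETS = {                               # ranges from the zoning table
    "dev-web": ip_network("172.20.10.0/24"),
    "dev-app": ip_network("172.20.11.0/24"),
    "dev-db":  ip_network("172.20.12.0/24"),
    "env2-db": ip_network("172.20.22.0/24"),   # second environment's database subnet
}


@dataclass(frozen=True)
class Rule:
    priority: int    # custom rules use 100-4096; the lowest number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR or service tag: "VirtualNetwork", "Internet", "AzureLoadBalancer", "*"
    dest: str
    port: str        # destination port: "443", "1000-2000" or "*"
    name: str = ""


# Azure's default rules, present in every NSG and evaluated after the custom rules.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*", "AllowVnetInBound"),
    Rule(65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "AllowAzureLoadBalancerInBound"),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", "*", "DenyAllInBound"),
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*", "AllowVnetOutBound"),
    Rule(65001, "Outbound", "Allow", "*", "*", "Internet", "*", "AllowInternetOutBound"),
    Rule(65500, "Outbound", "Deny", "*", "*", "*", "*", "DenyAllOutBound"),
]


def _match_addr(spec: str, addr: IPv4Address) -> bool:
    """Match an address against a CIDR or a simplified service tag."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":   # simplification: anything outside the VNet except the probe source
        return addr not in VNET and addr != AZURE_LB
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ip_network(spec)


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom: List[Rule], direction: str, proto: str,
             src: IPv4Address, dst: IPv4Address, port: int) -> Rule:
    """Return the first matching rule in priority order; a DenyAll default always matches."""
    for rule in sorted(custom + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", proto):
            continue
        if _match_addr(rule.source, src) and _match_addr(rule.dest, dst) and _match_port(rule.port, port):
            return rule
    raise RuntimeError("unreachable: DenyAll default rule did not match")


def subnet_of(addr: IPv4Address) -> Optional[str]:
    return next((name for name, net in SUBNETS.items() if addr in net), None)


def flow_allowed(nsgs: Dict[str, List[Rule]], src: str, dst: str, port: int, proto: str = "Tcp") -> bool:
    """Azure applies the source subnet's Outbound NSG, then the destination subnet's
    Inbound NSG; both must allow. NSGs are stateful, so the reply needs no rule."""
    s, d = ip_address(src), ip_address(dst)
    src_sub, dst_sub = subnet_of(s), subnet_of(d)
    if src_sub and evaluate(nsgs.get(src_sub, []), "Outbound", proto, s, d, port).access == "Deny":
        return False
    if dst_sub and evaluate(nsgs.get(dst_sub, []), "Inbound", proto, s, d, port).access == "Deny":
        return False
    return True


def zone_rules(inbound_from: Optional[str], in_port: str,
               outbound_to: Optional[str], out_port: str) -> List[Rule]:
    """Zoning pattern: permit one inbound and one outbound path, then deny all other
    VNet traffic and all Internet egress so the permissive defaults are never reached."""
    rules: List[Rule] = []
    if inbound_from:
        rules.append(Rule(100, "Inbound", "Allow", "Tcp", inbound_from, "*", in_port, "allow-in"))
    if outbound_to:
        rules.append(Rule(100, "Outbound", "Allow", "Tcp", "*", outbound_to, out_port, "allow-out"))
    rules += [
        Rule(4000, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*", "deny-other-subnets-in"),
        Rule(4000, "Outbound", "Deny", "*", "*", "VirtualNetwork", "*", "deny-other-subnets-out"),
        Rule(4010, "Outbound", "Deny", "*", "*", "Internet", "*", "deny-internet-out"),
    ]
    return rules


DEFAULT_ONLY: Dict[str, List[Rule]] = {}   # NSGs with no custom rules at all
ZONED = {
    "dev-web": zone_rules("Internet", "443", "172.20.11.0/24", "8080"),
    "dev-app": zone_rules("172.20.10.0/24", "8080", "172.20.12.0/24", "1433"),
    "dev-db":  zone_rules("172.20.11.0/24", "1433", None, "*"),
    "env2-db": zone_rules("172.20.21.0/24", "1433", None, "*"),
}

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "172.20.10.4", 443), ("172.20.10.4", "172.20.12.4", 1433),
                           ("172.20.11.4", "172.20.22.4", 1433), ("172.20.11.4", "203.0.113.7", 443)]:
        print(f"{src:>14} -> {dst}:{port}  defaults={flow_allowed(DEFAULT_ONLY, src, dst, port)}"
              f"  zoned={flow_allowed(ZONED, src, dst, port)}")
```

Running it shows the caveat in the paragraph above: with default rules only, inbound Internet traffic is already blocked, but a web server can open a database connection directly, a Development application server can reach the second environment's database subnet, and any VM can reach the Internet. The zoned rule set closes all three while keeping the load-balancer health probe (default rule 65001) working, because the custom Deny rules are scoped to the VirtualNetwork and Internet tags rather than to `*`.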

IP addresses on the VNet are assigned to VMs by the Azure DHCP service. Every VNet also gets Azure-provided DNS, which gives basic name resolution for all VMs on the same Virtual Network. This service is not configurable: you cannot create your own records. Microsoft recommends deploying custom DNS servers (configured as the VNet's DNS servers) if customization is required.

Azure API Gateway and Load Balancing

TRELLIS uses Azure API Management to protect Web APIs and will extend this by placing an Azure Application Gateway in front of it for customers that have higher usage and security requirements.

The API Management service can be deployed into a Virtual Network in internal mode, which makes its gateway, developer portal and management endpoints reachable only from within the Virtual Network. Azure Application Gateway (WAF SKU) is a PaaS layer-7 load balancer: it acts as a reverse proxy and provides a Web Application Firewall (WAF).

Combining API Management provisioned in an internal-mode VNet with an Application Gateway front end permits the following scenarios:

Azure API Management

TRELLIS implementations use the following features of Azure API Management (Standard tier):

TRELLIS Web API interfaces will be captured as Swagger (OpenAPI) or WADL definitions and imported into Azure API Management.

Azure Application Gateway

Azure Application Gateway provides application-level (layer-7) routing and load balancing that let you build a scalable and highly available web front end in Azure.

The Application Gateway WAF helps protect your application from common web vulnerabilities and exploits such as SQL injection and cross-site scripting, using rules based on the OWASP Core Rule Set. Individual rules can be disabled or adjusted to reduce false positives.

TLS (SSL) offload terminates TLS at the gateway, so backend servers are spared the handshake cost and certificates are managed in one place. Note that with plain offload the hop from the gateway to the backend is unencrypted; where that hop crosses a trust boundary, configure end-to-end TLS so the gateway re-encrypts traffic to the backend pool.

Application Gateway integrates with Azure Traffic Manager to support multi-region redirection, automatic failover and zero-downtime maintenance. It is also integrated with Azure Load Balancer to support scale-out and high availability for both Internet-facing and internal-only web front ends.

Azure Content Delivery Network (CDN)

The Azure Content Delivery Network serves frequently accessed static content (such as images and videos) from edge locations close to the user. This offloads bandwidth from the data center network and reduces latency for the end user.

By default, a single Azure subscription is limited to eight CDN profiles. Each CDN profile is limited to ten CDN endpoints. You can map a custom domain to a CDN endpoint using a CNAME record to use your own domain name in URLs to cached content, rather than using a subdomain of azureedge.net. For example, when integrated with Azure Storage, the address for a cached blob will be: http://.azureedge.net//