How would one make a TCP connection from an Azure PaaS hosted Web Sites to a Worker Role? That's deployed in one virtual network. Can this be done without opening an Input Endpoints, Internet facing port on the worker role? It looks like WebSites cannot currently be part of virtual network deployments as per Azure Virtual Network FAQ:
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
If it helps discussion, I have the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
<edit: I found a really good post regarding this matter Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint to the worker role and then restrict access to it only from the WebSites deployment. However, it looks like a lot of work to do, and hops over the networking elements like a load-balancer, and perhaps I'd need to find out the Web Sites deployment IP.
Am I off-base and there's a simple way to connect a WebSites to a Azure computer role via TCP connection?
Network configuration
<VirtualNetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
</DnsServers>
</Dns>
<VirtualNetworkSites>
<VirtualNetworkSite name="XyzVNet" Location="North Europe">
<AddressSpace>
<AddressPrefix>10.0.0.0/8</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Sub1">
<AddressPrefix>10.0.0.0/11</AddressPrefix>
</Subnet>
</Subnets>
<DnsServersRef>
<DnsServerRef name="XyzVnetDns" />
</DnsServersRef>
</VirtualNetworkSite>
</VirtualNetworkSites>
Cloud service configuration
<NetworkConfiguration>
<VirtualNetworkSite name="XyzVNet" />
<AddressAssignments>
<InstanceAddress roleName="Xyz.ComputeRole">
<Subnets>
<Subnet name="Sub1" />
</Subnets>
</InstanceAddress>
</AddressAssignments>
You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACL's) on the worker role's input endpoints.
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.
There are now two ways to connect to resources in your Azure VNET from your Azure Website. You can find details written up in several blogs.
The Hybrid Connections capability involves you downloading a relay agent that can access both Azure and your desired endpoint. This works for access to resources in your VNET or in any other network for that matter. You can install the agents on premise to enable TCP access to resources there. Each Hybrid Connection endpoint you define can only provide access to a single host:port. You can have 5 endpoints for free and if you need more you can pay to get them.
The VNET Integration capability allows you to access resource in your VNET. Under the cover it is using point to site technology to do this so your VNET needs a dynamic routing gateway and you need point to site to be enabled. If you also use site to site VPN to connect your on premise network to your VNET you can then access on premise resources.
None of these methods provide private access to your website. They only are intended to enable your website to access resource in other networks. Both features are also currently in preview and are being improved upon.
If you would like details on either there are a number of blogs and documents online. For an example you can refer to this one: using vnet or hybrid connections with Azure websites
来源:https://stackoverflow.com/questions/24475988/how-to-connect-azure-web-sites-to-a-worker-role-tcp-through-a-regional-vnet