none
Accessing Azure Management APIs from within Azure Websites

    Question

  • I'm trying to access the Azure Management APIs from within an Azure Website, however the moment I make a web request in Azure, I get an error which bypasess any logic I have for the catch block surrounding the code making the web request..

    You can repro this with by clicking the button on the below ASPX page.  When run locally, ASP.Net prints out an error (see below).  In Azure websites however, I get back a 502 error (below) which confuses me for two reason:

    1. The web call is made in a try/catch block.  Therefore the exception should have been handled
    2. If the error was in making a web request, I would have expected a 500 error from asp.net, rather than a 502 from IIS.

    I am sure this issue is caused specifically by making a call to management.core.windows.net, because making either of the below two changes stops the 502 response, and I instead get the WebException output on the page itself.

    • Change the url on line 21 to another domain
    • Change the contents of the try block on line 29 to return a hardcoded string.

    Local Response

    ERROR: System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
       at System.Net.WebClient.DownloadString(Uri address)
       at ASP.default_aspx.AzureManagementCall(String endpoint, String method, String body) in d:\Telligent\SVN\AzureManageTest\AzureManageTest\default.aspx:line 37

    (This error is expected because I didn't provide a valid certificate to.  I excluded the code for adding the certificate as it adds a lot of code, and isn't strictly nessescary to reproduce the issue)

    Response in Azure Websites

    Server Error

    <fieldset style="padding:0px 15px 10px;">

    502 - Web server received an invalid response while acting as a gateway or proxy server.

    There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

    </fieldset>

    Sample Code

    <%@ Page Language="C#" AutoEventWireup="true"  %>
    <%@ Import Namespace="System.IO" %>
    <%@ Import Namespace="System.Net" %>
    <%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
    <%@ Import Namespace="System.Xml.Linq" %>
    
    <script runat="server">
    		private readonly Guid _subscriptionId = new Guid("0b23da9e-640a-4683-b7c6-7509eb10f68e");
    
    		protected void Button1_Click(object sender, EventArgs e)
    		{
    			var siteInfo = AzureManagementCall("locations", "GET");
    
    			Response.Write("<pre>");
    			Response.Write(HttpUtility.HtmlEncode(siteInfo));
    			Response.Write("</pre>");
    		}
    
    		private string AzureManagementCall(string endpoint, string method, string body = null)
    		{
    			var requestUri = new Uri("https://management.core.windows.net/"
    									+ _subscriptionId.ToString()
    									+ "/services/"
    									+ endpoint);
    
    			var client = new WebClient();
    			try
    			{				
    				return client.DownloadString(requestUri);
    			}
    			catch (Exception ex)
    			{
    				return "ERROR: " + ex.ToString();
    			}
    		}
    </script>
    <form runat="server">
    	<h2>Azure Management Test</h2>
    	<asp:Button ID="Button1" runat="server" onclick="Button1_Click" Text="List Locations" />
    </form>
    • Edited by Alex Crome Sunday, July 29, 2012 7:13 PM
    Sunday, July 29, 2012 7:01 PM

Answers

  • We are aware of this issue and working on addressing this for websites. This should work just fine from Web Role.

    Thanks

    AJ


    Apurva Joshi, This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, August 23, 2012 4:56 PM
    Owner

All replies

  • A few other things to add

    1. After enabling Failed Trace REquest Logging, nothing shows up for the 502 error
    2. After enabling Detailed error logging, again nothing shows up
    3. The POST requests for the button click are not even logged in the HTTP Logs
    4. If you repeat the request a few times in a short period, you start getting 503 errors.

    I'm now suspecting that somehow accessing the Azure Management APIs from within Azure Websites is causing the worker process to crash:

    • the 'Rapid Failure protection settings in IIS mean that repeated worker process crashes within a short time interval cause 503 errors.
    • A crash would likely prevent the failed request being logged in the HTTP Logs (3)
    • A crash would also explain why the catch logic around the http request gets ignored
    Sunday, July 29, 2012 7:42 PM
  • Hi, Alex. I looked up the exception using your subscription ID, and the problem you're having is caused by a failed network connection to one of the back-end servers. I'm not sure what's causing that, but I suspect it may be caused because you aren't authenticated. You are required to be authenticated in order to make this request.

    Ultimately, I think you're going to have to resolve the issue with the certificate before you can move forward. Have you reviewed the documentation and sample code for authenticating Azure Management requests?


    Jim Cheshire | Microsoft

    Tuesday, July 31, 2012 6:04 PM
    Moderator
  • Hi Alex,

    I have reproduced and debugged this issue. To keep the technical details short, Website virtual machines are sandboxed. We block bunch of system level APIs to enhance the security of dense hosting. It seems like we are blocking SEC_I_RENEGOTIATE calls on Websites virtual machines. This is resulting in access violation inside w3wp.exe process and hence the issue. I have engaged the developers to further investigate this issue and update you with the results as soon as I hear from them.

    Thanks much for reporting this issue.

    AJ


    Apurva Joshi, This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, July 31, 2012 11:43 PM
    Owner
  • I appear to be having the same issue with a request to a payment provider from inside an azure website.

    All the OP points about catch blocks and error logs being skipped are the same. It works locally fine but crashes out with 502 causing the website to restart when on azure.

    Please let me know if this is azure blocking the provider.

    I have posted more information about the bug here 

    http://stackoverflow.com/questions/12057646/502-requesting-payment-service-inside-azure-website

    Thursday, August 23, 2012 12:49 PM
  •    
    
    
    public class TestController : BaseController    
    {        
    
    public string test()       
     {            
    try            
    {                var webClient = new WebClient();                var stream = webClient.OpenRead("https://paltest.adyen.com/pal/servlet/soap/Payment");                var streamReader = new StreamReader(stream);                return streamReader.ReadToEnd();            }            catch (Exception exp)            {                errorResult(exp);            }            return formattedResult(result);        }    }
    

    The the test method of this controller when deployed to azure websites causes the site to crash and restart.

    Whilst the adyen url requires basic auth the crash happens before that is required and whether it is provided or not.

    Presumably adyen  (like many other sites?) requires part of the HTTP protocol like SEC_I_RENEGOTIATE which MS has left out.

    What can be done about this.

    Do i have to run my site as a web role? will this method work in a web role?


    Thursday, August 23, 2012 2:31 PM
  • We are aware of this issue and working on addressing this for websites. This should work just fine from Web Role.

    Thanks

    AJ


    Apurva Joshi, This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, August 23, 2012 4:56 PM
    Owner