Windows Azure DMZ

  • Question

  • Hello Everyone,

    So I'm in the process of creating an ADFS infrastructure. All going good so far: I have 2 domain controllers, 1 DirSync, 2 ADFS, and 2 WAP servers.

    Now, since the WAP servers are going to be facing the internet directly, we have to put them in a DMZ, and I'm not sure how to create that in Azure.

    I already have a virtual network connected to our on-premise network. Do I have to create a new one for the DMZ? And how am I supposed to create the access lists so that only the ADFS servers are allowed to access the WAP servers?


    Friday, September 19, 2014 8:41 PM

Answers

  • Hi,

    This is not a perfect way of building a DMZ. You would create separate networks for each of the services, and then put the servers into separate clouds. This way you can use ACLs on the public-facing endpoints to get the DMZ feeling.

    Another thing is that the WAP servers are not facing the internet directly. The traffic first hits the Load Balancer/Firewall from Microsoft Azure. This means that the requirement for a DMZ in Azure isn't as important as it would be on-premises. At least that's my opinion. If you also run a strict policy on the servers, you are safe.

    I hope this clarifies a bit :)


    /Anders Eide

    Monday, September 22, 2014 4:54 AM
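As an added example (not code from Anders' post or from the linked articles), this is how the endpoint ACL he describes would be attached to a WAP VM's public HTTPS endpoint using the classic (Service Management) Azure PowerShell cmdlets of that era, permitting only the ADFS servers' range as the question asks. The cloud service name, VM name, endpoint name and ADFS address range are placeholders.

```powershell
# Added example, not part of the original thread. All names and addresses below
# are placeholders (assumptions); replace them with your own environment's values.
$serviceName  = "wap-cloudservice"   # classic cloud service hosting the WAP VMs
$vmName       = "WAP01"
$endpointName = "https"              # existing TCP 443 endpoint on the VM
$adfsSubnet   = "10.1.2.0/24"        # placeholder: address range of the ADFS servers

# Build an ACL with a single Permit rule. Endpoint ACLs are implicit-deny once a
# Permit rule exists, so every source address outside $adfsSubnet is blocked.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $adfsSubnet `
    -Order 100 -Description "Only the ADFS servers may reach the WAP endpoint"

# Attach the ACL to the endpoint and push the updated configuration to the VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -Protocol tcp -LocalPort 443 -PublicPort 443 -ACL $acl |
    Update-AzureVM

# Check: list the rules now in effect on the endpoint.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpointName
```

The same rule shape applies to any other public endpoint on the VM (for example a management endpoint restricted to the on-premises range). As the original poster notes later in the thread, endpoint ACLs were not supported at the time on VMs connected to a virtual network, so this only helps for VMs placed in a cloud service outside the VPN-connected network.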

All replies

  • Hi,

    This blog post goes into detail on how you should configure ADFS in Azure.
    http://blogs.technet.com/b/abizerh/archive/2013/11/19/adfs-on-azure-vms.aspx

    You could create something that feels like a DMZ in Azure by leveraging multiple networks and cloud services, and then configuring ACLs on the endpoints. http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/

    I hope this answers your question :)


    /Anders Eide

    Saturday, September 20, 2014 10:11 AM
  • Hi,

    Adding to Anders' reply, you can also look at the following link and let us know if it helps.
    http://www.rajinders.com/2013/06/11/setting-up-dmz-in-windows-azure/

    Regards,
    Nithin.Rathnakar
    ------------------
    Disclaimer: This response contains a reference to a third party World Wide Web site.
    Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
    There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Saturday, September 20, 2014 10:41 AM
  • Appreciate your reply, but I have made my Google searches before posting here, and unfortunately, those two links I have already seen and neither one works for my case.

    ACLs are not supported on virtual machines that are connected to a virtual network... so I already have a virtual network connected to my on-premise network via VPN. If I create another network for the DMZ, how am I supposed to connect both networks together?

    Sunday, September 21, 2014 3:55 AM