VM website hosting

Question
-
So I got my Azure VM preview set up, the persistent one. Now I am trying to figure out how to host websites that are mostly in PHP. Is there a way I can have additional dedicated IPs yet?
Another question I have is regarding security. Does Microsoft take care of DDoS and other attacks against the IPs assigned to the VMs? What's the best way to secure the VM in an Azure environment to defend against DDoS and other hacking attempts? Any recommendations on affordable security implementations?
Monday, June 11, 2012 4:16 AM
Answers
-
Hi Vinith,
You can use an IP:port combination to host multiple sites, or use host headers. Setting up host headers is no different from on-premise IIS.
http://technet.microsoft.com/en-us/library/cc753195(v=WS.10).aspx
Below are the details regarding DoS and security best practices.
Denial of Service
Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.
Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.
http://technet.microsoft.com/en-us/edge/Video/ff945095
http://technet.microsoft.com/en-us/edge/video/data-security-in-azure-part-1-of-2
http://technet.microsoft.com/en-us/edge/video/data-security-in-azure-part-2-of-2
Security best practices
http://blogs.technet.com/b/gfs/archive/2009/05/27/securing-microsoft-s-cloud-infrastructure.aspx
Hope this helps!
- Edited by Narahari Dogiparthi [MSFT] Monday, June 11, 2012 6:41 AM
- Proposed as answer by Narahari Dogiparthi [MSFT] Monday, June 11, 2012 6:41 AM
- Marked as answer by Drew McDaniel [MSFT] Monday, June 11, 2012 7:08 AM
Monday, June 11, 2012 6:40 AM
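The host-header setup described in the answer above, as an added example that is not part of the original thread: two IIS sites share one IP address and port 80 and are told apart by the HTTP Host header, followed by a check for bindings that collide or that have no host header (a binding with an empty host header receives requests whose Host value matches no other site on that IP and port). The site names, host names and paths are hypothetical.

```powershell
# Added example, not from the original thread.
# Site names, host names and paths below are hypothetical placeholders.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'shop'; HostHeader = 'shop.example.com'; Path = 'C:\inetpub\shop' },
    @{ Name = 'blog'; HostHeader = 'blog.example.com'; Path = 'C:\inetpub\blog' }
)

foreach ($s in $sites) {
    # Create the content directory if it does not exist yet
    if (-not (Test-Path $s.Path)) {
        New-Item -ItemType Directory -Path $s.Path | Out-Null
    }
    # Create the site only once; both sites listen on port 80 of the same IP
    # and differ only in the host header of their binding
    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -Port 80 -HostHeader $s.HostHeader `
                    -PhysicalPath $s.Path | Out-Null
    }
}

# bindingInformation has the form "IP:port:hostname"
$bindings = Get-WebBinding -Protocol http

# Flag any IP:port:hostname triple that is configured more than once;
# IIS cannot start two sites on an identical binding
$bindings |
    Group-Object -Property bindingInformation |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate binding: $($_.Name)" }

# Flag bindings with an empty host header: these act as a catch-all
# for requests whose Host header matches none of the named sites
$bindings |
    Where-Object { $_.bindingInformation -match ':$' } |
    ForEach-Object {
        Write-Warning "Catch-all binding (no host header): $($_.bindingInformation)"
    }
```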
All replies
-
Thanks Hari, I suppose then there is no way to buy additional IPs, at least yet? This might be problematic when hosting multiple websites that require SSLs?
I need to read the blogs you have posted links for regarding the security, so it looks like MS is taking care of most of the DDoS. I think I will not have any control over the DDoS since I don't have access to the infrastructure, right? Sorry, think of me more as a business decision maker than an IT guy :D
Perhaps I can only purchase some software or cloud-based firewall service to protect the persistent VPSes in the Azure platform? Maybe this can't mitigate the DDoS still, I think, as that will need to be taken care of before hitting the VPS, in the network infrastructure itself?
Thanks Hari.
-Vin.
Monday, June 11, 2012 12:31 PM