DEV Community

loading...
Cover image for Securing Azure SignalR +Azure App Service - Part 2

Securing Azure SignalR +Azure App Service - Part 2

Jayendran Arumugam
MCT | Cloud Architect | Azure | AI Eng | DevOps | Stackoverflow | Technical Writer | Power BI Super User | Learner | @Gartner
・4 min read

In the previous part, we saw the basics of azure signalr connections. In this part we are going to see how to secure the connection between azure signalr and web app.

Let us secure our Azure SignalR Service

Azure SignalR Security features

By the design itself Azure signalr service has a public endpoint that is accessible through the internet, and it currently does not support deploying directly into a virtual network and allowing IP address because of this you cannot leverage certain networking features with the offering's resources such as network security groups, route tables, or other network dependent appliances such as an Azure Firewall.

However, it allows you to create private endpoints to secure the traffic between resources in your virtual network and Azure SignalR Service.

You can also use Service tags and configure network security group rules to restrict inbound/outbound traffic to Azure SignalR Service.

Since in our POC we are using Azure Web app, which is internal to azure, so we are going to leverage the private endpoint to secure the internal connectivity and restricting the entire public internet access.

Default network access control(NAC) will looks like below

image

Here we are opening/allowing the Server and Client Connection to the open internet(entire public).The rest of connections like Rest API and Trace API will be denied by the Default Action setting

By the way the Trace / REST API are a new connection still in development phase, as of now there is no official docs from Microsoft yet

We are going to update this default setting as per our POC configurations.

Architecture Design

Alt Text

Securing connection between Azure SignalR and Web App

Our requirement is to connect the azure signalr from azure webapp. The Azure Web App can be accessible from internet. So, the way we need to configure the NAC will be like

  1. Configure the public network rule to only allow Client Connections from the public network

    image

  2. For the Server connection we need to configure it privately using the private endpoint and allow the Server Connection from that private endpoint connection, i.e., we should not allow the Server connection from the public network

    This step involves a series of other steps to be configured on azure app service as well, let us see that.

Configuring VNet

  1. First we need a Virtual Network (VNet), which should be in the same location as your App services and azure Signalr. In my case it would be Central US
    • vnet-cus image
  2. Create 2 subnets inside the VNet, one for our Web App and another for Private Endpoint (azure signalr)
    • public-subnet
    • private-endpoint-subnet image

Integrating Azure App Service with VNet

  1. Configure the VNet Integration on our Web App, i.e., Integration with vnet-cus and public-subnetimageimage

Configuring Private endpoint on Azure SignalR

  1. From Azure signalR menu, => Private endpoint connections and create a new Private Endpoint
    image

  2. Configure the Private endpoint like below

    • Basic (note that the Region should be same as your VNet) Alt Text
    • Resource (Choose your SignalR service as your Resource) Alt Text
    • Configuration (choose subnet as private-endpoint-subnet) Alt Text
  3. Once you created your private endpoint connection the state should be in Approved- since I'm the actually the owner of the subscription it gets auto-approved for me, if you are not seeing approved state, please reach out to the resource owner

image

Configuring NAC on Azure SignalR

  1. As we now have an approved private endpoint connection, it is time to secure our Server connection via private endpoint

image

Testing

Well, that is it, we have secured the connectivity between our azure web app and azure signalr.

But WAIT? How can I make sure that my Web app is using the private endpoint and not the internet for the Azure SignalR connectivity?

I am glad you asked this question, let us find it out.

From my Azure Web App, I tried to nameresolve the azure signalr service.

> nameresolver signalrsevice.service.signalr.net

image

If we see the output , it is returning the private IP 10.2.1.4 of the signalr resource which confirms that connection to signalr is private and not public.

In the next part we will see the concepts related to signalr Infrastructure using terraform 💪

Discussion (3)

Collapse
robertlyson profile image
Robert

Thanks Jayendran, really comprehensive and details tutorial. Thanks for sharing!

I followed your steps and used the same configuration details for vnet and subnets but unfortunately at the end when I try to resolve SignalR name from App Service instance console I'm getting public IP instead of private one. I tried to ping (with tcpping) SignalrR service by private IP which I got from connected devices tab from virtual network details, but that's end up with connection time out.

Any suggestions what I may have missed or how to debug the issue?

Collapse
robertlyson profile image
Robert • Edited

I just deleted private endpoint and private dns zone, recreated private endpoint and .. it started to work 😑🥳

Collapse
jayendran profile image
Jayendran Arumugam Author

hmm. glad it worked for you atlast :)