I understand that in Windows Azure you can add VMs to a virtual network, but I don't see the option to add a website to a network.
What is the recommended way of securing access to a VM (MongoDB) from an Azure website?
I would much prefer to have the DB behind some sort of firewall rather than traffic going through the public internet.
Edit: the VM will be hosting MongoDB, so using SQL Azure or other MSSQL solutions isn't an option.
Old question, but this is now supported by Microsoft Azure: http://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/
EDIT: First, make sure you've set up your VNET and have added a gateway (for some reason, adding the gateway takes a very long time... make sure you let it finish before you proceed).
The gateway can be added in the portal as well.
Then, and you have to use the new Preview Portal for this, browse for your web app and scroll down to the Networking section and click on the "Virtual network" button. Then, find your VNET under the list of existing connections. If you don't see it, then your gateway isn't set up correctly.
I'm not sure I understand your question but I will try to answer it. An approach is to create a VM (IaaS) that will host your Web Site, e.g. an MVC 3 Application. (Create two of these and then Load Balance them in Azure.) Create another VM (IaaS) and this will be your DB VM, e.g. SQL Server. A connection string from your Web Site will allow you to talk to your DB Server.
When a user hits your site they will not be able to see your DB as it's not publicly exposed; they will only see port 80 that you have opened for your Web Site to be browsable. You have effectively created a secure Web Site that people can browse via port 80 with no access to your DB Tier.
The above model uses IaaS for everything; you could also do a PaaS/IaaS where you have a Web Site running in Azure PaaS (Web Role) and you have a DB running (e.g. SQL Server) on an IaaS machine. Again all traffic will hit your public facing Web Site, the Web Site will have a connection string to point to your IaaS instance and only that will be able to communicate with your DB instance.
There are more ways to solve this, via WAWS (Windows Azure Web Sites), which offers MySQL (announced today), and also using SQL DB in Azure.
If you explain your exact requirements then we can direct you better.
I'm still not clear on your Virtual Network part and what sits where?
If you are looking to use networking and your own database in a Virtual Machine, it is best to start with reserved websites. A shared website may not be a good idea due to resource limitations and other restrictions.
If your DB is MongoDB, then you have two options:
Have your ASP.NET MVC application running in a Virtual Machine (Windows Server + IIS + your app - IaaS) and have MongoDB running on another Virtual Machine. If both machines are in the same DC, you don't need to fiddle with networking.
Have an Azure ASP.NET MVC Web Role (PaaS) and a Virtual Machine where MongoDB is running (IaaS).
In both cases you just need to configure a connection string to connect to MongoDB and there is no extra network modification needed to make it work as all machines are inside the same DC.
You cannot add a Windows Azure Web Site to a virtual network comprised of other Windows Azure deployments.
As long as your database resides within the same datacenter, a virtual network isn't needed. If you create a Windows Azure Web Site, you can simply talk to a Windows Azure SQL Database - just set one up through the portal, get the connection string and credentials, and add it to your app. In fact, when you create a Web Site from the gallery (that uses SQL Server vs MySQL) you're asked to either create a new database or select an existing one.
In the portal, you can easily create your own database (this is database-as-a-service, and takes only a few seconds). Once you do, you can enable the firewall rule to allow Windows Azure services to access it. Then don't add any further firewall rules. At this point, only Windows Azure services could even find your database, and only services knowing the credentials can connect to it.
As @user728584 suggested, you could also run a database within a Virtual Machine, but you'd then have to access it via public IP address. If you access a database on-premises, you'd have the same issue, as there's no way to install a VPN client into an Azure Web Site. You can do this with a web application hosted in a Web Role (you can do pretty much anything).
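Added example, not part of any post above and not Azure or MongoDB project code: the thread turns on whether the web app reaches MongoDB over a VNet-private address or a public IP, so this Python audit reads a `mongodb://` connection string and reports public hosts, missing credentials and disabled TLS. The function names, the default RFC 1918 ranges and the sample connection strings are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

# RFC 1918 space, where virtual network addresses are normally allocated.
# Assumption: replace with your VNet's actual address space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_host(entry, vnet_ranges=RFC1918):
    """Classify one host[:port] entry as 'private', 'public' or 'hostname'."""
    if entry.startswith("["):                  # bracketed IPv6 literal
        host = entry[1:entry.index("]")]
    else:
        host = entry.rsplit(":", 1)[0]         # drop the port if present
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "hostname"                # needs DNS resolution to judge
    inside = any(ip in net for net in vnet_ranges)
    return host, "private" if inside else "public"

def audit_mongo_uri(uri, vnet_ranges=RFC1918):
    """Report how a mongodb:// connection string exposes the database."""
    if not uri.startswith("mongodb://"):
        raise ValueError("expected a mongodb:// connection string")
    authority, _, tail = uri[len("mongodb://"):].partition("/")
    _creds, at, hosts = authority.rpartition("@")
    opts = {k.lower(): v[-1].lower()
            for k, v in parse_qs(tail.partition("?")[2]).items()}
    tls = opts.get("tls", opts.get("ssl", "false")) == "true"
    verdicts = dict(classify_host(h, vnet_ranges) for h in hosts.split(","))
    findings = []
    if not at:
        findings.append("no credentials in connection string")
    for host, kind in verdicts.items():
        if kind == "public":
            findings.append(f"{host}: public address" + ("" if tls else ", TLS off"))
        elif kind == "hostname":
            findings.append(f"{host}: hostname, resolve and re-check")
    return {"tls": tls, "hosts": verdicts, "findings": findings}

# Constructed sample connection strings (not from the page).
SAMPLES = [
    "mongodb://app:s3cret@10.0.1.4:27017/shop",
    "mongodb://203.0.113.10:27017/shop",
    "mongodb://app:s3cret@203.0.113.10:27017,10.0.1.5/shop?ssl=true",
]

if __name__ == "__main__":
    for number, sample in enumerate(SAMPLES, 1):   # avoid echoing credentials
        print(number, audit_mongo_uri(sample)["findings"])
```

An empty findings list means every listed host is inside the given ranges and credentials are present; it does not prove the VM's MongoDB port is closed to the internet, which still has to be checked on the VM endpoint and firewall.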