Securely connect to remote private applications FROM Azure Functions/API's

AzureFunctions-1.gif

 

NetFoundry provides a seamless connectivity for app to app integration TO/FROM Azure PaaS. While this may be a new concept for cloud, serverless compute requires access to remote Data Centers, Public Clouds and/or users. We have found that Dev/Ops and certain PaaS functionality requires bi-directional connectivity models that do not traverse the Public Internet. This is the 2nd part of a solution set where we specifically focus on configuring the Azure Vnet to forward remote cloud destined traffic through the NetFoundry Edge Router.

 

NFJust-Text-Blue.png

 

The NetFoundry Platform is a highly  secure overlay network that creates a "Dark" network for your DevOps workloads and associated API connections from the Azure Functions Platform.  The NetFoundry Edge Router and associated platform documentation can be found in our Docs and Guides section of our support portal. Deployment in Azure is simple by searching the Azure Marketplace for "NetFoundry"

 

Simple solution sample:

 

 

Prerequisites

1. Active Azure subscription with access to the portal. The account will need to have an active Resource Group and  Vnet configured with 1 subnet(for NetFoundry) and 1 subnet (for Functions). NOTE: Azure functions require a dedicated subnet for deployment.

https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli

2. Active NetFoundry platform account. Get started HERE to enable your free account. Once you have gained access to the SaaS orchestration platform be sure to check the Getting Started videos here

3. An active Azure Function that can be created and tested for end to end connectivity.

4. An active remote API or Application in a Public Cloud or Data Center. It will be necessary to deploy endpoint software on the desired host or deploy a Customer Hosted Edge router. These can be deployed in the Data Center with downloadable Hypervisor based images or through any of the Cloud marketplaces. For this tutorial, we will deploy an edge router per the diagram above (upper left). Our example will be a webpage running on a downstream server on the same L2 network of 172.34.34.53. This server does not have NetFoundry software so we will use the Edge Router to fulfill the webpage request sent from the Azure Function.

 

 

Solution Overview

 

1. Create a Netfoundry Network

  • Sign up for NetFoundry console access and create your Zero Trust Network

  • Log in to your NetFoundry Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.

mceclip0.png

 

 

2. Create NetFoundry Edge Routers {Transit & Edge}

 

A. Adding a NetFoundry hosted Edge Router - aka Transit/Fabric Router

mceclip7.png

NOTE: Represented in the diagram with red circle. Ignore other 3. This router will act as the overlay transit router. It is managed within the NetFoundry cloud tenancy. Think of it as the middle mile or core of the network. A typical Enterprise network would make use of several of these to form a geographic mesh. For testing, a single router is suffice.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the +sign at the upper right to add an edge router. 
  • mceclip1.png
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. Apply the same tag to other transit routers to form a group of routers. For this demo, we will use #transit.
  • Select NetFoundry Hosted as your hosting type, and choose the Data Center  region that is close to where your endpoints and resources are located.
  • Hit Create to commence the provisioning of your edge router.
  • Once your edge router is registered (5-8 minutes), it will start accepting outbound fabric connections from a private-launched edge router, as well as from clients accessing the fabric.

mceclip2.png

 

B. Adding NetFoundry customer hosted Edge Routers.

Quantity: 2

1 in Azure for Function Application & 1 in remote Public Cloud(AWS).

 

Customer-hosted edge routers with link listeners turned off are private routers. 

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the +sign at the upper right to add an edge router.
  • Give your edge router a name: e.g. azure-edgerouter-useast
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. Apply the same tag to other routers to form a group of routers. For this demo, we will not use attributes.
  • Select Customer Hosted as your hosting type.
  • HitC reate to complete the process.
  • Copy your edge router registration key. Save for later (copy and paste to txt file) You may also opt to save it as a JWT or a config file.
  • Repeast for AWS example but choose another name e.g. aws-webapp-uswest

 

mceclip5.png

mceclip6.png

 

 

C. Launching your Edge Router in Azure Marketplace

.

mceclip6.png

 

  • Login to Azure console and Search for "NetFoundry Edge Router" in Azure Marketplace
  • Click on "Create" and Select the Subscription.
  • If a Resource group is not created, create one, e.g: "FunctionsDemo"
  • Enter the Virtual machine name
  • Choose the same region as the Azure Function.
  • Please select the Size as "Standard_F2s_v2 - 2 vCPUs, 4 GiB memory"
  • Choose password or SSH Public Key authentication.
  • Fill in the username for authentication as ziggy
  • Fill in the SSH Public key, if you don't have an existing Azure key, you can generate a new key pair
  • Premium SSD is selected by default and the default disk size is 30 GB. You may select Standard.
  • On the "Advanced" tab in the field "Custom Data" enter this script, substituting the registration key from your clipboard in 
#!/bin/bash
/opt/netfoundry/router-registration {key}
  • Hit Next, in the networking section, select subnet not used for Functions.
  • Click on Review + Create.
  • In the NetFoundry console, confirm the Edge Router is REGISTERED within ten minutes.

To learn more about Edge Routers go toCreate and Manage Edge Routersarticle on theNetFoundry Support Hub.

 

D. Launching your Edge Router in AWS Marketplace

mceclip8.png

 

  • Login to AWS console and go to EC2 dashboard and select launch instance. From the catalog, search for "NetFoundry Edge Router" in Marketplace
  • Enter the Virtual machine name
  • Choose the same  VPC and Subnet as the application you are connecting to and enable public ip address (fine for demo)
  • Select auto assigned security group from image.
  • Please select the Size as "T2 Small"
  • Choose SSH Public Key authentication and select desired key
  • On the "Advanced details" section in  the field "User-data " enter this script, substituting the registration key from your notes kept from step 2 B.
#!/bin/bash
/opt/netfoundry/router-registration {key}
  • Hit Launch Instance.
  • Click on Review + Create.
  • In the NetFoundry console, confirm the Edge Router is REGISTERED within ten minutes.

3. Create NetFoundry Edge Router Policy

An edge router policy is required for endpoints to transit the fabric.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers Policies tab, click on the +sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to have access to a specific edge router or group of edge routers.
  • mceclip3.png
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. For this demo, we will add the #transit router attribute to select all edge routers having that router attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. For this demo, we will add the #all endpoint attribute to select all endpoints having that endpoint attribute. NOTE: You should notice the single transit router you created in the first step populated in the "Edge routers Preview" pane. On the right pane, you should notice both the AWS and Azure endpoints created in the second step.
  • Hit Create to complete the process.

 

mceclip5.png

 

3. Service Creation

A service definition to specify the Function service in AWS that we will connect to from a remote system. (server, workstation or mobile)

 

  • From your Network Dashboard page, navigate to Services.
  • Under the Manage Services tab, click on the + sign at the upper right to add a service.
  • Choose the type of your service. For this demo, we will use Simple Service as the service type.
  • In the Client Configuration box, type in <ip of your app>for the Intercept Host Name/IP field and <your app port> for the Port field. 
  • Toggle the Native Application SDK Based to No.
  • In the Host Configuration box, select Endpoint Hosted as your service host.
  • Select the associated endpoints capable of accepting connections from clients. This will be the AWS Endpoint created from step 2. Click on the box to reveal and select it.
  • Select TCP for the Protocol Type.
  • In the Host Name/IP field, enter the IP address for the demo server. This is the internal IP address of the application.
  • Use <your app port> for the Port field.
  • Hit Create to complete the process.

 

mceclip9.png

 

4. AppWAN Creation

  • From your Network Dashboard page, navigate toAppWAN.
  • Under the Manage AppWANs tab, click on the +sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the service created in the previous step to be associated with this AppWAN. 
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. For this demo, we will add the Azure endpoint created in step 2.
  • Hit Create to complete the process.

 

5. Azure Networking configuration.

At this point we have the entire network configured with a core transit router and 2 cloud based edge routers. Each of the Edge Routers resides in the same network as the associated resources. Since the AWS application & Azure function application do not have NetFoundry endpoint software built in, we will use the edge routers for the On-Ramp -- Off-Ramp to each.

 

1. From within your Resource Group enable IP forwarding on Azure Edge Router IP Interface. 

mceclip10.png

mceclip11.png

 

2. From within your Resource Group. Create a Route Table that is associated to both the Edge Router subnet and the Azure Functions subnet. Select Create Resource and then search Route Table. Ensure the correct Resource Group and Region are selected.

mceclip13.png

 

3. Once created, you will now create the Route to AWS (or other) to use local Azure Edge Router as On-Ramp to NetFoundry network. Hit Routes, then + Add. Choose a name that describes intention, choose IP address, supply network address with mask CIDR. Select Virtual Appliance and then the local Azure Edge Router IP address. and select Add.

 

mceclip12.png

 

The Azure Function will need to be configured for vNET integration and User Defined Routes to utilize this functionality.

 

mceclip20.png

 

NOTE: vNET configuration

mceclip21.png

 

 

6. Testing connectivity

In this test example, I will be testing private connectivity from an NGINX function running in Azure to a Static Website in AWS.  A to B

 

mceclip19.png

 

 

 

From the Terminal of the NGINX Function - Curl the website in AWS private IP 172.34.34.53.

mceclip23.png

 

Function in Azure

 

mceclip18.png

 

Instance with HTTPD running in AWS.

 

mceclip17.png

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.