Service Gateway as a gateway to web assets in multiple Azure deployments

Dec 16, 2013 at 7:42 PM
We would like to use Service Gateway as a secured proxy to multiple web roles. For example, we have a devops website, a BI site and a partners website. We would like to route all requests through SG where authentication and various other pipeline stages will be performed. We would like Azure AD auth on SG which will then proxy the calls to the appropriate internal sites. The problem is we cannot set our web roles as internal endpoints on a VN and access them from the gateway. The only way we are able to achieve this is if all of our web roles, including SG, are in the same Azure deployment. What is the correct approach to this design?

Dec 20, 2013 at 9:30 PM

There is no requirement for the web roles to be internal only. The web roles can detect if a request came via the Gateway or not and choose to serve a response or return an error. If there is no information breach in supporting direct requests, then this is a perfectly acceptable state.

We are considering mechanisms for securing the channel between the Gateway and the web role (options include: virtual network or similar transport layer protection, mutual authentication via client certificates, or bearer tokens). The only one of these mechanisms that will work without code change is transport layer protection, but given you cannot place your endpoints in a VN, it would be great if you indicated which of the remaining two approaches is more attractive to you.
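To make the bearer-token option from the reply above concrete, here is an added example (not code from the Service Gateway project or from either poster) of how a web role could tell a gateway-proxied request from a direct one and refuse the latter. It assumes a shared secret known only to the gateway and the web role, a gateway-minted HMAC token carried in the `Authorization: Bearer` header, and that the token binds the request path and an issue time so a captured token cannot be replayed indefinitely or against a different route; all of those choices, and the header name, are assumptions for illustration, not part of the product.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In a real deployment this would come from
# configuration or a secret store, never be hard-coded, and be rotated.
GATEWAY_SHARED_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL_SECONDS = 300      # gateway tokens are valid for five minutes
CLOCK_SKEW_SECONDS = 30      # tolerate small clock drift between the two hosts


def mint_gateway_token(path, now=None, secret=GATEWAY_SHARED_SECRET):
    """Gateway side: issue a short-lived token bound to the proxied path."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"path": path, "iat": issued}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_gateway_token(token, path, now=None, secret=GATEWAY_SHARED_SECRET):
    """Web-role side: return (ok, reason). Signature is checked before any claim is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed token"

    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    claims = json.loads(payload)
    if claims.get("path") != path:
        return False, "path mismatch"

    current = now if now is not None else time.time()
    issued = claims.get("iat", 0)
    if current - issued > TOKEN_TTL_SECONDS or issued > current + CLOCK_SKEW_SECONDS:
        return False, "expired"
    return True, "ok"


def handle_request(headers, path, now=None):
    """Web-role request pipeline stage: serve only requests that carry a valid gateway token.

    Returns (http_status, body). A request that reaches the role directly,
    without passing through the gateway, has no valid token and gets 403.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 403, "direct access not permitted"
    ok, reason = verify_gateway_token(auth[len("Bearer "):], path, now)
    if not ok:
        return 403, reason
    return 200, "served"


if __name__ == "__main__":
    # Constructed sample: the gateway proxies GET /reports at t=1000, the role sees it at t=1100.
    token = mint_gateway_token("/reports", now=1000)
    print(handle_request({"Authorization": "Bearer " + token}, "/reports", now=1100))
    print(handle_request({}, "/reports", now=1100))  # a direct hit with no token
```

The role still works without a virtual network: it trusts the gateway's signature rather than the network position of the caller. The same `verify_gateway_token` check would sit in front of each of the devops, BI and partners sites, each with its own path binding, so a token minted for one site is rejected by the others.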