So you’ve got an on-premise WCF Service and you’re going to expose the endpoint to the Cloud via ServiceBus.
I’m with a client excited about the prospect of Azure and using ServiceBus for connectivity
for our local WCF Services.
Remember ServiceBus is touted as the firewall friend communications mechanism.
Should be pretty easy right? – just follow an article like – http://msdn.microsoft.com/en-us/library/ee732535.aspx
If you are on a Secure Server – i.e. one that doesn’t have default open slather
access to the internet by default you will fall well short.
(nb: the Azure ServiceBus documentation is a little thin here also. ie no mention
whatsoever)
You will get ‘can’t contact watchdog.servicebus.windows.net’ and many others….So….
After much head banging Scotty sat down
one rainy day and looked at the full conversation to establish a connection to the
cloud via Service Bus
NB: XXXX is your ServiceBus endpoint name you configured in the Azure Management Portal
earlier. This endpoint lives in the Azure Singapore Data Center
ConnectionMode = TCP (Hybrid)
lookup for watchdog.servicebus.windows.net >
returns ns-sb-prod-sn1-001.cloudapp.net
to ns-sb-prod-sn1-001.cloudapp.net (port 9350)
lookup for XXXX-sb.accesscontrol.windows.net returns ns-ac-prod-sin-001.cloudapp.net
to ns-ac-prod-sin-001.cloudapp.net (port 443)
lookup for XXXX.servicebus.windows.net returns ns-sb-prod-sin-001.cloudapp.net
to ns-sb-prod-sin-001.cloudapp.net (port 9351)
ConnectionMode = Http
lookup for XXXX-sb.accesscontrol.windows.net returns ns-ac-prod-sin-001.cloudapp.net
to ns-ac-prod-sin-001.cloudapp.net (port 443)
lookup for XXXX.servicebus.windows.net returns ns-sb-prod-sin-001.cloudapp.net
to ns-sb-prod-sin-001.cloudapp.net (port 80)
when we lock this down to https endpoint step 4 above will be over 443
the complete firewall rules to support both modes should be:
(9350-9353)
(9350-9353)
(443)
(443)
(80, 443, 9350-9353)
(80, 443, 9350-9353)
the difference between ns-sb-prod-sn1-001.cloudapp.net and
the others ns-ac-prod-sin-001.cloudapp.net,
ns-sb-prod-sin-001.cloudapp.net
Hopefully you won’t get caught out at a client site asking for firewall changes, one
at a time as you discover them.
Enjoy,
Mick + big thanks Scotty for the details.
Blog Post by: Mick Badran