How secure are Windows Azure internal endpoints?

I have a front-end MVC application in a web role, protected by WIF and ACS, and I would like my Azure application to display only an open surface. It connects to several back-end services, some work roles and some (for the convenience of adding service links to VS or because of the use of WCF service web roles). Back-end service roles have only internal endpoints.

My understanding from the MS literature is that internal endpoints are only available for other roles with the same deployment. With this in mind, it seems unnecessary to use any kind of transport or message security or authentication between the MVC web role and the back-end services, which seems to be due to the fact that https is not available for internal endpoints.

My question is: how safe is it? Is there any way for the endpoint to be detected by anything other than one of our expanded roles? Is there any reason to add extra security to any of the mutual bindings?

+8
azure
source share
1 answer

A service represents an isolation boundary, unless you declare the endpoint as an "input endpoint," it cannot be accessed outside this isolation boundary. Implementation of this boundary is a private network that does not have addressing for other branches.

Remember that internal endpoints are not load balanced. So there is a compromise. I wrote some things on the endpoints some time ago, which could have consolidated the consolidation a bit.

+7
source share

All Articles