Before we go deeper into details of exposing BizTalk Applications to the cloud, let us clarify how cloud related technologies have impacted application and service deployment. We can divide the application and service deployment scenarios into two broad categories:
- On-premises deployment: An application or service that runs within an organization’s firewall and is typically accessed by clients that are within the firewall.
- On-cloud deployment: An application or service that still runs within the organization's firewall but can be accessed by clients inside or outside the firewall through a Service Bus endpoint exposed in the cloud. The services themselves continue to run locally in IIS; only the endpoints are exposed in the cloud.
Windows Azure AppFabric Service Bus provides the capability to take on-premises web services and extend their reach to external clients. It supports this on-cloud scenario with a relay service that listens to external clients on behalf of the on-premises web service at a given public address and relays messages between the two parties. Because the relay holds an outbound connection opened by the on-premises listener, no inbound firewall port needs to be opened for clients to reach the service.
Windows Azure AppFabric Service Bus provides the platform on which developers expose Service Bus endpoints for their on-premises services. AppFabric Connect for Services enhances the capabilities of the BizTalk WCF Service Publishing Wizard so that developers can expose on-premises BizTalk application operations to external clients as WCF services via the Windows Azure AppFabric Service Bus relay service.
What does the BizTalk WCF Service Publishing Wizard do?
The BizTalk WCF Service Publishing Wizard essentially exposes the operations in BizTalk Applications as WCF services. AppFabric Connect for Services enhances the wizard to support the relay service provided by Azure AppFabric Service Bus. The wizard enables you to select the operations that you want to expose as services and then creates the following:
- A local endpoint for the WCF service.
- A Service Bus endpoint for the WCF service.
- A Service Bus endpoint for metadata exchange with the WCF service (if configured).
- Receive ports in the BizTalk Application, which are used to bind to the desired operations.
Security Considerations when Exposing Services on Cloud
Security becomes a paramount concern when organizations expose mission-critical data and operations to clients outside the organization's protected environment. To address these concerns, organizations can follow certain security best practices to ensure that only authenticated clients get access to the service.
- Client authentication by the Service Bus relay service. All the Service Bus relay bindings expose a binding property, 'RelayClientAuthenticationType', that controls whether a client consuming the service must present an authentication token to the relay before its messages are forwarded. The property can be set to either 'None' or 'RelayAccessToken'. With 'RelayAccessToken', the client must present a token issued by the Access Control Service (ACS) for the Service Namespace; the client obtains that token by presenting credentials (for example, an issuer name and shared secret) that the organization hosting the service communicates to the client out of band, for example in an e-mail message. The token is consumed by the relay, so the BizTalk service behind it still needs message- or transport-level security (next bullet) to authenticate and authorize the caller end to end. Besides keeping anonymous callers off the relay, setting 'RelayClientAuthenticationType' to 'RelayAccessToken' also saves the hosting organization money. Without authentication at the relay, any client can hit the service endpoint, and the relayed traffic is charged to the Service Namespace even when the service eventually rejects the request and no business operation results.
- Message-level and transport-level security. WCF inherently provides message-level and transport-level security for services. For more information on message- and transport-level security, see http://msdn.microsoft.com/en-us/library/ms733137.aspx.
Tip: It is not strictly a security setting, but organizations can also reduce the exposure of services on the cloud by not making the endpoints publicly discoverable. Service Bus provides an ATOM feed that lists all the publicly discoverable endpoints under a given Service Namespace. Discoverability is controlled through the 'DiscoveryMode' setting of the 'ServiceRegistrySettings' endpoint behavior, which can be Public or Private; the BizTalk WCF Service Publishing Wizard lets you choose it when publishing. Keep in mind that a private endpoint is hidden, not protected: anyone who learns the URL can still reach it, so discovery mode complements relay client authentication rather than replacing it. The disadvantage of not making the endpoints publicly discoverable is that if a large number of clients will use the service, you have to communicate the endpoint URL to each of them.
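To make these settings concrete, the following web.config fragment is an added example (it is not taken from the whitepaper or from the wizard's generated output) for a BizTalk operation published as a WCF service with a Service Bus relay endpoint. It shows a weak relay binding and a public registry listing beside a hardened binding and a private listing. The namespace contoso-ns, the service and contract names, the endpoint addresses and the issuer credentials are placeholders, and it assumes the Windows Azure AppFabric SDK has registered the Service Bus binding and behavior extensions in machine.config.

```xml
<!-- Added example, not from the whitepaper. Assumes the AppFabric SDK has
     registered netTcpRelayBinding, transportClientEndpointBehavior and
     serviceRegistrySettings in machine.config. All names and secrets below
     are placeholders. -->
<system.serviceModel>
  <bindings>
    <netTcpRelayBinding>
      <!-- WEAK: the relay forwards messages from anonymous callers, so any
           client on the Internet can generate billable traffic even if the
           BizTalk service later rejects the request; no transport protection. -->
      <binding name="OpenRelay">
        <security mode="None" relayClientAuthenticationType="None" />
      </binding>
      <!-- HARDENED: the caller must present an ACS-issued token to the relay
           before anything is forwarded, and the hop to the relay is protected.
           The service still authenticates the caller itself (message/transport
           security), because the relay token is consumed by the relay. -->
      <binding name="AuthenticatedRelay">
        <security mode="Transport" relayClientAuthenticationType="RelayAccessToken" />
      </binding>
    </netTcpRelayBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <!-- The listener always needs its own credentials to open the relay
           endpoint; these are the service's credentials, never the clients'. -->
      <behavior name="PublicListing">
        <transportClientEndpointBehavior credentialType="SharedSecret">
          <clientCredentials>
            <sharedSecret issuerName="owner" issuerSecret="ISSUER-SECRET-PLACEHOLDER" />
          </clientCredentials>
        </transportClientEndpointBehavior>
        <!-- Public: the endpoint is listed in the namespace's ATOM feed -->
        <serviceRegistrySettings discoveryMode="Public" />
      </behavior>
      <behavior name="PrivateListing">
        <transportClientEndpointBehavior credentialType="SharedSecret">
          <clientCredentials>
            <sharedSecret issuerName="owner" issuerSecret="ISSUER-SECRET-PLACEHOLDER" />
          </clientCredentials>
        </transportClientEndpointBehavior>
        <!-- Private: not listed in the feed; clients must be told the URL.
             This hides the endpoint but does not protect it. -->
        <serviceRegistrySettings discoveryMode="Private" />
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <services>
    <service name="BizTalkWcfService.OrderService">
      <!-- Local endpoint created by the wizard; address is relative to the
           IIS virtual directory and reachable only inside the firewall. -->
      <endpoint address=""
                binding="basicHttpBinding"
                contract="BizTalkWcfService.IOrderService" />
      <!-- Service Bus endpoint: pair the hardened binding with the private
           listing. Swapping in OpenRelay/PublicListing reproduces the weak
           configuration for comparison. -->
      <endpoint address="sb://contoso-ns.servicebus.windows.net/OrderService"
                binding="netTcpRelayBinding"
                bindingConfiguration="AuthenticatedRelay"
                behaviorConfiguration="PrivateListing"
                contract="BizTalkWcfService.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

A client consuming the AuthenticatedRelay endpoint needs its own transportClientEndpointBehavior carrying credentials the hosting organization handed over out of band; that is the "communicated separately" step in the bullet above. Do not hand clients the namespace owner secret: define a separate issuer in ACS whose rules grant only the Send claim for the service path, so a leaked client credential cannot be used to Listen on or Manage the namespace.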
Who Should Read This Whitepaper?
This whitepaper assumes some familiarity with Microsoft BizTalk Server, Windows Azure AppFabric Service Bus, Windows Azure AppFabric Access Control Service (ACS), and Windows Communication Foundation (WCF). This whitepaper is intended for the following users:
- Organizations that want to extend the reach of their on-premises BizTalk applications to the cloud by exposing them as WCF Services with endpoints in Windows Azure AppFabric Service Bus.
- Users that want to consume a web service extended to the cloud in order to perform operations implemented in a BizTalk application deployed inside an organization's firewall.