Tuesday, June 27, 2017

PowerApps and BizTalk (Part 3 - Security)

Introduction

In my previous post I showed how to use a reverse proxy in an Azure API App to call an on premise REST API. The problem with this default implementation is that it is a public address using "http", open to anyone who can find the URL of your Azure API App. I prefer not to rely on security by obscurity, so in this post I'll discuss the options for securing your Azure API App and then show you the steps to protect it.

3. Security

There are a number of ways in which to protect your Azure API App such as API Management, Azure Active Directory or even a combination of the two. You can even restrict access to your Azure API App via an IP Address.

Azure API Management, also known as APIM, is another service offering from Microsoft which provides a way to "manage" your API. It essentially sits in front of your API and offers an array of features called policies, such as caching, throttling of service calls to and from your Azure API App, translating SOAP calls to REST (and vice versa), limiting operations / service calls etc. Using APIM you can provide the security mechanism that allows only authenticated parties to use your Azure API App. For more information on APIM, see https://docs.microsoft.com/en-us/azure/api-management/.

The drawback of using APIM is its cost (see https://azure.microsoft.com/en-ca/pricing/details/api-management/), so instead I'll show how to protect your Azure API App using Azure Active Directory. Azure Active Directory provides identity management and a range of other features such as multi-factor authentication, role based access control, auditing and security monitoring.

With that brief description of what Azure Active Directory is, let's get started with the steps to secure your Azure API App with Azure Active Directory.

Azure Active Directory with OAuth2

The following steps will show you how to setup your Azure Active Directory (Azure AD) to secure your Azure API App using your default Azure AD User account. 

1. Sign into the Azure Portal.
2. Locate the Azure API App that you wish to protect.
3. Scroll down and click on Authentication/ Authorization and then click on "On".

4. Click on the drop box next to "Action to take when request is not authenticated" and select "Log in with Azure Active Directory". 
This setting ensures that any anonymous request to your Azure API App must be authenticated using your Azure AD, although there are still a few more steps to complete before this works.
5. Click on "Azure Active Directory".
6. Click on "Express", ensure that you have selected "Create New AD App", then add the word "App" to the end of your application name (this will help later when you need to tell the application apart from its identity, which I'll explain later in this post) and finally click on "OK".
This generates an application in your Azure AD which will be the
7. Click "Save".
8. In the Azure Portal, browse to your Azure Active Directory and then click on "App registrations".
9. You should now be able to see the App registration for your Azure API App.
10. Click on the application that you just created and then copy the Application ID into notepad and note it as the Application ID. (This will be used later in my next post "PowerApps".)

Creating the identity Application

Now that you have your application registered in Azure AD, you need to create the identity application which will provide the security for your application.

1. You should still be in the App registrations screen from the previous step; if not, browse to Azure Active Directory and click on App registrations.
2. Click on New application registration:
3. Fill in the following details:

  • Name: Type in your <application name>-Identity E.g. BizTalkAppNameGoesHereApp-Identity
  • Application type: Web app/ API
  • Sign-on URL: https://login.windows.net 
4. Click on Create.
5. Once it appears in the App registrations, click on it to open its settings.
6. Click on Reply URLs, click on the first empty row and then add "https://msmanaged-na.consent.azure-apim.net/redirect".
7. Click on Save.
You should now see the following:
8. Close the Reply URLs screen and go back to the settings and click on Required permissions.
9. Click on Select an API, then in the "Search for other applications with Service Principal name", type the name of your app, which should include the App at the end.
10. Select it and then click Select.
11. In the Enable Access screen under Delegated Permissions, click on the tick box next to Access BizTalkAppNameGoesHereApp and then click on Select. (Note that if you tick the box next to Delegated Permissions itself, the Select button will not become active.)
12. Click on Done.
13. Click on Keys.
14. Type in the following:

  • Key description: BizTalkPowerApp
  • Duration: In 1 year
  • Value: Enter a password
Then click on Save.
15. Copy the Value that gets generated into notepad as Client Secret. (This will be used later in my next post "PowerApps".)

16. Close the Keys.
17. Copy the Application ID and paste it into your notepad as Client ID. (This will be used later in my next post "PowerApps".)

To test the authentication:
Open a browser in InPrivate Browsing mode if using Internet Explorer, or an Incognito window if using Chrome, and browse to your Azure API App web site.

Once you sign in you should be able to access your Azure API App:
This forces any anonymous or unauthenticated request to sign in via Azure Active Directory before the Azure API App can be used.
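A quick way to confirm that the setting above is actually enforced is to send one anonymous request and look at the answer without following redirects: a 401, or a redirect to Azure AD (or to App Service's own /.auth/login/aad endpoint, which then bounces to Azure AD), means the API App is protected, while a 200 means it answered without asking for a login. The following script is an added example, not part of the original post; the host name is a placeholder.

```python
"""Probe an Azure API App anonymously and report whether App Service
Authentication is actually forcing an Azure AD login.  Added example,
not from the post; the host name below is a placeholder."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Where "Log in with Azure Active Directory" sends an unauthenticated browser.
AAD_LOGIN_HOSTS = ("login.microsoftonline.com", "login.windows.net")


def classify(status, location=None):
    """Turn the status code and Location header of an anonymous request
    into a verdict: 'protected', 'unprotected' or 'unknown'."""
    if status == 401:
        return "protected"
    if status in (301, 302, 303, 307, 308) and location:
        target = urlparse(location)
        # Either a direct bounce to Azure AD or App Service's own
        # /.auth/login/aad endpoint, which then redirects to Azure AD.
        if target.hostname in AAD_LOGIN_HOSTS or target.path.startswith("/.auth/login/aad"):
            return "protected"
        return "unknown"
    if 200 <= status < 300:
        return "unprotected"  # the API App answered without asking for a login
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the login redirect itself can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url):
    """Send one anonymous GET (no cookies, no token) and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return classify(resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (once redirects are disabled) and for 4xx/5xx.
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    # Placeholder host: substitute the name of your own Azure API App.
    print(probe("https://your-api-app-name.azurewebsites.net/BizTalkManagementService/Applications"))
```

Run it before and after switching Authentication/Authorization on: the verdict should change from "unprotected" to "protected".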

Conclusion

Any public facing API should always be protected from threats so that only authenticated and authorised users can access it, and any Azure API App is no exception. In this post I showed how to protect your Azure API App using Azure Active Directory. The key to using Azure Active Directory is to have two registrations in your Azure Active Directory: one represents your application, whereas the second represents your application's identity. The Client ID and Client Secret of your "Identity" application, together with the Application ID, are what we will use to provide the security for your PowerApps, which I will show in my next post.

Monday, June 5, 2017

PowerApps and BizTalk (Part 2 - Azure)

Introduction

In part 1 of this series I described how to install and configure the BizTalk Management Service on premise, which allows PowerApps to communicate with your BizTalk 2016 server. In this post I will focus on the next component: "Components/ Services in Azure".

2. Components/ Services in Azure

In this section I will focus on creating the Azure API App which will be the public endpoint for your on premise resources.

Create the Azure API App

1. Sign into the Azure Portal:
2. Click on App Services, and then Add:

3. Once the blade opens up, in the "Filter" search for API App and then select it:

4. Create the API App by filling in the required fields and then click on Create (you can optionally click on Pin to dashboard, which provides easy access to the API App you just created from your Azure Portal dashboard):

5. Once it deploys, open the new API App and you should see the following screen:

Azure Relay with Hybrid connection

Now that you have your public endpoint, how do you connect your Azure API App to your on premise resource?

You could use an on premise / cloud hybrid application using Azure WCF Relay to connect your on premise web service to Azure, but I decided to try a hybrid connection.

What is a hybrid connection?

A hybrid connection can connect to any on-premises resource that uses a static TCP port, such as SQL Server, MySQL, HTTP Web APIs, and most custom Web Services. See https://docs.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview.

I was originally planning on using the classic hybrid connection for my Azure API App, mainly because it allowed a free pricing tier for the connection to my on premise resource, whereas the newer hybrid connection requires a pricing tier of Standard or above. Unfortunately the classic hybrid connection is being retired (see this link for more details). The good news though is that the setup using the new hybrid connection is a lot simpler.

If you still have access to a BizTalk Service you will be able to link it to the classic hybrid connection (I'll make another post later on how to do this) in order to make use of the free pricing tier, but in this post I'll be using the new hybrid connection.

But before we begin I need to explain a bit about one of the new features in Azure: the Azure Relay (currently in preview), which offers two technologies:

  • Hybrid connections and
  • WCF Relay

Both technologies allow Azure to integrate with on premises applications, but I will focus on the hybrid connection because, as I already mentioned above, it allows you to integrate with line of business applications such as SAP, Oracle and SQL. This section will focus on the components that you need to install an Azure Relay with a hybrid connection.

New hybrid connection 

The following steps enable the Azure API App to communicate with an on premise resource using a hybrid connection via an Azure Relay, following from Step 5 above:

1. Scroll down and click on Networking or use the filter and type "Networking" and click on Networking.
2. Click on create new hybrid connection:

3. Enter the required fields for creating the new hybrid connection:

  • Endpoint Name: Friendly name for your on premise resource, as it will be used by your Azure API App. E.g. AnthonysLaptop
  • Endpoint Host: The machine name of your on premise resource. E.g. BizTalk2016Server
  • Endpoint Port: The port number for accessing your on premise resource. E.g. 80

4. Click on "OK".

In the background this creates an Azure Relay, a Service Bus endpoint and finally a hybrid connection associated with your server or host.
This can be seen by clicking on All Resources in the Azure Portal and filtering by Relay:
When you click the relay it will show you the following screen:
Clicking on my hybrid connection (the endpoint at the bottom of the screen) shows the following screen where the properties button gives you the endpoints that the hybrid connection is connecting to:

Installing the On premise Hybrid Connection Manager on Premise

We now need to install the on premise Hybrid Connection Manager, which ties the on premise resource to the Azure hybrid connection.

1. In the Azure Portal, go back to your Azure API App that you had just created.
2. Scroll down and then click on Networking or use the filter and then click on Networking.
3. Click on "Configure your hybrid connection endpoints".
4. Click on "Download connection manager" and save it to disk.
5. Run it using Administrative privileges.
6. Read and then accept the terms by clicking on the check box and then Install.
7. Click on finish, once it appears.
8. To configure the connection manager, click on Start, then type "hybrid" and you should see the Hybrid Connection Manager UI appear. Click on it:
9. Once it opens, click on "Configure another Hybrid Connection":
10. Sign in with the same credentials you use to log into the Azure Portal.
11. Choose your subscription:
12. If you performed each of the above steps correctly, you will see your hybrid connection here. Click on it and then click on Save.
13. Once it configures, you will be returned to the previous screen and you will now be able to see your BizTalk connection:

14. Go back to the Azure Portal and you should see the following screen with your hybrid connection and its status set to "not connected". Click on refresh.
The status should now show as connected.

Testing your connection

To test your connection to your on-premise server:
1. Open your Azure API App that you had just created and scroll down to Console.
2. Once the console loads, type tcpping [friendly name of your hybrid connection] (in my case "tcpping anthonyslaptop") and then press Enter.
3. If everything is configured correctly, you should see the following:

This means that your Azure API App is now connected to your on premise server.

Extensions

You might have noticed that in the Azure API App there is a section called Extensions. You can read more about it here.

The extension I will be using is called the reverse proxy by Eelco Koster. (Project site is https://github.com/EelcoKoster/ReverseProxySiteExtension). The reverse proxy allows the Azure API App to forward requests to your on premise resource(s) using the hybrid connection.

1. In your Azure API App scroll down (or use the filter) and click on Extensions and then click on Add:
2. Scroll down to ReverseProxy and then click on it.
3. Read the legal terms, and then click on the "OK" on the right, and then click "OK" again.
4. Once it is installed, click on the ReverseProxy extension to open it, and then click on Browse:
5. Once the browser opens, you will see the configuration screen for configuring the ReverseProxy:

I won't go into too much detail about how the reverse proxy works, but for those who are interested, you can always visit his project site for more info.

6. Replace the XML with the following, replacing "<servername>" with the friendly name of your hybrid connection, and finally click on "Save to web.config":
<rewrite>
  <rules>
    <rule name="BizTalkManagementRule" stopProcessing="true">
      <match url="^BizTalkManagementService/?(.*)" />
      <action type="Rewrite" url="http://<servername>:80/BizTalkManagementService/{R:1}" />
    </rule>
    <rule name="BizTalkOperationsRule" stopProcessing="true">
      <match url="^BizTalkOperationsAPI/?(.*)" />
      <action type="Rewrite" url="http://<servername>:80/BizTalkOperationsAPI/{R:1}" />
    </rule>
  </rules>
</rewrite>

The first rule (BizTalkManagementRule) forwards any REST API calls for the BizTalk Management Service to your on premise server, whereas the second rule forwards calls to the custom on premise REST API that I built.

Note:

  • This configuration assumes that when you installed the feature pack, it was installed with the default application name of BizTalkManagementService.
  • Additional on premise REST APIs can be added. All that needs to be done is to modify/ update the rules in the configuration above.
7. Once saved, switch back to the Azure Portal, browse back to your Azure API App and, in the Overview, click on the Restart button.
8. This ensures that the extension and the proxy configuration have taken effect.
9. Once the restart is complete, browse to the Azure API App by clicking on its URL:
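To see exactly which request paths the two rules above forward to the on premise server (and which ones the API App keeps for itself), here is a small simulation of the rule set. It is an added example, not code from the ReverseProxy extension; it mimics the IIS URL Rewrite behaviour the extension builds on (match against the path without its leading slash, case-insensitive by default, {R:n} substituted with capture group n, query string appended) and uses the hybrid connection name from earlier in the post in place of "<servername>".

```python
"""Simulate the ReverseProxy rewrite rules from the post so you can see which
request paths reach the on premise server over the hybrid connection.  Added
example, not part of the extension; it mimics the IIS URL Rewrite behaviour the
extension builds on (match without leading slash, case-insensitive by default,
{R:n} = capture group n, query string appended to the rewritten URL)."""
import re
import xml.etree.ElementTree as ET

# The two rules from the post, with <servername> replaced by the hybrid
# connection friendly name used earlier in the post.
RULES_XML = """<rewrite>
  <rules>
    <rule name="BizTalkManagementRule" stopProcessing="true">
      <match url="^BizTalkManagementService/?(.*)" />
      <action type="Rewrite" url="http://anthonyslaptop:80/BizTalkManagementService/{R:1}" />
    </rule>
    <rule name="BizTalkOperationsRule" stopProcessing="true">
      <match url="^BizTalkOperationsAPI/?(.*)" />
      <action type="Rewrite" url="http://anthonyslaptop:80/BizTalkOperationsAPI/{R:1}" />
    </rule>
  </rules>
</rewrite>"""


def load_rules(xml_text):
    """Parse <rule> elements into (name, compiled match pattern, target URL)."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        # IIS matches case-insensitively unless ignoreCase="false" is set.
        flags = 0 if match.get("ignoreCase") == "false" else re.IGNORECASE
        rules.append((rule.get("name"), re.compile(match.get("url"), flags), action.get("url")))
    return rules


def route(request_path, rules):
    """Return (rule name, forwarded URL) for the first matching rule, or None
    when no rule matches and the API App serves the request itself.
    Both rules in the post set stopProcessing="true", so first match wins."""
    path, _, query = request_path.lstrip("/").partition("?")
    for name, pattern, target in rules:
        m = pattern.match(path)
        if m:
            forwarded = re.sub(r"\{R:(\d+)\}", lambda g: m.group(int(g.group(1))), target)
            return name, forwarded + ("?" + query if query else "")
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for p in ("/BizTalkManagementService/Applications", "/biztalkoperationsapi/hosts?name=x", "/swagger"):
        print(p, "->", route(p, rules))
```

Note that the trailing (.*) forwards every path under either prefix, so everything a caller sends there reaches the on premise service; the authentication added in Part 3 is what gates that.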

Testing the Azure API App

Once the website opens for your Azure API App, enter the URL for the on premise BizTalk Management API. E.g.
http://<AzureAPIAppName>.azurewebsites.net/BizTalkManagementService/Applications

Important: Please note that the site is unprotected (http and NOT https) and has no security. I will be posting my tutorial on securing this later.

Conclusion

In this second post I demonstrated how to create an Azure API App, set up a hybrid connection to your on-premise resource, link the Azure API App to your on premise server and set up a reverse proxy so that the Azure API App can access your on premise resource. In the next post I'll be talking about setting up PowerApps to make use of your Azure API App.

PowerApps and BizTalk (Part 1 - Setting it up)

Introduction

My previous blog post regarding BizTalk and PowerApps contains a few moving parts, which I will explain in this multi part blog series. It consists of four parts:

  1. Components on premise.
  2. Components/ Services in Azure. (Posted here.)
  3. Security. (Posted here.)
  4. PowerApps. (Posted here.)
This first post will focus on the on premise components: 

1. On premise

Prerequisites

The first thing required is to ensure that you have installed the feature pack for BizTalk 2016, which can be downloaded at this link, along with any new CUs. One of the features that becomes available with the installation of the feature pack is the BizTalk Management Service.

The two REST services running on premise are:
  • The BizTalk Management Service (REST API with full Swagger support), which provides operational and administrative functions such as listing applications, creating an application, retrieving operational data etc. For a full listing see this link.
  • A custom API App for BizTalk operations (REST API with full Swagger support), which provides additional functionality not available in the BizTalk Management Service, such as:
    • Event logs, implemented using a LINQ query that provides a paging mechanism to minimize the amount of data flowing back to PowerApps.
    • Restarting of the BizTalk host instance(s), which is not available in the BizTalk Management Service and is implemented using WMI.
Note:
I will not be focusing on the custom API App as there are already many blog posts and articles on the internet on how to create one.

Installing the feature pack 

The feature pack can only be installed on the Developer or Enterprise editions of BizTalk 2016 and you must:
  1. Have active Software Assurance with Microsoft, or
  2. Be running BizTalk Server 2016 in Azure under an Enterprise Agreement
Steps:
1. Download the feature pack from the Microsoft web link.
2. Install it with Administrative privileges.

Configuring the BizTalk Management Service

To configure the BizTalk Management Service:
1. Open PowerShell with Administrative privileges.
2. Type: Set-Location $env:BTSINSTALLPATH
3. Type .\FeaturePack.ConfigureServices.ps1 -Service Management -WebSiteName 'Default Web Site' -ApplicationPool BtsMgmtAppPool -ApplicationPoolUser <AppPoolUser> -ApplicationPoolUserPassword <AppPoolPassword> -AuthorizationRoles 'BizTalk Server Administrators'

Replace <AppPoolUser> and <AppPoolPassword> with an appropriate application pool account and its password, for example "BizTalkServerIsolatedHost".

Once you have configured the BizTalk Management Service, you can test it by browsing to: 

If done correctly, you should be able to see the following:

Conclusion

In this post I showed which components need to be set up on premise, as well as how to install the feature pack and the BizTalk Management Service. In the next post I will focus on how to set up the Azure components, as well as coming back to on premise to install additional prerequisites.