microsoft / ApplicationInsights-dotnet

MIT License

Application Insight on MS Revenue Processing applications without Internet Exposure #150

Closed ShitalMehta closed 8 years ago

ShitalMehta commented 8 years ago

Hello All,

We, Enterprise Commerce @ Microsoft, build/deploy/maintain/support Transaction Processing systems. These systems are moving to IAAS/PAAS. One of the by-design outcomes of moving to IAAS is that many systems that don't require exposure to the internet are kept under EBL IP ADDR, which are not exposing the systems to Internet. These servers will have provide capability to reach out to internet/azure platform.

Our systems are already equipped with Telemetry and Application Insight logging to Azure Platform. Current design allows us to have multiple set of IPs, ones with Internet exposure and ones without Internet exposure. So our App Insight logging works. As we move to IAAS, we lose those IPs with internet capability.

How do we implement Application Insight in these systems?

We've explored options like RELAY Servers with HTTP Proxies that take the App Insight logging and port it to Azure; however, these are not feasible OR we don't even know how to make those work. Feel free to contact me directly on internal skype to discuss the issue[s].

Regards, Shital Mehta

SergeyKanzhelev commented 8 years ago

You can configure a proxy server for Application Insights using the EndpointAddress property of TelemetryChannel. See http://apmtips.com/blog/2014/12/19/proxy-application-insights-events/. You can use any HTTP proxy server you'll find. You can even configure IIS's URL Rewrite module to redirect traffic to the Application Insights endpoint (here is some info on url rewrite).

Will this work for you?

ShitalMehta commented 8 years ago

Thanks Sergey, I am going thru the links.

ShitalMehta commented 8 years ago

Sergey, We are going thru the Reverse Proxy / ARR setup. Tutorial is nicely documented, but it's overwhelming setting it up. While we go thru it and setup successfully, I have a question.

Reverse proxy seems to be intended for making calls to an internet exposed proxy server, which will take the session/call and communicate back and forth with internal only service. Here the call is initiated from Internet, while in our case the Internal Server needs internet access to post Application Insight logging to external Azure Portal. Will this solution work in our scenario i.e. Call initiated from Internal/EBL web server?

SergeyKanzhelev commented 8 years ago

I sent this tutorial as an example of how IIS can be used as a proxy or reverse proxy using the URL Rewrite feature. This one is better: http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)/creating-a-forward-proxy-using-application-request-routing. However, you can use ANY HTTP proxy to implement this redirection. The key here is that you can configure the SDK to send telemetry data to any endpoint you want - it can be inside your DMZ and then redirect traffic from this endpoint to the internet.

ShitalMehta commented 8 years ago

Thanks Sergey again for your quick response. Some of our applications are only using Out of Box Application Insight Agent installation on Internal/EBL Servers, where the export of data happens based on me configuring App Insight Agent to pick Resource Group in an Azure Portal Subscription I own. I don't have any control over SDK or sending Telemetry data to a particular End Point.

SergeyKanzhelev commented 8 years ago

As I mentioned in blog post - you can change endpoint address by modifying ApplicationInsights.config file. Just add EndpointAddress node to TelemetryChannel after enabling Application Insights for your application.

<TelemetryChannel>
  <EndpointAddress>http://localhost:8888/v2/track</EndpointAddress>
</TelemetryChannel>

ShitalMehta commented 8 years ago

Thanks for your responses.

1) I've setup the Forward Proxy server as per http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)/creating-a-forward-proxy-using-application-request-routing. This article isn't asking to create any dummy site on the Proxy server.

2) Now, I moved on to the EBL/Inside only Server. In IE Browser LAN Settings, I configured it to use an HTTP proxy. I put the Proxy Server name in the image

However, when I browse any site like http://www.bing.com on the EBL Server, I am getting the following error.

image

I am researching further, if my Browser LAN Settings are all I need to consume the Proxy Server or not.

Current Status:

  1. EBL Server can't browse bing.com
  2. I can't setup Web Platform Installer 5, because EBL doesn't have internet connection.
  3. Application Insight Setup EXE requires IE connection to locate my Azure Subscription info.

SergeyKanzhelev commented 8 years ago

My recommendation was to onboard your application to Application Insights before deploying to the server and modify ApplicationInsights.config to specify that IIS installation as an EndpointAddress. This way you do not change IE settings, you only redirect Application Insights traffic. Implementing proxy that will allow Status Monitor to run on these machines and log in into Azure is a much bigger change.

FDAHMED commented 8 years ago

Sergey - Can you please list the best practices around implementing a proxy that will allow Status Monitor to log data into Azure? SDK change is not an option for us in EC team.

SergeyKanzhelev commented 8 years ago

All Status Monitor does is copy a bunch of assemblies into the bin folder of your application, copy ApplicationInsights.config and set InstrumentationKey in this config file. Depending on the version of Status Monitor, it will also modify the web.config file for your application.

You can compare your application folder before and after applying of Status Monitor to see the difference.

So if you do not have an option to add Application Insights SDK to your application during development time you can do the following:

In general it's a good practice to deploy to production the same bits as you use in staging.

BTW, we are working on scripting for Status Monitor to simplify these steps and not require an Internet connection.

ShitalMehta commented 8 years ago

Thanks Fareed, Sergey,

Sergey, I've moved past install/configure issues with above suggestion.

In my ApplicationInsight.config file, I am not seeing EndpointAddress information. I installed App Insight Status Monitor from http://go.microsoft.com/fwlink/?linkid=506648&clcid=0x409

1.3.0-build00446 1.2.3

SergeyKanzhelev commented 8 years ago

Hi @ShitalMehta - any luck after our conversation? Can you please close the issue once it starts working for you?

ShitalMehta commented 8 years ago

Thanks Sergey for your time. We have not succeeded in setting up the Forward Proxy. On top of setting up ARR and URLRewrite, there is a configuration portion. My team member set it up, however basic test for ARR/Proxy server to reroute any Service Traffic to internet/Azure isn't happening. Give me a day. I am fetching more information. If it's related to ARR/Proxy, we can close the issue tomorrow as setting up Proxy would be out of App Insight scope as we discussed.

ShitalMehta commented 8 years ago

Hello Sergey

I have tried to add the below mentioned Azure portals to the proxy server for application routing but I am getting below error on the ARR server.

  1. management.azure.com
  2. dc.services.visualstudio.com

error

Need below info:

  1. Do we need any additional permissions to access the Azure portal through ARR?
  2. Are the above Azure endpoints valid for AppInsights?

SergeyKanzhelev commented 8 years ago

For SDK you only need to configure dc.services.visualstudio.com. Portal access is not required to collect the data.
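
An added example, not part of the thread and not the project's own configuration: a `web.config` for the IIS relay site discussed above that forwards only telemetry POSTs on `/v2/track` to `dc.services.visualstudio.com` and answers everything else with a 404, so the relay does not turn into a general-purpose egress proxy for the internal network. It assumes the URL Rewrite module and ARR are installed with ARR's proxy feature enabled at server level; the rule names and the HTTPS upstream URL are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config at the root of the relay site (assumed layout).
     Internal applications set EndpointAddress in ApplicationInsights.config
     to this site's /v2/track URL. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: relay telemetry uploads only.
             The match pattern is anchored so that no other path reaches the upstream,
             and the method condition restricts the relay to POST. -->
        <rule name="RelayAppInsightsTrack" stopProcessing="true">
          <match url="^v2/track$" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^POST$" />
          </conditions>
          <!-- Fixed upstream: the URL is not built from any part of the request,
               so a client cannot steer the relay to another host. -->
          <action type="Rewrite" url="https://dc.services.visualstudio.com/v2/track" />
        </rule>

        <!-- Rule 2: everything that did not match rule 1 is refused locally
             and never leaves the network. -->
        <rule name="RejectEverythingElse" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="This site relays Application Insights telemetry only." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this in place the only outbound rule the firewall needs for the relay host is HTTPS to `dc.services.visualstudio.com`, and the IIS log of the relay site records every internal server that submits telemetry.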

ShitalMehta commented 8 years ago

Hello Sergey,

My apologies for the delayed response. We appreciate your time and all the explanation we've received.

We reviewed the option of setting up a Proxy Server [ARR] as a workaround for the App Insight on EBL servers issue. The following points were considered if we set up a Forward Proxy.

  1. We don't have existing scalable proxy servers in our Eco system. We need to procure new servers, which requires larger compliance reviews.
  2. A Proxy server will present a threat of Single Point of Failure. We will have to set up an IIS Cluster Setup. This adds complexity and we basically are adding one more full-fledged IT Application to maintain.

We went to our Infrastructure Org and they have allowed us to use EFL IP addresses on impacted services. We are putting combined solution of EFL IP address to have INSIDE OUT access to internet AND ILB to control/prevent OUTSIDE IN traffic [INGRESS AND EGRESS].

As we are approaching our Quarterly Release in less than two weeks, completing Pilots, Service Redesign and securing sign-offs wasn't possible around the Proxy Solution.

Again, thanks for all your help and please archive/close this incident.

SergeyKanzhelev commented 8 years ago

@ShitalMehta thanks for the update!