traffic manager
2 Topics

one Traffic manager and multiple DNS mapping (pls need clarification on how security is ensured)
Hi Team,

I feel really strange about how Azure Traffic Manager is allowing traffic from multiple custom domains by just adding a CNAME record of the Traffic Manager to them, without enforcing any validation of DNS from the Azure end. Maybe I am wrong, but let me explain in detail.

Here's my setup:

Traffic Manager
\_____ App Gateway(East) & App Gateway(West)
\_WebApp (East) & \_WebApp(West)

An HA setup with applications in East & West.

I've bought a domain from GoDaddy and I added a CNAME record pointing to Traffic Manager (pqr-tm.trafficmanager.net). I did no additional steps for domain validation from Azure. After the DNS propagation happened, the other day when I tried my custom domain (let's say pqr.com), it routed to my WebApp as expected as per the CNAME record.

Now, when I typed http://www.prq.com in https://digwebinterface.com I could see it resolved first to "traffic manager" (it clearly displays my Traffic Manager name), then to the Application Gateway DNS and then to the Application Gateway public IP.

Then my friend said, I'll do a trick, I'll get into your site without my notice. Here's what he did: he has a domain in Yahoo, let's say xyz.com. He opened his Yahoo account, went to DNS settings, and in the Forward URL option he put my Traffic Manager DNS name, which clearly appears in https://digwebinterface.com by just typing my website http://www.prq.com in it. To my surprise, within a minute, when he typed xyz.com in the browser, my WebApp started rendering the page.

So, I thought, where is the security?

Here's my point: https://digwebinterface.com is publicly available. By typing the site name, anyone can get the Traffic Manager URL (if the setup includes it). Then, just by putting the CNAME in their forward URL, if they are able to map my site... where is the security? Or did I miss any step in Traffic Manager which binds my domain to it, so that if anyone else tries to point their domain to my Traffic Manager, it rejects?

Pls help!!

I've a strong feeling that there will be a tightening point which I am not aware of. Pls guide, gurus :)

Thanks,
Kiran

4.5K Views, 0 likes, 3 Comments

Traffic Manager vs Load Balancer for RDP sessions
Hello Azure Team,

My challenge:
- I want to provide access to Virtual Desktops (VDI) deployed in Azure
- I have 3 regions: us, emea, apac
- in each region I have 3 shifts (10h each, with 2h overlap), so each region provides 24/7 support
- I need to reinitialize each VDI every 24h (redeploy a new Windows Terminal Server to make sure no customer data is there for more than 24h)

What would be the right design?

I was thinking to use Traffic Manager (DNS load balancing) nested profiles:
- global profile
- nested emea profile
- nested us profile
- nested apac profile

Then another layer of nested profiles inside each region (3 shifts per region). But the challenge is in the overlaps. I need to make sure my shift2 from emea, starting 2 hours before shift1 in emea is finished, can work correctly. If I switch over at the beginning of the overlap, my shift1 will get new DNS A responses and their RDP sessions could be redirected to a new VDI (they would lose all data). I was thinking to increase the DNS TTL timer to 2 hours, but that looks like a can of worms (I would not have failover if a specific VDI is going down).

Another option is not to do DNS load balancing but application load balancing (using Load Balancer). But I do face similar challenges: how to plan overlapping shifts (each region has all 3 shifts). I would like to use load balancing with the sticky option. This way existing RDP sessions would be redirected to the same VDI; at the beginning of the overlap I would change the weight of the VDI so that all new sessions are redirected to a new VDI, while old sessions would stick with the old VDI.

Would that work? Any recommendations?

Thanks,
Michal

2.1K Views, 0 likes, 2 Comments