问题
In Azure, if you choose to use internal endpoint (instead of input endpoint), https is not an option. http & tcp are the only options. Does it mean internal endpoint is 100% secure and you don't need encryption.
Then it comes to another question. If i choose to use input endpoint between mvc application and wcf service. Is it really necessary to have https between them? Is it OK if i have 2 input endpoints for wcf. One with http on port 80, which is supposed to be used by mvc application. Another with https on port 443, which can be used by somebody else. (not our own application)
回答1:
Do you need to encrypt internal endpoints?
No, a web/worker role cannot connect to an internal endpoint in another deployment. The Azure network prevents this, so man-in-the-middle attacks shouldn't be possible. Therefore, it's not necessary to enable SSL on internal endpoints.
Is is necessary to enable HTTPS on WCF endpoints?
It's certainly possible to configure your application in that way. Why not make the port 80 endpoint on the WCF service an internal one? Or - why not host the WCF application on the same Role, then you can just use the loopback address?
You need to think about the security requirements of your application and go from there.
来源:https://stackoverflow.com/questions/12820368/azure-security-between-web-roles