Designing a hybrid cloud solution
Votexa (formerly known as Club Logistics Services) had all their data stored externally on Azure and other cloud providers without any local backups. This meant that if a datacenter failure occurred, all of their data would be lost without any way to recover it. Of the cloud providers used, only Azure allows for geo-replication of data, but this is too expensive for small or average-sized companies like Votexa.
Normally a local network gateway or an S2S or P2S VPN gateway has to be created between a cloud provider and the on-premises network to ensure data is transmitted securely. But Votexa sadly has their data stored in different resources, meaning that multiple gateways need to be created or a data warehouse needs to be used, which is too expensive.
So alongside creating a local backup of their data, they also needed to streamline their data landscape into a single database which could be used for data analytics purposes. More about this can be read on the project page “Mapping company data flow”.
I told them to cancel the subscriptions with the other cloud providers and make a data dump of all the different files into an Azure Storage Account. Next I advised them to use Azure Functions to streamline the communication between the different Azure resources, as this is the only Azure resource which can access and communicate between Azure resources based on events.
Azure Functions has different pricing options, namely the “Consumption Plan” and the “Premium Plan”. Private connections to an on-premises server can only be set up in the Premium Plan, which is too expensive for a company their size (±1500 euros a month), so the Consumption Plan was preferred. To get around the limitation set by Microsoft, the data needed to be relayed from an external location to the on-premises server. This external PC should run two virtual machines: one running a public REST API and the other a VPN server. Encrypted data can be sent from an Azure Function to this REST API, which writes it to a queue stored on a drive shared between the two VMs. The other VM can dequeue messages and send them to the on-premises VPN access point through a P2S VPN gateway.
When the data is received on the on-premises server it is decrypted and stored in a local SQL Server instance where analytical tools can access it.
I have insisted multiple times that this solution is not secure, as anybody can make calls to the REST API. Although you can set up basic security measures with Auth0, this is by far less secure than directly having a P2S VPN connection. Votexa said they wanted a solution as cheap as possible without any regard to security.
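To make the relay design and its weak point concrete, the following is an added example written for this page; it is not Votexa's code nor the author's implementation. It models the queue on the drive shared between the two relay VMs as a directory of files, and shows the open enqueue path the text warns about (anyone who can reach the REST API can drop messages into the queue) next to a hardened variant that requires an HMAC tag over the message computed with a secret shared only with the Azure Function, plus a timestamp window and a nonce cache so captured requests cannot be replayed. The shared secret, the directory path, the 300-second skew window and the message framing are all assumptions for illustration; the payload is treated as an opaque blob already encrypted by the Function, as the page describes.

```python
"""
Relay queue for the two-VM design, in two variants (added example, not the
project's code). Module state is a temp directory standing in for the shared
drive; the secret and framing below are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import tempfile
import time
from pathlib import Path
from typing import Optional

# Stand-in for the drive shared between the REST API VM and the VPN VM.
SHARED_DRIVE = Path(tempfile.mkdtemp())
QUEUE_DIR = SHARED_DRIVE / "queue"
QUEUE_DIR.mkdir(exist_ok=True)

MAX_SKEW_SECONDS = 300          # assumed acceptable clock drift between Function and relay
_seen_nonces = set()            # in-memory replay cache (a persistent store in production)


def enqueue_unauthenticated(ciphertext: bytes) -> str:
    """The design as described: whatever reaches the REST API is queued.
    Returns the queue file name so the caller can track it."""
    name = f"{time.time_ns()}-{secrets.token_hex(4)}.msg"
    (QUEUE_DIR / name).write_bytes(ciphertext)
    return name


def sign_request(secret: bytes, ciphertext: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over timestamp, nonce and payload; the Azure Function side
    would compute this with the secret held in its app settings (assumption)."""
    framed = b"%d|%s|" % (ts, nonce.encode()) + ciphertext
    return hmac.new(secret, framed, hashlib.sha256).hexdigest()


def enqueue_authenticated(secret: bytes, ciphertext: bytes, ts: int, nonce: str,
                          tag: str, now: Optional[int] = None) -> Optional[str]:
    """Hardened REST API handler: reject stale, replayed or unsigned requests.
    Returns the queue file name on success, None on rejection."""
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None                                  # outside the freshness window
    if nonce in _seen_nonces:
        return None                                  # replay of an earlier request
    expected = sign_request(secret, ciphertext, ts, nonce)
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return None                                  # wrong or missing secret
    _seen_nonces.add(nonce)
    return enqueue_unauthenticated(ciphertext)


def dequeue() -> Optional[bytes]:
    """VPN VM side: take the oldest message off the shared queue for forwarding
    over the P2S tunnel. Returns None when the queue is empty."""
    files = sorted(QUEUE_DIR.iterdir())
    if not files:
        return None
    data = files[0].read_bytes()
    files[0].unlink()
    return data


if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # constructed shared secret
    blob = b"<ciphertext produced by the Azure Function>"  # constructed payload
    ts, nonce = int(time.time()), secrets.token_hex(8)
    tag = sign_request(key, blob, ts, nonce)
    print("accepted:", enqueue_authenticated(key, blob, ts, nonce, tag))
    print("replay  :", enqueue_authenticated(key, blob, ts, nonce, tag))
    print("forged  :", enqueue_authenticated(key, blob, ts, "x", "00" * 32))
    print("dequeued:", dequeue())
```

The unauthenticated path is kept only to show the gap: with it exposed, the relay accepts unlimited input from anyone and the queue fills with whatever arrives. The authenticated path does not replace the VPN the text recommends, but it closes the "anybody can call it" hole cheaply; the nonce cache would need to be persistent and shared if the REST API VM is ever scaled out.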