Consider the following network security setup:
     Users               Internet
       |
====Firewall====         Port 80, 443 only
       |
   Web Server            DMZ - ASP.NET MVC + Web API
       |
====Firewall====         Port 80, 443 only
       |
  "App" Server           WCF or ASP.NET Web API ??
       |
    Database             Internal network
I have seen the above network setup at many client premises. The IT infrastructure team doesn't allow the web server in the DMZ to establish a direct connection to the SQL Server hosted in the internal network over port 1433. The irony is that I've seen web.config lying around on the web server with plain-text DB passwords, which they're OK with.
Usually I've seen and worked on solutions where WCF is hosted on the "App" server (as it can be used on HTTP ports), as shown in the diagram. WCF becomes the only way for the web frontend to interact with the DB. One "benefit" of using WCF is that it returns strongly typed objects which are easy to consume from the ASP.NET MVC frontend.
Questions:
Please note that we cannot use ASP.NET Core at present.
Since this is a recurring problem, I'd really like to hear from the community if there is a better solution than using WCF.
I have just done a system with the same issue: DB access is restricted to an App server.
The method we chose to employ was an MVC front end and a Web API back end hosted on the App server.
To get the strong typing that you would typically get over WCF, we opted for a tool called Refit: https://github.com/paulcbetts/refit. It allows you to turn an interface with a pre-configured URL template into an object you can inject via a normal DI container, making it very testable and removing a lot of the boilerplate HttpClient code. This works really well with a Web API back end.
Build an IIS reverse proxy in your DMZ area and you do not need two separate servers (web + app). When the reverse proxy routes all relevant traffic to your web server, you can run it in the internal network.
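As an added illustration (not code from the answer above or from the Refit project), here is a typed Refit client as it might sit in the MVC tier; the DTO, the routes and the host name are assumptions. The web server holds only the App server's base URL, so no SQL connection string needs to live in its web.config.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using System.Web.Mvc;
using Refit;

// Hypothetical DTO, shared by both tiers through a common contracts assembly.
public class OrderDto
{
    public int Id { get; set; }
    public string Customer { get; set; }
    public decimal Total { get; set; }
}

// Refit generates the HttpClient plumbing for this interface.
// The routes are assumptions about the Web API hosted on the App server.
public interface IOrdersApi
{
    [Get("/api/orders/{id}")]
    Task<OrderDto> GetOrderAsync(int id);

    [Get("/api/orders")]
    Task<List<OrderDto>> SearchAsync([AliasAs("customer")] string customerName);

    [Post("/api/orders")]
    Task<OrderDto> CreateAsync([Body] OrderDto order);
}

public class OrdersController : Controller
{
    private readonly IOrdersApi _orders;

    // Injected by the DI container, which registers a single instance built with
    // RestService.For<IOrdersApi>("https://appserver.internal.example") (placeholder host).
    public OrdersController(IOrdersApi orders)
    {
        _orders = orders;
    }

    public async Task<ActionResult> Details(int id)
    {
        try
        {
            // Strongly typed result, as with a WCF proxy, but over plain HTTPS on port 443.
            return View(await _orders.GetOrderAsync(id));
        }
        catch (ApiException ex) when (ex.StatusCode == HttpStatusCode.NotFound)
        {
            // Map the back end's 404 to a 404 here instead of surfacing a stack trace.
            return HttpNotFound();
        }
    }
}
```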
      Users              Internet
        |
====Firewall====         Port 80, 443 only
        |
IIS Reverse Proxy        DMZ
        |
====Firewall====         Port 80, 443 only
        |
   Web Server            ASP.NET MVC
        |
    Database             Internal network