WCF Routing Service & VPN

In this sample scenario the customer offered outsourcing services to its business partners. The customer would host a white labelled website which each of its partners would have an instance of but behind the scenes the applications would all hook into the same internal WCF Services. This application had been working very well for a while. The customer would host the websites in their DMZ so they could be exposed to the public but their internal WCF services were hosted on the internal network and a firewall port was opened to allow the application to talk to the WCF services over port 443.

The customer won some new business with a new business partner who liked the white labelled website product offering but the new business partner had a requirement to host their instance of the website themselves and it had to be hosted in their data centre which was in a different location. This was the pre-cloud days so the option of using a cloud based bridging technology was not available but there were a number of networking options available.

A VPN was created between the new partners data centre and the DMZ in the customers data centre. An instance of the WCF Routing Service was deployed in the DMZ and firewall and networking rules were created to allow the application hosted in the partner data centre to be able to access the server hosting the WCF Routing Service. The web application which was deployed in the partner data centre was then updated so that its url’s pointed to the Routing Service and when calls were made the routing service would forward then on to the WCF Services existing on the internal network. This was a very low cost way to implement this routing/gateway pattern.

The role played by the WCF Routing Service was an important one because the customer did not want to allow the partner to access any resources on their internal network directly for security reasons. The existing services though were inside this internal network. We needed to implement a man in the middle to route the traffic and to be able to implement some security which could be translated across the WCF stack.

There are a number of ways to solve this problem but by using the WCF Routing Service once the VPN was in place we were able to implement this pattern by simply hosting a web.config file inside IIS. This meant that the application in the partner data centre was the only thing that could access the router and the router was able to forward messages to the appropriate destination. It only took some lines of simple configuration to do this.