Saturday, September 3, 2022

Multitenancy and network virtualization (continued):

Some of the best practices for virtual networks are universal design principles. For example, address spaces must not overlap. The subnets should not consume the entire address space of the virtual network. There should be fewer, larger virtual networks rather than numerous small ones. The virtual networks must be secured by assigning network security groups to the subnets underlying the VNet.
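The design principles above can be checked mechanically before a network plan is deployed. The following is an added example, not code from the original post: it takes a constructed address plan (VNet names, address spaces, subnets and the NSG attached to each, all sample values) and reports non-overlapping VNet spaces, subnets that fit inside their VNet without exhausting it, and subnets missing a network security group.

```python
"""Sanity checks for a virtual network address plan (added example).

The plan structure and the names/prefixes in PLAN are constructed sample data,
not taken from any real deployment.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# plan: {vnet name: (address space, {subnet name: (prefix, nsg name or None)})}
Plan = Dict[str, Tuple[str, Dict[str, Tuple[str, Optional[str]]]]]

PLAN: Plan = {
    "vnet-hub": ("10.0.0.0/16", {
        "GatewaySubnet": ("10.0.0.0/24", "nsg-gateway"),
        "PrivateLinkSubnet": ("10.0.1.0/24", "nsg-privatelink"),
    }),
    "vnet-app": ("10.1.0.0/16", {
        "AppSubnet": ("10.1.0.0/17", "nsg-app"),
        "DataSubnet": ("10.1.128.0/17", None),      # no NSG, and the two /17s fill the /16
    }),
    "vnet-legacy": ("10.0.128.0/17", {             # overlaps vnet-hub's 10.0.0.0/16
        "Default": ("10.0.128.0/24", "nsg-legacy"),
    }),
}


def check_plan(plan: Plan) -> List[str]:
    """Return a list of findings; an empty list means the plan passes every rule."""
    findings: List[str] = []
    spaces = {name: ipaddress.ip_network(space) for name, (space, _) in plan.items()}

    # Rule 1: VNet address spaces must be non-overlapping (peering and routing
    # between overlapping spaces is ambiguous or refused outright).
    names = sorted(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                findings.append(f"overlap: {a} {spaces[a]} and {b} {spaces[b]}")

    for name, (_, subnets) in plan.items():
        vnet = spaces[name]
        used = 0
        seen: List[ipaddress.IPv4Network] = []
        for sname, (prefix, nsg) in subnets.items():
            net = ipaddress.ip_network(prefix)
            # Rule 2a: each subnet must lie inside its VNet's address space.
            if not net.subnet_of(vnet):
                findings.append(f"{name}/{sname}: {net} is not inside {vnet}")
                continue
            # Rule 2b: subnets within one VNet must not overlap each other.
            for other in seen:
                if net.overlaps(other):
                    findings.append(f"{name}/{sname}: {net} overlaps {other}")
            seen.append(net)
            used += net.num_addresses
            # Rule 3: every subnet should carry a network security group.
            if nsg is None:
                findings.append(f"{name}/{sname}: no network security group assigned")
        # Rule 2c: leave headroom; subnets must not consume the whole VNet space.
        if used >= vnet.num_addresses:
            findings.append(f"{name}: subnets consume the entire {vnet}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```

Run against the sample plan it reports three findings: the hub/legacy overlap, the missing NSG on DataSubnet, and vnet-app having no free address space left for future subnets.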

When a resource is hidden from the public internet, it eliminates a common attack vector. An application can connect to this resource over a fully private connection.  

There are three design patterns for private connectivity that are commonly used:

Connection from another service using an Azure Private Endpoint for inbound connectivity
Connection over a virtual network integration
Connection over an App Service Environment, which hosts the web application within an isolated environment

The virtual network in this pattern exists only to route traffic; no specific network appliances are installed in it. Other subnets and workloads could also run in this virtual network and reach the resource without going over the internet. Private Link is used to set up a private endpoint for the resource in the PrivateLinkSubnet of the virtual network. Any application then connects to the resource through the PrivateLinkSubnet. The resource's firewall allows only traffic arriving through the PrivateLinkSubnet, which makes the resource inaccessible from the public internet. The difference between a private endpoint and a private link is that the private endpoint provides a private connection to a resource regardless of whether public access is enabled, while the private link hides the resource so that it is reachable exclusively over private access.

The App Service and private link subnets could also be in separate virtual networks, but they must be peered. Virtual network integration routes traffic from the consuming services only to the private addresses in the network, while DNS resolution still returns the resource's public IP address. This can be overcome by adding an alias record or a name-record delegation in the parent domain. If the consuming services set their traffic to "route all" through the virtual network integration, that also forwards traffic to the private IP address of the resource. Finally, with a service endpoint strategy rather than a private endpoint strategy, the private endpoint, the PrivateLinkSubnet and the Route All regional VNet integration setting all become unnecessary; only the VNet integration is needed. A service endpoint differs from a private endpoint in that it applies not to a specific resource instance but to the entire service. For example, applied to the SQL Server service, it would apply to all SQL Servers of all customers rather than to one specific SQL Server instance.

Name resolution applies to virtual networks. How a name resolves to an IP address depends on whether there is a single instance or many instances of the multitenant application. For example, a CNAME for a tenant's custom domain might point to a multi-part subdomain of the multitenant application solution provider. Since the provider wants to route correctly to multiple instances, it might keep a CNAME record for each instance's subdomain that routes to that instance, together with an A record for that specific instance pointing to the IP address in the provider's domain. This chain of records resolves requests for the custom domain to the IP address of the right instance among the many deployed by the provider.

Validation of custom domains is a necessity for onboarding tenants. Without validation, tenants might accidentally or maliciously park a domain name, and typos in custom domain names are encountered often. Parking causes an error for anyone else who wants to use that custom domain, with the message that the domain name is already in use. Custom domain names, especially in a self-service or automated process, require a domain verification step. A CNAME record or a DNS TXT record might be added to reserve the domain name until verification is completed. Private DNS domains as well as custom domain names are supported with private virtual networks.

#codingexercise

Check whether some root-to-leaf path in a BST sums to a given value.

bool hasPathSum(Node root, int sum)
{
    // An empty tree has no root-to-leaf path, so nothing can match.
    if (root == null) return false;
    int newsum = sum - root.data;
    // A leaf ends the path: it matches only if the remaining sum is consumed exactly.
    if (root.left == null && root.right == null) return newsum == 0;
    // Otherwise continue down either child with the remaining sum.
    return hasPathSum(root.left, newsum) || hasPathSum(root.right, newsum);
}
