In a microservice architecture it's quite common to have tens of "internal" services, i.e. those services that are only intended to be called by other services in the architecture and not publicly accessible.
We're very happy with Azure Cloud Services (web and worker roles) and all the nice PaaS deployment benefits they bring. We'd like to develop several internal microservices as Azure Cloud Services but at the same time avoid having to add custom application security code to them (OAuth etc.) by ensuring they can only be accessed by other machines in the same Azure Virtual Network.
What are the options for achieving this? Is there any way to stop an Azure Cloud Service being assigned a Public VIP Address / Site URL (*.cloudapp.net)?
One option we're aware of is using the IIS ipSecurity element to lock down the services to a defined range of internal IP addresses, but we're wondering if there are any better alternatives?
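
The ipSecurity option mentioned in the question, shown as an added example that is not part of the original post. The 10.0.0.0/16 range is a constructed placeholder for the virtual network's address space.

```xml
<!-- web.config fragment for the web role (added example).
     10.0.0.0 / 255.255.0.0 is a placeholder; substitute the virtual
     network's real address space. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" rejects every client not matched below.
           The default, allowUnlisted="true", admits any address that is
           not explicitly denied, which leaves the service open. -->
      <ipSecurity allowUnlisted="false">
        <!-- Callers inside the virtual network (placeholder range) -->
        <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
        <!-- Requests made locally on the instance itself -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

IIS only honours this section when the IP and Domain Restrictions role service is installed and the ipSecurity section is unlocked at server level, where it is locked by default. The filter rejects requests inside IIS, so the public endpoint itself still exists and still accepts connections.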