I've deployed RavenDB to Azure and run it under IIS in one web role.
Now I would like to restrict access to it to either other web roles / worker roles or certain admin users.
What are the possible options and their pros and cons?
Here's what I've managed to find out up to now:
I know that RavenDB supports Windows authentication, but I've read that it's difficult to use it in Azure. Is it possible to create a local user on web role start up?
Can I somehow use Azure ACL to restrict access to the RavenDB web role?
Should I use certificates?
Should I start reading about federated identity?
I don't think I can restrict access by IP, as I want to be able to create new roles and also access the db role from the internet.
I would prefer a solution that wouldn't stop / hinder me from spinning up new instances of web / worker roles that need to talk to my db role.