How to secure access from App Service To Azure Sql Database using virtual network?

Scenario

I want to use a virtual network in order to limit access to the Azure SQL Database to only my App Service, so that I can turn off "Allow access to App Services" in the firewall settings.

Allow access to App Services screenshot

What I have done:

  1. I went to App Service -> Networking -> VNET Integration -> Setup -> Create New Virtual Network.
  2. I created a new VNET with default settings.
  3. When the VNET was created, I went to App Service -> Networking -> VNET Integration and ensured that the VNET is connected.
  4. I went to SQL Firewall settings -> Virtual Network -> Add existing Virtual Network and selected my VNET. I left the default subnet and address space, "default / 10.0.0.0/24", and left the IgnoreMissingServiceEndpoint flag unchecked.

I can now see the Microsoft.Sql service endpoint in my VNET (screenshot).

Question

However, I'm still getting:

SqlException: Cannot open server 'my-sqlserver' requested by the login. Client with IP address '52.233..' is not allowed to access the server.:

What am I missing?

Liero, asked May 23 '18 08:05

1 Answer

If you want to lock down access from your app to a service such as Azure SQL, Storage, Cosmos DB, etc. with service endpoints, you can use the new VNet Integration feature. The earlier form of the feature requires a gateway and builds on point-to-site VPN. The source IP from your app will be one of the point-to-site addresses. Service endpoints only work if your source IP is one of the VNet addresses.

With the new VNet Integration, your app backend will make calls with IPs in the selected subnet. That means you can set service endpoints on that subnet.

This is not to be confused with service endpoints TO your app. That is the recently released capability to lock traffic to your app down to selected VNet/subnets.

Christina Compy, answered Sep 18 '22 14:09
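The setup the answer describes, written out as an added Bicep template (not part of the original post or of any Azure sample): the app's delegated integration subnet carries the Microsoft.Sql service endpoint, the SQL server gets a VNet rule for that subnet with the missing-endpoint check kept strict, and the 0.0.0.0 "allow Azure services" firewall rule is deliberately absent. Resource names, the address space and the plan SKU are assumptions.

```bicep
// Constructed example: regional VNet Integration + Microsoft.Sql service endpoint,
// so the SQL firewall admits only traffic sourced from the app's delegated subnet.
param location string = resourceGroup().location
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'app-vnet'          // assumed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
  }
}

// Subnet the app's outbound calls will originate from. Two things matter here:
// the Microsoft.Web/serverFarms delegation (required for regional VNet Integration)
// and the Microsoft.Sql service endpoint (so SQL sees the subnet, not a public IP).
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'app-integration'
  properties: {
    addressPrefix: '10.0.0.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Sql' } ]
    delegations: [
      { name: 'webapp', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'app-plan'
  location: location
  sku: { name: 'S1' }       // VNet Integration needs Standard tier or higher
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'my-app'            // assumed name
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: appSubnet.id   // regional VNet Integration
  }
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'my-sqlserver'
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Enabled'   // service endpoints still use the public endpoint
  }
}

// The only ingress rule. ignoreMissingVnetServiceEndpoint: false makes the deployment
// fail loudly if the subnet lacks the Microsoft.Sql endpoint instead of silently
// accepting a rule that would never match.
resource vnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2021-11-01' = {
  parent: sqlServer
  name: 'allow-app-subnet'
  properties: {
    virtualNetworkSubnetId: appSubnet.id
    ignoreMissingVnetServiceEndpoint: false
  }
}
// Deliberately absent: a Microsoft.Sql/servers/firewallRules resource with
// startIpAddress/endIpAddress '0.0.0.0' (the "allow Azure services" toggle), which
// would readmit any Azure-hosted client, including the 52.233.x.x source in the error.
```

If the SqlException still names a public IP after deploying this, the app is not yet sending traffic through the integration subnet; check that the web app's Networking blade shows the subnet as connected before touching the firewall again.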