How to secure access from App Service To Azure Sql Database using virtual network?

Question

Scenario

I want to use virtual network in order to limit access to Azure Database only from my App Service, so that I can turn of "Allow access to App Services" in firewall settings

What I have done:

1. I went to App Service -> Networking -> VNET Integration -> Setup -> Create New Virtual Network
2. I've created new VNET with default settings.
3. When VNET was created I went to App Service -> Networking -> VNET Integration and ensured that the VNET is connected
4. I went to SQL Firewall settigs -> Virtual Network -> Add existing Virtual Newtork and selected my VNET. I've left default subnet and address space: "default / 10.0.0.0/24" and I've left IgnoreMissingServiceEndpoint flag unchecked.

I can now see Microsoft.Sql service endpoint in my VNET:

Question

However, I'm still getting

SqlException: Cannot open server 'my-sqlserver' requested by the login. Client with IP address '52.233..' is not allowed to access the server.:

What am I missing?

Answer 1

If you want to lock down access from your app to a service such as Azure SQL, Storage, Cosmos DB, etc with service endpoints, you can use the new VNet Integration feature. The earlier form of the feature requires a gateway and builds on point to site VPN. The source IP from your app will be one of the point to site addresses. Service endpoints only works if your source IP is one of the VNet addresses.

With the new VNet Integration, your app backend will make calls with IPs in the selected subnet. That means you can set service endpoints on that subnet.

This is not to be confused with service endpoints TO your app. That is the recently released capability to lock traffic to your app down to selected VNet/subnets.