How to secure access from App Service To Azure Sql Database using virtual network?

Submitted by ∥☆過路亽.° on 2019-11-30 09:35:52

Unfortunately, you cannot achieve this scenario for now.

Why:

  1. When you use VNET Integration with your Web App, your web App can communicate with the VNET like Web App <---> VNET.

  2. When you use the SQL firewall to allow traffic from a specific VNet, the traffic from the VNet address space can communicate with your SQL like VNet <---> SQL server.

  3. When all configurations are set up, your scenario should be Web App <---> VNET <---> SQL server. The important thing is that the traffic from the Web App cannot go through the VNET to the SQL server, because the Web App is not within the VNET, it's outside the VNET! So, when you use the Web App to try to access the SQL server, the traffic is not from the VNET.

Solution:

The solution is that put your Web App into the VNet. So, you can use Azure ASE to achieve this.

Reference:

VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, start with the article here: Creating and using an ILB ASE.

Similar case: App Service VNet Integration with Azure Storage Service Endpoint

If you want to lock down access from your app to a service such as Azure SQL, Storage, Cosmos DB, etc. with service endpoints, you can use the new VNet Integration feature. The earlier form of the feature requires a gateway and builds on point to site VPN. The source IP from your app will be one of the point to site addresses. Service endpoints only work if your source IP is one of the VNet addresses.

With the new VNet Integration, your app backend will make calls with IPs in the selected subnet. That means you can set service endpoints on that subnet.

This is not to be confused with service endpoints TO your app. That is the recently released capability to lock traffic to your app down to selected VNet/subnets.

One option to consider that would allow you to remove the firewall setting "Allow access to App Services" is to add firewall rules for the outbound IP addresses of your specific App Service(s).

You can find the current list in the Properties section of the App Service, or with PowerShell...

$outboundIps = (Get-AzureRmResource -ResourceGroupName $rg -ResourceType Microsoft.Web/sites -ResourceName $appService).Properties.outboundIpAddresses

A couple of important caveats.

  1. The outbound IPs can change, but do so predictably (see link below). I run PowerShell scripts as part of a VSTS release process that updates the firewall rules. (If you also manage your resources and their scale through your release process rather than the Azure portal, this approach seems reliable.)

  2. I haven't been able to find any information to confirm whether these IPs are unique to your App Service. This is a risk to consider.

https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-addresses
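The release-time script the answer above describes, written out as an added example (it is not the answerer's script). It uses the newer Az module rather than the AzureRm cmdlet quoted above, and every resource name in it is an assumption. It reconciles the SQL server firewall with the App Service's current outbound IPs: rules it manages carry a fixed name prefix so hand-made rules are left alone, stale rules are removed rather than accumulating, and it warns if the broad "Allow Azure services" rule is still present, since that rule is what the per-IP rules are meant to replace.

```powershell
# Added example (not from the original answer): reconcile Azure SQL server firewall
# rules with the current outbound IPs of an App Service, using the Az module.
# All resource names below are assumptions.
$rg         = 'rg-example'          # assumption
$appService = 'app-example'         # assumption
$sqlServer  = 'sql-example'         # assumption (server name without .database.windows.net)
$rulePrefix = 'appsvc-outbound-'    # rules managed by this script carry this prefix

# Outbound IPs currently in use by the app. PossibleOutboundIpAddresses is the
# superset the app can use across scale tiers; switch to it if you scale between releases.
$site      = Get-AzWebApp -ResourceGroupName $rg -Name $appService
$wantedIps = $site.OutboundIpAddresses -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

# Rules this script already manages (only those with our prefix).
$existingRules = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object { $_.FirewallRuleName -like "$rulePrefix*" }
$existingIps = $existingRules | ForEach-Object { $_.StartIpAddress }

# Add a single-address rule (Start = End) for every IP not yet allowed.
foreach ($ip in $wantedIps) {
    if ($existingIps -notcontains $ip) {
        New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName ($rulePrefix + $ip.Replace('.', '-')) `
            -StartIpAddress $ip -EndIpAddress $ip | Out-Null
        Write-Host "Added rule for $ip"
    }
}

# Remove rules for IPs the app no longer uses, so the allow list does not go stale.
foreach ($rule in $existingRules) {
    if ($wantedIps -notcontains $rule.StartIpAddress) {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName $rule.FirewallRuleName | Out-Null
        Write-Host "Removed stale rule $($rule.FirewallRuleName)"
    }
}

# "Allow Azure services" appears as the rule AllowAllWindowsAzureIps (0.0.0.0-0.0.0.0).
# The per-IP rules above are meant to replace it, so flag it if it is still there.
$allowAzure = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object { $_.FirewallRuleName -eq 'AllowAllWindowsAzureIps' }
if ($allowAzure) {
    Write-Warning "'Allow Azure services' is still enabled on $sqlServer; remove it once the per-IP rules are in place."
}
```

The second caveat in the answer still applies to this script: the outbound addresses belong to the App Service scale unit, so an IP rule admits any app that shares that unit, not only yours. Treat the rules as a reduction of exposure, not as tenant isolation.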

With the latest launch of new service named Private Link, you can now setup private endpoint to access Azure SQL database.

With today’s announcement of Azure Private Link, you can simply create a private endpoint in your VNet and map it to your PaaS resource (Your Azure Storage account blob or SQL Database server).
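The private endpoint setup the answer above refers to, as an added example that is not part of the original post. It assumes the Az.Sql, Az.Network and Az.PrivateDns modules, an existing VNet with a subnet reserved for private endpoints, and an App Service that already has regional VNet Integration into that VNet; all names are assumptions. It creates the endpoint for the SQL server, wires up the private DNS zone so the server's normal FQDN resolves to the private IP from inside the VNet, and then disables the server's public endpoint, which is what makes the IP allow list from the previous answer unnecessary.

```powershell
# Added example (not from the original answer): private endpoint for an Azure SQL
# server plus private DNS, then close the public endpoint. All names are assumptions.
$rg        = 'rg-example'              # assumption
$location  = 'westeurope'              # assumption
$vnetName  = 'vnet-example'            # assumption: existing VNet
$peSubnet  = 'snet-privateendpoints'   # assumption: existing subnet for private endpoints
$sqlServer = 'sql-example'             # assumption: existing SQL logical server

$server = Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServer
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $peSubnet -VirtualNetwork $vnet

# 1. Private endpoint: a NIC in the subnet mapped to the server's 'sqlServer' sub-resource.
$conn = New-AzPrivateLinkServiceConnection -Name "$sqlServer-plsc" `
    -PrivateLinkServiceId $server.ResourceId -GroupId 'sqlServer'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "$sqlServer-pe" `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS: <server>.database.windows.net must resolve to the private IP inside the VNet,
#    otherwise clients keep hitting the public address you are about to disable.
$zoneName = 'privatelink.database.windows.net'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
}
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'sql' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Close the public endpoint. After this the firewall allow list is irrelevant:
#    only traffic arriving through a private endpoint reaches the server.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServer -PublicNetworkAccess 'Disabled' | Out-Null

# Check from inside the VNet (App Service console or a VM in the VNet):
#   Resolve-DnsName "$sqlServer.database.windows.net"
# should return an address from the private-endpoint subnet, not a public IP.
```

Order matters here: disable public access only after the DNS zone group is in place and a connection from the integrated App Service has been verified, otherwise the app loses its path to the database without any firewall rule to fall back on.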
