
I have an Azure application that runs on PaaS architecture. To access Azure resources like SQL or AAD, I would like that to go through a secure virtual machine instead of from personal devices, which is what happens today.

The problem today is that access is from personal devices, which can be a personal PC or laptop. Secondly, if the personal laptop is compromised this presents a risk. Third point: IP addresses change from ISPs when coming from a personal device, which means that multiple IP address entries are required for the SQL firewall. If access is from a VM, the hassle of managing public IP address entries can be eliminated.

What is the best way to configure this (jump host, bastion host, VPN), and is it possible to have more than one virtual machine for access from a disaster recovery perspective? I am after a few options with some comments on the cost implications please, and whether it can be on demand. Please note that there is currently no VNet.

learner
  • You have an application that directly accesses back-end resources like DB from the client it's running on? – vidarlo Jun 11 '22 at 19:52
  • I meant users can access the DB directly from personal devices remotely. I would want them to go through a VM or so and not have direct access from home, where their public IP often changes. – learner Jun 12 '22 at 07:34

1 Answer


You can restrict access to the Azure Portal by applying conditional access policies that restrict access to certain IP addresses. This does require Azure AD P2 licences to do that. You can see an example of doing that here.

Once you enable CA, it should just be a case of adding the external IPs of the resources you do want to have access to the policy.

Sam Cogan
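As an added illustration of the approach in the answer above (not part of the original post), these are the two Microsoft Graph requests that register a jump VM's static egress IP as a named location and then block Azure management from every other location. The CIDR is a constructed placeholder, the object ids in angle brackets must be filled in from your tenant, and the application id is the well-known one for the Windows Azure Service Management API.

```http
### 1. Register the jump VM's static public IP as a named location
### (203.0.113.10/32 is a constructed placeholder, not a real address)
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.ipNamedLocation",
  "displayName": "Jump VM egress",
  "isTrusted": true,
  "ipRanges": [
    {
      "@odata.type": "#microsoft.graph.iPv4CidrRange",
      "cidrAddress": "203.0.113.10/32"
    }
  ]
}

### 2. Block Azure management for all users from every location
###    except the named location created in step 1. The policy starts
###    in report-only mode so sign-in logs show what it *would* block
###    before anyone is locked out; switch "state" to "enabled" after review.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-Type: application/json

{
  "displayName": "Azure management: jump VM only",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["<named-location-id-from-step-1>"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Because the policy is a block with the named location excluded, only sign-ins that arrive from the jump VM's address reach the Azure management plane; a second VM for disaster recovery is handled by adding its address as another entry in the same named location.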