Since Azure SQL have only DNS address and no IP , we can not enforce ACL's/NSG's on our Azure app VM as it needs to communicate with our Azure SQL.. ACL's/NSG's only have IP ranges restriction..no DNS restrictions..
So , potentially, a hacker who managed to sneak to our Azure App VM , can push its stolen data to what ever IP he wants as long as he is going out in port 1433.
Anyway we can restrict outbound communication from Azure VM only to our Azure SQL ?
You are correct, you can not place an Azure SQL Database within a Virtual Network (VNet). Also, you can only configure a NSG Outbound Security rule to use a Tag that restricts communication to Internet, Azure Load Balancer, or Azure Traffic Manager endpoint. So, unfortunately, it's currently not possible to restrict an Azure VM with NSG to only be able to communicate to a specific Azure SQL Database over Port 1433.
However, on the other side you can restrict the Azure SQL Database firewall rules to only allow your Azure VM to connect to the database by specifying it's IP Address in the SQL Database Firewall rules.
