1

For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.

For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?

or I need to do something else?

Mohamed Wali
  • 185
  • 10

5 Answers5

2

This is not as easy as it should be. SQL Azure is not designed to be virtual network friendly so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs however, this won't be possible without writing a custom updater for the database which picks up IP address changes.

You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.

Lukos
  • 1,826
  • 1
  • 15
  • 29
  • "SQL Azure is not designed to be virtual network friendly" This has changed recently. See: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview – David Browne - Microsoft Jul 12 '18 at 15:51
  • @DavidBrowne-Microsoft i tried the following with the same result ... how can i achive this [link](https://stackoverflow.com/q/50483132/4810304) – Brandy23 Sep 06 '18 at 23:35
  • I think MS have added new functionality to VNETs to help with this, although it is not fully estasblished yet. This article should describe how to do what you need: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview – Lukos Sep 10 '18 at 08:23
2

The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.

This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.

You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.

Or use the newer and much better Private Link for Azure SQL Database.

David Browne - Microsoft
  • 80,331
  • 6
  • 39
  • 67
  • Managed Identities are a nice step, but you'll still want network security. Unfortunately, Virtual Network service endpoints don't work unless your app service is in the same region as your DB, so not useful beyond test / toy applications. – Josh Noe Feb 26 '21 at 00:29
  • That's one reason why Service Endpoints have been superseded by Private Link, which actually puts the service behind an IP on your VNet. https://learn.microsoft.com/en-us/azure/private-link/ Updated the answer with newer alternatives. – David Browne - Microsoft Feb 26 '21 at 01:28
0

Some of the ways to secure the connection to the sql database that could be considered in this case are -

  1. As you mentioned you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the sql server level and the database level(we can use SSMS to configure the firewall at the database level).

  2. We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.

  3. The third way would be the traditional way(even if we were not using azure db) we would prevent unauthorized access by creating users/roles/permissions.

  4. A very nice feature I found Azure db provides is the Threat Detection Capability. If you turned that on we would be notified of the possible vulnerabilities of the current db/server setup. And also where can we make improvements to fix those issues.

Avanish
  • 345
  • 3
  • 9
0
  1. Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
  2. Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
Anupam Chand
  • 2,209
  • 1
  • 5
  • 14
-1

In short yes.

You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.

4c74356b41
  • 69,186
  • 6
  • 100
  • 141