0

I have an ASP.NET Web API deployed on an App Service Web App, and a SQL Azure instance separately. I created the two using the Web App + SQL template in Azure.

I have allowed the SQL Azure access to my own localhost's IP so I can open it in SQL Server Management Studio.

For now, I have also set a rule in the SQL Azure's firewall settings to allow all outbound IP's where my App Service has been deployed. I copied the list of outbound IP's of my App Service from the Properties blade in my App Service settings. Please see below.

enter image description here

But I was wondering about three things:

  1. Will Azure ever change these IP's?

  2. And if and when it does, I'll have to re-enter the new ones in my SQL Azure firewall settings and delete the old ones? What if I forget the old ones because there'll be no place to see the old ones from, and if I just end up deleting all the wrong IP's?

  3. Is it even necessary to provide these IP's to the firewall? Or is just having the Allow access to Azure Services switch turned to on enough? But I believe, from reading the help tool-tip that this switch is only to allow Azure services such as the Query Editor et al to access your database.

enter image description here

Water Cooler v2
  • 32,724
  • 54
  • 166
  • 336

3 Answers3

1
  1. no, not under normal circumstances, if that would happen you will get an email warning you in advance.
  2. call them something meaningful?
  3. that is enough, but that is an overkill, you can narrow it down to just your outbound addresses
4c74356b41
  • 69,186
  • 6
  • 100
  • 141
  • 1
    Thanks for the clarification. That was all I needed. – Water Cooler v2 Jan 31 '19 at 06:57
  • I *just* created another brand new API with a brand new SQL Azure database and did not at all set its firewall rule to allow incoming requests from my API, and the API was still able to connect to the database. Strange. So, it seems that it is unnecessary to set these Azure service app IP's in the SQL firewall. – Water Cooler v2 Jan 31 '19 at 08:31
  • that shouldnt happen. it is probably enabled by default – 4c74356b41 Jan 31 '19 at 08:35
0

No, it's not necessary to set firewall rules for allowing your App Service Web App's to access your SQL Azure database.

They will work just fine without doing this.

Water Cooler v2
  • 32,724
  • 54
  • 166
  • 336
  • got any sort of proof? – 4c74356b41 Jan 31 '19 at 15:50
  • I was the one who asked the question. I tried it out and it worked without setting those rules. See my comment to 4c74356b41's answer. Oh, I just realized you're the poster of this question..You can try it out yourself. What other proof should I offer in a written post? – Water Cooler v2 Jan 31 '19 at 16:02
  • i can read, can you show any proof? i know for sure it doesnt work without that – 4c74356b41 Jan 31 '19 at 16:02
  • Try it yourself. I just did. Did you? You may *know* that but you must try it. – Water Cooler v2 Jan 31 '19 at 16:03
  • i did try it many times, i mean, why is it so hard to provide a proof if you got it to work without that. i cant make it work without that checkbox – 4c74356b41 Jan 31 '19 at 16:04
  • It's my night time. Besides, I don't want to waste time on argument. If you're so convinced and offended that this works, why don't you show proof that it doesn't? – Water Cooler v2 Jan 31 '19 at 16:16
  • nowhere I said I'm offended, I'm curious. why would I waste time on proving it doesnt work when I know it doesnt work. I've tested it many times ;) – 4c74356b41 Jan 31 '19 at 16:19
0

MS will not change your IPs without informing to you (At least before 1 month). Best practice is applying FW rules and OFF the setting of "Allow Access to Azure service". Because if some one hack some your other Azure resources, there is a possibility then reach this DB as well.

Inzi
  • 348
  • 3
  • 12