
I have an Azure web app in UK South and an Azure SQL server in UK West. At the moment they can communicate because I have the option enabled on the server to allow access to Azure services.

I want to secure the SQL server behind a VNet, so I have created a VNet in each region and set up peering between them.

I have added a VNet rule to the SQL server and enabled the service endpoint for SQL on the subnet, so that the SQL server is now secured behind the VNet in the same region, and disabled the option to allow access to Azure services.

I have then added the VNet in UK South to the web app (using the preview option in the portal), which I assumed would allow the web app to access the SQL server via the peered VNet. However, the connection keeps getting refused.

Am I correct in my assumption that this should just work? Or am I missing something?

I have also tried setting up a VM on each VNet, and while I can ping each VM from the other and can get the VM in the same region as the SQL server to connect, I can't get the VM in the other region to connect to the SQL server.

Can anyone help with how I get this setup correctly?

A. Poutney
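The steps the question describes (one VNet per region, global peering, the `Microsoft.Sql` service endpoint plus a VNet rule on the SQL server, removing the "allow Azure services" toggle, and regional VNet integration for the web app), written out as an Azure CLI script. This is an added example, not code from the question or the answer. The resource group, VNet and subnet names, address ranges, and the server and app names are assumptions. Two points a practitioner should know: the "Allow Azure services and resources to access this server" toggle is the server-level firewall rule named `AllowAllWindowsAzureIps` (0.0.0.0-0.0.0.0), and regional VNet integration needs the web app's subnet delegated to `Microsoft.Web/serverFarms`. Setting `AZ="echo az"` prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal steps in the question.
# Resource names, regions' address ranges and the resource group are assumptions.
set -eu

RG="${RG:-rg-georedundant}"                 # assumed resource group
SQL_SERVER="${SQL_SERVER:-sql-ukwest-demo}" # assumed SQL logical server name
WEBAPP="${WEBAPP:-app-uksouth-demo}"        # assumed web app name

# AZ="echo az" turns every call into a dry run that prints the command.
AZ="${AZ:-az}"
run() { $AZ "$@"; }

# 1. One VNet per region. The SQL subnet gets the Microsoft.Sql service endpoint;
#    the App Service subnet must be delegated to Microsoft.Web/serverFarms for
#    regional VNet integration (the "preview option" in the question).
create_vnets() {
  run network vnet create -g "$RG" -n vnet-ukwest -l ukwest \
      --address-prefix 10.1.0.0/16 --subnet-name snet-sql --subnet-prefixes 10.1.1.0/24
  run network vnet subnet update -g "$RG" --vnet-name vnet-ukwest -n snet-sql \
      --service-endpoints Microsoft.Sql

  run network vnet create -g "$RG" -n vnet-uksouth -l uksouth \
      --address-prefix 10.2.0.0/16 --subnet-name snet-app --subnet-prefixes 10.2.1.0/24
  run network vnet subnet update -g "$RG" --vnet-name vnet-uksouth -n snet-app \
      --delegations Microsoft.Web/serverFarms
}

# 2. Peering in both directions. Different regions means this is global peering,
#    which is exactly the case the answer says regional VNet integration cannot cross.
peer_vnets() {
  run network vnet peering create -g "$RG" -n west-to-south --vnet-name vnet-ukwest \
      --remote-vnet vnet-uksouth --allow-vnet-access
  run network vnet peering create -g "$RG" -n south-to-west --vnet-name vnet-uksouth \
      --remote-vnet vnet-ukwest --allow-vnet-access
}

# 3. Lock the SQL server to the VNet: add the VNet rule for snet-sql, then delete the
#    rule that the "allow access to Azure services" toggle creates.
secure_sql() {
  run sql server vnet-rule create -g "$RG" -s "$SQL_SERVER" -n allow-snet-sql \
      --vnet-name vnet-ukwest --subnet snet-sql
  run sql server firewall-rule delete -g "$RG" -s "$SQL_SERVER" -n AllowAllWindowsAzureIps
}

# 4. Attach the web app to the UK South subnet (regional VNet integration).
integrate_webapp() {
  run webapp vnet-integration add -g "$RG" -n "$WEBAPP" --vnet vnet-uksouth --subnet snet-app
}

configure_all() {
  create_vnets
  peer_vnets
  secure_sql
  integrate_webapp
}

# Only touch Azure when asked: `./setup.sh apply` runs for real,
# `AZ="echo az" ./setup.sh apply` prints the commands it would run.
if [ "${1:-}" = "apply" ]; then
  configure_all
fi
```

Run the dry-run form first and check the printed sequence; in particular, confirm the `AllowAllWindowsAzureIps` delete comes after the VNet rule is in place, otherwise the web app loses access before the replacement path exists.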

1 Answer


According to my research, if we use regional VNet Integration (using the preview option in the portal), we cannot reach resources across global peering connections (connecting virtual networks across Azure regions). For more details, please refer to the document.

According to the situation, I suggest you add your web app and SQL in the same-region VNet.

Jim Xu
  • Unfortunately, hosting the web app and SQL in the same region won't work for me, as what I'm aiming for is a geo-redundant system whereby I have a web app in both regions that connect to a SQL failover group that has a geo-replicated database in each region. I need both web apps to be able to connect to the primary database, which may not be in the same region – A. Poutney Nov 26 '19 at 09:07
  • @A.Poutney According to the situation, I think you can add the web app outbound IPs in the firewall of your SQL server to allow your web app to access the SQL. Regarding how to get the outbound IPs, please refer to https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#find-outbound-ips – Jim Xu Nov 27 '19 at 06:15
  • I had considered that, and yes, it works when they are added. The idea of using the VNets was to ensure data between the two resources would travel through the Azure backbone. If I add the web app's outbound IPs to the SQL server, does this negate the VNet? – A. Poutney Nov 27 '19 at 09:57
  • @A.Poutney As far as I know, the VNet will continue to work. – Jim Xu Nov 28 '19 at 05:36
  • @A.Poutney Did you find a solution? We've hit the same blocker: Web Apps active/active in 2 regions with the database in both, using failover groups to direct SQL connections to the read/write primary. I've played around with Private Link, but if you want to use the failover group DNS host you still need to peer the two VNets, and I hit the lack of support for global peering with App Service – J_D Jun 26 '20 at 14:14
  • @J_D I'm afraid I didn't find a solution. We had to add the outbound IP of the Web App to the SQL Server firewall in the opposite region. It was the only way this would work. – A. Poutney Jun 29 '20 at 07:44
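The workaround the comments settle on (adding the web app's outbound IPs to the SQL server firewall in the other region), as an added example with the check a practitioner would want before relying on it. This is not code from the thread. It uses `possibleOutboundIpAddresses` rather than `outboundIpAddresses`, because an app's current outbound set can change when the plan scales or moves, and it compares those addresses against the server's existing rules so only the missing ones are added as single-address rules. The resource names are assumptions, and the sample IPs and rules at the bottom are constructed for the offline demonstration, not real Azure output. One caveat to weigh: on multi-tenant App Service the outbound IPs are shared by every app on the same scale unit, so a firewall rule for them admits more than just your app, which is why the SQL server is opened only to those exact addresses and nothing wider.

```shell
#!/usr/bin/env bash
# Added example: open the SQL server firewall in the other region to a web app's
# possible outbound IPs, adding only the addresses not already covered by a rule.
# Resource names are assumptions; sample data below is constructed.
set -eu

AZ="${AZ:-az}"          # AZ="echo az" for a dry run
run() { $AZ "$@"; }

# Dotted-quad IPv4 to an integer so "start-end" firewall ranges compare numerically.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print each IP in $1 (comma-separated, as Azure returns it) that is NOT inside
# any "start-end" range listed in $2 (whitespace-separated).
ips_not_allowed() {
  local ips="$1" rules="$2" ip n covered r lo hi
  for ip in $(echo "$ips" | tr ',' ' '); do
    n=$(ip_to_int "$ip"); covered=0
    for r in $rules; do
      lo=$(ip_to_int "${r%-*}"); hi=$(ip_to_int "${r#*-}")
      if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then covered=1; break; fi
    done
    [ "$covered" -eq 0 ] && echo "$ip"
  done
  return 0
}

# All addresses the app may ever use for outbound traffic (comma-separated string).
possible_outbound_ips() {
  run webapp show -g "$1" -n "$2" --query possibleOutboundIpAddresses -o tsv
}

# Existing server-level firewall rules as one "start-end" token per line.
existing_rules() {
  run sql server firewall-rule list -g "$1" -s "$2" \
      --query "[].join('-', [startIpAddress, endIpAddress])" -o tsv
}

# Add a single-address rule for every outbound IP not already covered, so the
# server stays closed to everything except the VNet rule and these exact addresses.
allow_webapp_outbound() {
  local app_rg="$1" app="$2" sql_rg="$3" server="$4" ip
  for ip in $(ips_not_allowed "$(possible_outbound_ips "$app_rg" "$app")" \
                              "$(existing_rules "$sql_rg" "$server")"); do
    run sql server firewall-rule create -g "$sql_rg" -s "$server" \
        -n "app-${app}-$(echo "$ip" | tr . -)" \
        --start-ip-address "$ip" --end-ip-address "$ip"
  done
}

# Offline demonstration with constructed data (not real Azure output):
# two addresses fall inside an existing rule, the third does not.
SAMPLE_IPS="51.140.10.1,51.140.10.2,51.140.20.7"
SAMPLE_RULES="51.140.10.0-51.140.10.255 10.0.0.0-10.0.0.255"
ips_not_allowed "$SAMPLE_IPS" "$SAMPLE_RULES"   # prints 51.140.20.7
```

In use, call `allow_webapp_outbound rg-uksouth app-uksouth-demo rg-ukwest sql-ukwest-demo` for the app in one region against the server in the other, and repeat with the roles swapped for the second app and server; since the failover group can make either server primary, both apps need rules on both servers. Re-run it after any scaling or plan change, and run `AZ="echo az"` first to see which rules it would add.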