
Is there a way to establish a connection from an Azure Web App to an Azure SQL Database in another region "privately", that is, without having to leave the database open to the public?

Specifically, I would like my database to have the following firewall options set on the database:

  • "Deny public network access" - YES
  • "Allow Azure services and resources to access this server" - NO

What I have tried unsuccessfully (it is possible that I got something wrong in my setup):

  • VNET-VNET peering - allows cross region VNET connection but does not seem to work for Web App
  • SQL Database Private Endpoint - Endpoint was created in VNET hosted in the same region as Web App.

Update: Tried to follow the instructions in Azure Global VNet peering and WebApps, but I am not sure which VNET the gateways should be created in. I created a gateway first in the remote network, then checked the "App Service Plan" blade, then created a gateway in the Web App VNET; still no luck.

In the "App Service Plan" blade, all of the gateway-related settings are greyed out and the gateway status is "N/A". The "Sync Network" button is greyed out.

Alex
  • Would this work? https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal – CSharpRocks Apr 25 '20 at 01:43
  • Did you check this? https://stackoverflow.com/questions/55267247/azure-global-vnet-peering-and-webapps – Alex AIT Apr 25 '20 at 06:25
  • @CSharpRocks, thank you for your response. From what I can gather (including my experimentation) the link you provide is for OnPrem network connectivity. You have to connect to a different type of gateway than Virtual Gateway. – Alex Apr 26 '20 at 08:50
  • @AlexAIT, thank you for your response. I have a question regarding the instructions: on which network should the gateway be created? On the VNET that the Web App connects to, or on the 2nd VNET where my database is? It seems you can only have one gateway, right? – Alex Apr 26 '20 at 09:00
  • @AlexAIT, in the "App Service Plan" blade, all of the gateway related settings are greyed out and gateway status is "N/A", despite the fact that I have created a gateway on this VNET. – Alex Apr 26 '20 at 09:06

2 Answers


You should be able to do this using Private Link; there are instructions in the following Microsoft documentation: Multi-region web app with private connectivity to database

However, the part about adding the private link (i.e. part 3a of the "Deploy this scenario" section) isn't very clear as to what settings you need to select when actually creating the Private Link, so I have created a blog post which helps to explain this part a bit better with screenshots: Connect from Azure Web App to Azure SQL Database in another region using Private Link

WebFletch
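The Private Link layout described in the answer above (Web App with regional VNet integration, a private endpoint for the remote SQL server, and a private DNS zone), written out as a Bicep template. This is an added example, not the answer's, the linked blog's or Microsoft's own code; the region values, names, address ranges and the plan id are placeholders, and it assumes an existing App Service plan in a tier that supports regional VNet integration.

```bicep
param appRegion string = 'westeurope'   // placeholder: region of the Web App
param sqlRegion string = 'eastus'       // placeholder: region of the SQL logical server
param planId string                     // placeholder: existing App Service plan that supports VNet integration
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

// VNet in the Web App's region: a delegated subnet for regional VNet integration plus a subnet for the private endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: appRegion
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-appsvc', properties: { addressPrefix: '10.10.1.0/24', delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ] } }
      { name: 'snet-pe', properties: { addressPrefix: '10.10.2.0/24', privateEndpointNetworkPolicies: 'Disabled' } }
    ]
  }
}

// SQL logical server in the other region with public access denied, so the private endpoint is the only path in.
resource sql 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-placeholder-unique'
  location: sqlRegion
  properties: { administratorLogin: sqlAdminLogin, administratorLoginPassword: sqlAdminPassword, publicNetworkAccess: 'Disabled' }
}

// The private endpoint sits in the Web App's VNet but targets the remote server; Private Link carries the traffic across regions.
resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: 'pe-sql'
  location: appRegion
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [ { name: 'sql', properties: { privateLinkServiceId: sql.id, groupIds: [ 'sqlServer' ] } } ]
  }
}

// Without this zone the app resolves <server>.database.windows.net to the public IP, which the server now refuses.
resource dns 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink${environment().suffixes.sqlServerHostname}', location: 'global' }
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = { parent: dns, name: 'link-vnet-app', location: 'global', properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } } }
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = { parent: pe, name: 'default', properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dns.id } } ] } }

// Web App integrated into the delegated subnet; vnetRouteAllEnabled sends all outbound traffic and DNS lookups through the VNet.
resource web 'Microsoft.Web/sites@2022-03-01' = {
  name: 'web-placeholder-unique'
  location: appRegion
  properties: { serverFarmId: planId, virtualNetworkSubnetId: vnet.properties.subnets[0].id, siteConfig: { vnetRouteAllEnabled: true } }
}
```

On the App Service of 2020 the equivalent of vnetRouteAllEnabled was the app-setting pair WEBSITE_VNET_ROUTE_ALL=1 and WEBSITE_DNS_SERVER=168.63.129.16, which makes the app resolve names through Azure DNS and therefore through the private zone. A quick check from the app's Kudu console is nameresolver <server>.database.windows.net, which should return the endpoint's 10.10.2.x address rather than a public one.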

Firstly, your linked SO answer is about accessing Azure VMs from an Azure web app. Azure VMs are Azure IaaS. However, Azure SQL Database is Azure PaaS. You don't need to follow it in this scenario.

If you want to connect from a Web App to an Azure SQL Database in another region securely, you could do these two steps:

  1. Enable regional VNet Integration with app service in the same region.
  2. Add the integrated subnet under "Firewalls and virtual networks" on the Azure SQL database server. If the selected subnet does not have a service endpoint enabled for Microsoft.Sql, enabling access may take up to 15 minutes to complete.

For more information, you could refer to this blog.

The above method will add the integrated subnet to the SQL server firewall. If you don't want to add it, you may consider using Azure Private Link with gateway-required VNet integration. See this blog for more information. Make sure you have set up the gateway in your virtual network (it will have a private endpoint for the SQL database and be in the same region as the SQL database) properly. See Use cases of Private Link for Azure SQL Database for more details.

Nancy
  • Thank you for your response. I have tried a number of the things you mention; unfortunately none of them have worked. 1. I cannot add a VNET from another region to the Azure SQL database firewall. At least not from the UI. 2. Are there any specific requirements for the gateway-required VNET integration? In the Web App Networking blade I cannot see VNETs (with a gateway) from other regions. It says something along the lines of "no gateway enabled networks found" (I do not have the setup on hand to tell the exact message). – Alex Apr 27 '20 at 11:07
  • I have spent more than a week trying to get this to work with no results to show. Would really appreciate your help. – Alex Apr 27 '20 at 11:10
  • Gateway-required VNet integration means that you need to deploy a route-based VPN gateway in that VNet, enable a point-to-site connection, and provide a client address space for it. – Nancy Apr 27 '20 at 12:08