How to security access onprem database from Azure AppService

Question

Is there a way to securely access a on-prem Sql Server, from an AppService?

The IT guys are nervious about letting an App Service which needs access to our on-premise database.

I am not a networking guy, and am trying to come up with a solution.

The only thing I have thought of is creating a new database (CDS_API). The AppService is then given a connection string to this database. This database would then have access to the primary database (CDS).

If the AppService has only execute permissions to CDS_API, this seems secure to me. Am I missing something?

Is there a better way to do this?

Answer 1

The simple solution is to use an App Service Hybrid Connection

Hybrid Connections can be used to access application resources in any network that can make outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This enables your apps to access resources on any OS, provided it is a TCP endpoint. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It simply provides network access.

Alternatively, you can Integrate your app with an Azure virtual network which is connected securely to your on-prem networks either with a Site-to-Site VPN or over ExpressRoute.