How to secure access from App Service to Azure SQL

Published 2020-02-08 21:31

Question:

Scenario

I want to use a virtual network in order to limit access to the Azure database to only my App Service, so that I can turn off "Allow access to Azure services" in the firewall settings.

What I have done:

  1. I went to App Service -> Networking -> VNET Integration -> Setup -> Create New Virtual Network
  2. I created a new VNET with default settings.
  3. When the VNET was created I went to App Service -> Networking -> VNET Integration and ensured that the VNET is connected
  4. I went to SQL Firewall settings -> Virtual Network -> Add existing Virtual Network and selected my VNET. I left the default subnet and address space, "default / 10.0.0.0/24", and I left the IgnoreMissingServiceEndpoint flag unchecked.

I can now see the Microsoft.Sql service endpoint in my VNET:

Question

However, I'm still getting

SqlException: Cannot open server 'my-sqlserver' requested by the login. Client with IP address '52.233..' is not allowed to access the server.:

What am I missing?

Answer 1:

Unfortunately, you cannot achieve this scenario for now.

Why:

  1. When you use VNET Integration with your Web App, your Web App can communicate with the VNET, like Web App <---> VNET.

  2. When you use the SQL firewall to allow traffic from a specific VNet, the traffic from the VNET address space can communicate with your SQL server, like VNet <---> SQL server.

  3. When all configurations are set up, your scenario should be Web App <---> VNET <---> SQL server. The important thing is that the traffic from the Web App cannot go through the VNET to the SQL server, because the Web App is not within the VNET, it's outside the VNET! So, when you use the Web App to try to access the SQL server, the traffic is not from the VNET.

Solution:

The solution is to put your Web App into the VNet. So, you can use an Azure ASE to achieve this.

Reference:

VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, start with the article here: Creating and using an ILB ASE.

Similar case: App Service VNet Integration with Azure Storage Service Endpoint



Answer 2:

If you want to lock down access from your app to a service such as Azure SQL, Storage, Cosmos DB, etc. with service endpoints, you can use the new VNet Integration feature. The earlier form of the feature requires a gateway and builds on point-to-site VPN. The source IP from your app will be one of the point-to-site addresses. Service endpoints only work if your source IP is one of the VNet addresses.

With the new VNet Integration, your app backend will make calls with IPs in the selected subnet. That means you can set service endpoints on that subnet.

This is not to be confused with service endpoints TO your app. That is the recently released capability to lock traffic to your app down to selected VNet/subnets.
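
The SQL-side configuration that this answer implies, as an added example (not part of the original answer): enable the Microsoft.Sql service endpoint on the integration subnet, add the matching VNet rule on the SQL server, and then remove the 0.0.0.0 "Allow Azure services" firewall rule. It assumes the Az PowerShell modules (Az.Network and Az.Sql), that the app is already attached to the subnet with the regional (new) VNet Integration feature as in steps 1-3 of the question, and the placeholder names below; the resource group, VNet and subnet names are assumptions.

```powershell
# Added example, not the answer's own script. Assumed names:
$rg        = "my-rg"          # assumed resource group
$vnetName  = "my-vnet"        # assumed VNet created from the App Service blade
$subnet    = "default"        # assumed integration subnet (10.0.0.0/24 in the question)
$sqlServer = "my-sqlserver"   # logical SQL server name from the error message

# 1. Turn on the Microsoft.Sql service endpoint on the integration subnet.
#    Without it, traffic leaves the subnet with a public source IP (the
#    52.233.x.x in the question) and the SQL VNet rule never matches.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sn   = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
# Keep any endpoints already on the subnet and the Microsoft.Web/serverFarms
# delegation that VNet Integration put there.
$endpoints = @($sn.ServiceEndpoints | ForEach-Object { $_.Service }) + "Microsoft.Sql" |
    Select-Object -Unique
Set-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet `
    -AddressPrefix $sn.AddressPrefix -ServiceEndpoint $endpoints `
    -Delegation $sn.Delegations | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$sn   = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet

# 2. Add the VNet rule on the SQL server for that subnet. Leave
#    IgnoreMissingVnetServiceEndpoint off, as in the question, so the cmdlet
#    fails loudly if step 1 did not take effect.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName "allow-$vnetName-$subnet" `
    -VirtualNetworkSubnetId $sn.Id | Out-Null

# 3. Remove "Allow Azure services and resources to access this server".
#    It is stored as an ordinary firewall rule (AllowAllWindowsAzureIps)
#    whose start and end address are both 0.0.0.0.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" } |
    ForEach-Object {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName $_.FirewallRuleName -Force | Out-Null
    }

# 4. Check: the VNet rule should be in state Ready, and only explicit client
#    IP rules (if any) should remain in the IP firewall.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object VirtualNetworkRuleName, State, VirtualNetworkSubnetId
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

If the app still fails after this, the usual cause is that the app is attached with the gateway-based (point-to-site) integration rather than the regional one, which is exactly the case this answer says service endpoints cannot cover: the source address is a point-to-site address, not a subnet address, so the VNet rule never matches.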



Answer 3:

One option to consider that would allow you to remove the firewall setting "Allow access to App Services" is to add firewall rules for the outbound IP addresses of your specific App Service(s).

You can find the current list in the Properties section of the App Service, or with PowerShell...

$outboundIps = (Get-AzureRmResource -ResourceGroupName $rg -ResourceType Microsoft.Web/sites -ResourceName $appService).Properties.outboundIpAddresses

A couple of important caveats.

  1. The outbound IPs can change, but do so predictably (see link below). I run PowerShell scripts as part of a VSTS release process that update the firewall rules. (If you also manage your resources and their scale through your release process rather than the Azure portal, this approach seems reliable.)

  2. I haven't been able to find any information to confirm whether these IPs are unique to your App Service. This is a risk to consider.

https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-addresses
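
An added example of the kind of release-time script this answer describes (it is not the answer's own script). It assumes the Az modules rather than the AzureRm module used above, and placeholder resource names. Instead of `outboundIpAddresses`, it reads the app's `PossibleOutboundIpAddresses`, the superset of addresses the app can use after the scale or plan changes the linked article lists, and it reconciles the firewall against that list in both directions so rules for retired addresses are removed rather than accumulating. One caveat worth stating plainly: these addresses are shared with other apps on the same App Service deployment unit, so rules keyed on them grant access by network location, not by the identity of your app.

```powershell
# Added example, not the answer's own script. Assumed names:
$rg        = "my-rg"          # assumed resource group
$appName   = "my-webapp"      # assumed App Service name
$sqlServer = "my-sqlserver"   # logical SQL server name from the question
$prefix    = "app-$appName-"  # rule-name prefix so these rules are recognisable

# OutboundIpAddresses is what the app uses right now; PossibleOutboundIpAddresses
# is every address it could use after a scale or plan change. Both are
# comma-separated strings on the Site object returned by Get-AzWebApp.
$app    = Get-AzWebApp -ResourceGroupName $rg -Name $appName
$wanted = $app.PossibleOutboundIpAddresses -split "," |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

# Only touch rules we created (matched by prefix); leave other rules alone.
$existing = @(Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object { $_.FirewallRuleName -like "$prefix*" })

# Add a /32 rule (start == end) for each address that has no rule yet.
foreach ($ip in $wanted) {
    $name = $prefix + ($ip -replace "\.", "-")
    if (-not ($existing | Where-Object { $_.FirewallRuleName -eq $name })) {
        New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName $name -StartIpAddress $ip -EndIpAddress $ip | Out-Null
        Write-Output "added   $name ($ip)"
    }
}

# Remove our rules whose address the app no longer lists, so the allow list
# tracks the app instead of growing stale.
foreach ($rule in $existing) {
    if ($wanted -notcontains $rule.StartIpAddress) {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName $rule.FirewallRuleName -Force | Out-Null
        Write-Output "removed $($rule.FirewallRuleName) ($($rule.StartIpAddress))"
    }
}

# Final state for the release log.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object { $_.FirewallRuleName -like "$prefix*" } |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

Once this runs in the release pipeline, the 0.0.0.0 "Allow Azure services" rule can be removed from the server, which is the goal the answer sets out.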



Answer 4:

With the latest launch of the new service named Private Link, you can now set up a private endpoint to access Azure SQL Database.

With today’s announcement of Azure Private Link, you can simply create a private endpoint in your VNet and map it to your PaaS resource (Your Azure Storage account blob or SQL Database server).
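
An added example of the private endpoint setup this answer refers to (not the answer's own code). It assumes the Az modules with Private Link support (Az.Network, Az.PrivateDns, and an Az.Sql version that has the `-PublicNetworkAccess` parameter), an existing VNet with a separate subnet reserved for private endpoints, and the placeholder names below; all of those names are assumptions. The DNS zone step is the one most often missed: without it the server's public FQDN still resolves to its public IP and the app never uses the private path.

```powershell
# Added example, not the answer's own code. Assumed names:
$rg        = "my-rg"                # assumed resource group
$location  = "westeurope"           # assumed region
$vnetName  = "my-vnet"              # assumed VNet the app is integrated with
$peSubnet  = "private-endpoints"    # assumed subnet for the endpoint NIC
$sqlServer = "my-sqlserver"         # logical SQL server name from the question

# 1. A subnet that hosts private endpoints must have endpoint network
#    policies disabled.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sn   = $vnet.Subnets | Where-Object { $_.Name -eq $peSubnet }
$sn.PrivateEndpointNetworkPolicies = "Disabled"
$vnet = $vnet | Set-AzVirtualNetwork
$sn   = $vnet.Subnets | Where-Object { $_.Name -eq $peSubnet }

# 2. Create the private endpoint and map it to the SQL server. The group id
#    for a logical SQL server is "sqlServer".
$sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServer
$conn = New-AzPrivateLinkServiceConnection -Name "$sqlServer-plsc" `
    -PrivateLinkServiceId $sql.ResourceId -GroupId "sqlServer"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "$sqlServer-pe" `
    -Location $location -Subnet $sn -PrivateLinkServiceConnection $conn

# 3. DNS: create the privatelink zone, link it to the VNet, and let the
#    endpoint register its A record, so my-sqlserver.database.windows.net
#    resolves to the endpoint's private IP from inside the VNet.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.database.windows.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$cfg = New-AzPrivateDnsZoneConfig -Name "privatelink-database-windows-net" `
    -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $cfg | Out-Null

# 4. With the private path in place, turn off public access entirely. The IP
#    firewall, including "Allow Azure services", then no longer applies.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServer `
    -PublicNetworkAccess "Disabled" | Out-Null

# Check: the endpoint should show an approved connection and a private IP.
(Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $pe.Name).PrivateLinkServiceConnections |
    Select-Object Name, @{n="Status"; e={ $_.PrivateLinkServiceConnectionState.Status }}
```

For the integrated app to see the private DNS zone, the app setting `WEBSITE_DNS_SERVER` had to be set to `168.63.129.16` on App Service at the time of this answer, so that name resolution goes through Azure DNS inside the VNet rather than the public resolver; check that before concluding the endpoint itself is misconfigured.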