I believe I'm trying to do something pretty basic with Azure, yet so far I haven't found anything "safe".

Basically, I just want to have an Azure WebApp and an Azure SQL Server (no VMs) communicating with each other, the WebApp being public on the internet, and the SQL Server being accessible ONLY by THAT specific WebApp.

I found 3 ways to "secure" the communication to an Azure SQL Server:

  1. Allow Azure Services
  2. Whitelisting IP Addresses
  3. Accepting VNet connections

The issue I have with 1 is that anyone who has an Azure subscription can reach my DB via multiple components...

With 2, the "most secure" option is allowing the outbound IPs of the WebApp in the datacenter; as far as I understand it, anyone could create a WebApp in the same datacenter I chose for my WebApp and they would have a chance to be in the same "IP groups", which means they could reach my DB...

And with 3, maybe it's just me, but when I did that, I couldn't manage to find a way to communicate with my WebApp from the internet...

I believe it's a pretty basic requirement I have...

How do I do it?

Thanks in advance!

  • FYI, your outbound IPs are not the same for the whole datacentre; they are the same for apps deployed to the same cluster as you. Granted this is >1, but not on the scale of the whole datacentre. Commented Jan 13, 2019 at 18:51
  • Yeah, that makes sense, thanks for the precision, but it's still a problem. Commented Jan 14, 2019 at 16:33

1 Answer

You can have more granular network access control if you use Service Endpoints. See our documentation here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview

  • Isn't that option 3? If yes, how can you make the webapp public? When I try that I can't access my web app, since it's behind the VNet. Commented Jan 12, 2019 at 23:26
  • You can use an App Gateway to expose your web app to the public. docs.microsoft.com/en-us/azure/app-service/environment/… Commented Jan 14, 2019 at 18:15
  • So I have no choice but to use the ASE to make sure that only my apps can access my database? Is that right? Commented Jan 28, 2019 at 19:45
  • Yes, looking at your requirement that says only your web app can talk to your DB, the only PaaS option is an ASE, which isolates your app to a dedicated environment. Commented Jan 29, 2019 at 13:01
  • Hmm, ok, that being said, is it me or is this a weird concept/specification? I believe what I intend to do is pretty basic and a lot of people have this "architecture" and requirement, no? A WebApp talking securely to its database? Why do we need a "special service" for that? Shouldn't that be basic functionality of Azure WebApp? Commented Jan 29, 2019 at 19:14
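The service-endpoint setup the answer links to, written out as an added Bicep example; this is not code from the question, the answer, or Microsoft's documentation. It assumes regional VNet integration on a Standard-tier (or higher) App Service plan, and every resource name and address range is a placeholder. The SQL server gets exactly one virtual network rule, for the web app's delegated subnet, and no IP firewall rules at all, so neither the 0.0.0.0 rule that the "Allow Azure services" checkbox creates nor the shared outbound IPs of other tenants' apps in the same cluster admit any traffic.

```bicep
// Added example (assumption: regional VNet integration is available on the plan).
param location string = resourceGroup().location
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

var sqlServerName = 'sql-placeholder-${uniqueString(resourceGroup().id)}'
var webAppName = 'app-placeholder-${uniqueString(resourceGroup().id)}'

// One subnet, delegated to App Service and carrying the Microsoft.Sql service
// endpoint: SQL then identifies callers by subnet, not by shared outbound IP.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-webapp'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }   // placeholder range
    subnets: [
      {
        name: 'snet-webapp'
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Sql' } ]
          delegations: [
            {
              name: 'appservice'
              properties: { serviceName: 'Microsoft.Web/serverFarms' }
            }
          ]
        }
      }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-webapp'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}

// The web app stays public (no ASE, no App Gateway); only its outbound traffic
// is forced through the delegated subnet.
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    httpsOnly: true
    siteConfig: {
      vnetRouteAllEnabled: true   // route all outbound traffic via the VNet
      minTlsVersion: '1.2'
    }
  }
}

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    // The public endpoint stays on, but with no firewall rules defined the
    // VNet rule below is the only thing that admits connections.
    publicNetworkAccess: 'Enabled'
  }
}

// The single network rule. Deliberately no Microsoft.Sql/servers/firewallRules
// resource: that is where "Allow Azure services" (0.0.0.0) and IP whitelists live.
resource vnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-05-01-preview' = {
  parent: sqlServer
  name: 'allow-snet-webapp'
  properties: {
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    ignoreMissingVnetServiceEndpoint: false   // fail if the endpoint is not on the subnet
  }
}
```

After deploying, the check worth running is that `az sql server firewall-rule list` for the server returns an empty list while `az sql server vnet-rule list` returns the one rule above; any firewall rule that shows up (in particular one named AllowAllWindowsAzureIps) reopens the path the question is trying to close.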
