I believe I'm trying to do something pretty basic with Azure, yet so far I haven't found anything "safe".

Basically, I just want to have an Azure WebApp and an Azure SQL Server (no VMs) communicating with each other, the WebApp being public on the internet, and the SQL Server being accessible ONLY by THAT specific WebApp.

I found 3 ways to "secure" the communication to an Azure SQL Server:

  1. Allow Azure Services
  2. Whitelisting IP Addresses
  3. Accepting VNet connections

The issue I have with 1 is that anyone who has an Azure subscription can reach my DB via multiple components...

With 2, the "most secure" option is allowing the outbound IPs of the WebApp in the datacenter; as far as I understand it, anyone could create a WebApp in the same datacenter I chose for my WebApp and they would have a chance to be in the same "IP groups", which means they could reach my DB...

And with 3, maybe it's just me, but when I did that, I couldn't manage to find a way to communicate with my WebApp from the internet...

I believe it's a pretty basic requirement I have...

How do I do it?

Thanks in advance!

frank
  • FYI, your outbound IPs are not the same for the whole datacentre; they are the same for apps deployed to the same cluster as you. Granted this is >1, but not on the scale of the whole datacentre. – Sam Cogan Jan 13 '19 at 18:51
  • Yeah, that makes sense, thanks for the precision, but it's still a problem – frank Jan 14 '19 at 16:33

1 Answer

You can have more granular network access control if you use Service Endpoints. See our documentation here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview

Ken W MSFT
  • Isn't that option 3? If yes, how can you make the web app public? When I try that I can't access my web app, since it's behind the VNet – frank Jan 12 '19 at 23:26
  • You can use an App Gateway to expose your web app to the public. https://docs.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway – Ken W MSFT Jan 14 '19 at 18:15
  • So I have no choice but to use the ASE to make sure that only my apps can access my database? Is that right? – frank Jan 28 '19 at 19:45
  • Yes, looking at your requirement that says only your web app can talk to your DB, then the only PaaS option is an ASE, which isolates your app to a dedicated environment. – Ken W MSFT Jan 29 '19 at 13:01
  • Hmmm, ok, that being said, is it me or is this a weird concept/specification? I believe what I intend to do is pretty basic and a lot of people have this "architecture" and requirement, no? A WebApp talking securely to its database? Why do we need a "special service" for that? Shouldn't that be basic functionality of an Azure WebApp? – frank Jan 29 '19 at 19:14
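The setup the answer points to (an Azure SQL VNet service endpoint rule, instead of the "Allow Azure services" rule from option 1 or the outbound-IP whitelist from option 2), written out as an added Bicep example. This is not code from the question, the answer, or Microsoft's documentation. It assumes the web app uses App Service regional VNet integration into a subnet delegated to `Microsoft.Web/serverFarms` rather than an App Service Environment, and the resource names (`app-vnet`, `webapp-integration`, `my-public-webapp`, `my-sql-server`), address ranges and SKUs are placeholders chosen for the example.

```bicep
// Added example: one public Azure Web App, one Azure SQL server,
// SQL reachable only from the subnet the web app is integrated into.
param location string = resourceGroup().location
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

// Assumed names for the example; replace with your own.
var vnetName = 'app-vnet'
var subnetName = 'webapp-integration'
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Service endpoint: traffic from this subnet to Azure SQL carries the
          // subnet's identity, which the SQL VNet rule below matches on.
          serviceEndpoints: [ { service: 'Microsoft.Sql' } ]
          // Regional VNet integration requires the subnet to be delegated to App Service.
          delegations: [ { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'app-plan'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}

// Inbound stays public: VNet integration only affects the app's outbound traffic.
resource web 'Microsoft.Web/sites@2022-09-01' = {
  name: 'my-public-webapp'
  location: location
  dependsOn: [ vnet ]
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: subnetId
    siteConfig: {
      minTlsVersion: '1.2'
      // Route all outbound traffic (not only RFC 1918 destinations) through the VNet,
      // so the SQL connection is guaranteed to leave via the delegated subnet.
      vnetRouteAllEnabled: true
    }
  }
}

resource sql 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'my-sql-server'
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    // Service endpoints target the server's public endpoint; the firewall/VNet rules
    // decide who gets through it.
    publicNetworkAccess: 'Enabled'
  }
}

resource db 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sql
  name: 'appdb'
  location: location
  sku: { name: 'Basic', tier: 'Basic' }
}

// The ONLY allow rule on the server. Deliberately absent:
//   - a Microsoft.Sql/servers/firewallRules resource named 'AllowAllWindowsAzureIps'
//     (0.0.0.0-0.0.0.0), which is option 1, "Allow Azure services";
//   - any firewallRules for the app's outbound IPs, which is option 2.
resource vnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-05-01-preview' = {
  parent: sql
  name: 'allow-webapp-subnet'
  dependsOn: [ vnet ]
  properties: {
    virtualNetworkSubnetId: subnetId
    // Fail the deployment if the subnet does not actually have the Microsoft.Sql endpoint.
    ignoreMissingVnetServiceEndpoint: false
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters sqlAdminLogin=<login>` (the password is prompted as a secure parameter), then confirm with `az sql server firewall-rule list --server my-sql-server --resource-group <rg>` that no `AllowAllWindowsAzureIps` or IP-range rule exists, since a Bicep deployment does not delete rules that were created by hand in the portal. Two caveats a practitioner should keep in mind: the service endpoint identifies the subnet, not the app, so any other App Service plan integrated into `webapp-integration` would get the same access, and keeping one delegated subnet per app (or per plan) is what preserves the "only THAT web app" property; and the web app's inbound side is untouched by this, so it remains reachable from the internet without an Application Gateway or ASE.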