Reputation: 37
I created a SQL Server virtual machine on Azure. I also added a firewall rule to restrict access to the SQL Server port to a specific IP (my IP).
But how can I add a firewall rule to allow authorized access for a web app hosted in Azure?
Upvotes: 1
Views: 151
Reputation: 166
Each web app running on Azure App Service has a pool of outbound IP addresses that can be used when making outbound calls to other addresses. The set of outbound IP addresses can be found using the "new" Azure portal (portal.azure.com) or the Azure Resource Explorer. You can configure your firewall, endpoint ACL, etc. to allow access from those addresses.
However an important note: the pool of outbound IP addresses is shared across many different web apps (not just your web app). Although the set of outbound IP addresses is much smaller than the entire Azure IP address range, the addresses are still pooled and shared across multiple apps. As a result the outbound addresses aren't dedicated exclusively just for your app.
Specific details on how to look up the outbound IP address pool used by your web app can be found here: Outbound IP Addresses for Web Apps
Upvotes: 0
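As an added illustration of the approach in the answer above (not code from the answer's author), this PowerShell sketch scopes one Windows Firewall rule on the SQL Server VM to the web app's outbound address list. It assumes the VM's firewall is Windows Firewall and that SQL Server listens on its default TCP port 1433; the rule name is hypothetical and the addresses are constructed placeholders from documentation ranges.

```powershell
# Added example. Run in an elevated PowerShell session on the SQL Server VM.

# Constructed sample: replace with the comma-separated outbound IP list shown
# for the web app in the portal. These are documentation-range placeholders.
$outboundIpList = '203.0.113.10,203.0.113.11,198.51.100.7,198.51.100.8'

# Assumptions: hypothetical rule name; 1433 is the SQL Server default port.
$ruleName = 'SQL Server - Azure web app outbound IPs'
$sqlPort  = 1433

# Validate every entry so a typo cannot become a broad or malformed scope.
$addresses = foreach ($entry in $outboundIpList.Split(',')) {
    $candidate = $entry.Trim()
    if (-not $candidate) { continue }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed)) {
        throw "Not an IP address: '$candidate'"
    }
    $parsed.IPAddressToString
}
$addresses = @($addresses | Sort-Object -Unique)
if ($addresses.Count -eq 0) { throw 'No outbound addresses supplied.' }

$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    # Replace the whole scope so addresses no longer in the pool are dropped.
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $addresses
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $sqlPort -RemoteAddress $addresses -Profile Any
}

# Print the resulting remote-address scope for review.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Any Azure endpoint ACL in front of the VM needs the same address list, and the rule should be re-run whenever the web app's outbound pool changes.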
Reputation: 71031
Web Apps don't get unique outbound IP addresses, so you can't add the IP address to an inbound VM's endpoint Access Control Lists (ACLs) or firewall (well, you can, but you'd be opening the port to all web apps behind that IP address, and also no guarantee the IP address will remain the same). Instead, you'd need to add the Web App and Virtual Machine to the same virtual network. Then, the Web App's connection string can point directly to the SQL Server VM's internal IP address, rather than its external VIP (or name.cloudapp.net).
Upvotes: 2