Reputation: 2069
I've got an ASP.NET 4.6.2 website under development and it would be convenient to connect this to an existing Azure database.
Obviously I could put in the connection string with login credentials locally, but it seems likely that this would then expose those clear text credentials during TCP communications.
I thought of using aspnet_regiis to encrypt the connection strings, but AFAIK this is intended for local machine encryption, not remote connections.
Upvotes: 0
Views: 170
Reputation: 9956
Take a look at the connection string provided by Azure. You'll see Encrypt=true and TrustServerCertificate=false in there. The Encrypt setting forces an SSL connection before anything is transmitted, and TrustServerCertificate requires the server's SSL cert name to match the connection string's server name.
So it isn't really an issue, security-wise.
That being said, I store all my secrets like connection strings (database, storage accounts, and even serialized X509 certificates) as Azure Key Vault Secrets. Key Vault is an extremely low-cost service and this way you only need to store the base URI of your key vault (which isn't sensitive, you can store it in a plaintext config somewhere).
At runtime it's secured by policies authorizing app access to the data, and locally during development your Azure account provides access.
It's important to cache Key Vault results; Key Vault isn't meant for high-throughput access. Last month I blogged about how to do this here if you want some code to get you started.
Upvotes: 1
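The two points in the answer above, combined in an added example that is not from the answer or its linked blog post: a small TTL cache for secrets that refuses to hand out a SQL connection string unless it sets Encrypt=true and leaves TrustServerCertificate=false. The class name and the fetchSecret delegate are assumptions; the delegate stands in for whatever Key Vault client call the application uses.

```csharp
using System;
using System.Collections.Concurrent;
using System.Data.SqlClient;
using System.Threading.Tasks;

// Hypothetical helper: not part of the answer, the blog post, or any Azure SDK.
public sealed class CachedConnectionStrings
{
    // Assumed delegate: takes a secret name, returns its value (e.g. wraps a Key Vault lookup).
    private readonly Func<string, Task<string>> _fetchSecret;
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _cache =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    public CachedConnectionStrings(Func<string, Task<string>> fetchSecret, TimeSpan ttl)
    {
        _fetchSecret = fetchSecret;
        _ttl = ttl;
    }

    public async Task<string> GetAsync(string secretName)
    {
        Tuple<string, DateTime> entry;
        if (_cache.TryGetValue(secretName, out entry) && entry.Item2 > DateTime.UtcNow)
            return entry.Item1; // still fresh: no round trip to the vault

        string value = await _fetchSecret(secretName).ConfigureAwait(false);
        RequireEncryptedTransport(value); // validate before caching, so a bad value is never reused
        _cache[secretName] = Tuple.Create(value, DateTime.UtcNow.Add(_ttl));
        return value;
    }

    // Rejects strings that do not force TLS or that skip server certificate validation.
    // Messages deliberately omit the connection string so the secret never reaches logs.
    public static void RequireEncryptedTransport(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        if (!builder.Encrypt) // also true when the keyword is missing (System.Data.SqlClient default)
            throw new InvalidOperationException("Connection string must set Encrypt=True.");
        if (builder.TrustServerCertificate)
            throw new InvalidOperationException("Connection string must set TrustServerCertificate=False.");
    }
}
```

Two concurrent callers that both miss the cache will each call the delegate once; that is harmless here because the last write wins and both values are validated.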