Reputation: 449
I have an Azure App Service.
The App Service relies on databases held on my Azure SQL Server.
I am attempting to disable 'Allow access to Azure Services' on the Azure SQL server to prevent malicious users in other Azure subscriptions connecting to my database, however when I do this the App Service can no longer connect to the Azure SQL server / database.
I have attempted to connect the app service to a VNET that has been granted access to the SQL Server however still cannot get a connection.
Point to Site and service endpoints have been enabled.
Is it possible to have App Services talk to the Azure SQL when 'Allow access to Azure Services' is disabled? Or would I have to host my App Service in an App Service Environment? I've seen mention of configuring a proxy server, but don't know how to set that up.
Thanks, David
Upvotes: 2
Views: 1921
Reputation: 701
You can lock it down just to outbound IP addresses used by your web app. The IP addresses are listed in the portal under "Properties" if you navigate to your app. An example is shown at https://blogs.msdn.microsoft.com/waws/2017/02/01/how-do-i-determine-the-outbound-ip-addresses-of-my-azure-app-service/.
This solution is not perfect though as outbound IP addresses are shared with some other apps hosted in the same region by App Service, but it still greatly reduces the space of IPs which can access your database.
Upvotes: 3
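A script that applies this answer's approach, added here as an example (it is not the answer's own code): it takes the app's outbound IP list in the format `az webapp show` prints, creates one single-address SQL firewall rule per IP, and finally deletes the AllowAllWindowsAzureIps rule that backs the 'Allow access to Azure services' switch. The resource names and the sample IP list are placeholders, and DRY_RUN=1 (the default) only prints the az commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. RG, APP and SQLSERVER are
# placeholders; the IPS default is a constructed sample (TEST-NET ranges),
# not real App Service addresses. DRY_RUN=1 prints, DRY_RUN=0 executes.
set -euo pipefail

RG="${RG:-my-resource-group}"
APP="${APP:-my-app-service}"
SQLSERVER="${SQLSERVER:-my-sql-server}"
DRY_RUN="${DRY_RUN:-1}"
# Real use: IPS="$(az webapp show -g "$RG" -n "$APP" \
#            --query possibleOutboundIpAddresses -o tsv)"
# possibleOutboundIpAddresses covers every IP the app can use after scaling,
# not only the ones active right now.
IPS="${IPS:-203.0.113.10,203.0.113.11,198.51.100.7}"

# Emit one `az sql server firewall-rule create` line per IPv4 address in a
# comma-separated list (the tsv format az returns). Malformed entries abort,
# so a typo cannot silently become a wrong or overly wide rule.
build_rules() {
  local server="$1" rg="$2" ips="$3" ip i=0
  local -a addrs=()
  IFS=',' read -ra addrs <<< "$ips"
  for ip in "${addrs[@]}"; do
    ip="${ip//[[:space:]]/}"
    [ -n "$ip" ] || continue
    if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
      echo "invalid address: $ip" >&2; return 1
    fi
    i=$((i + 1))
    # start == end: a single-host rule, no wider than needed
    echo "az sql server firewall-rule create --resource-group $rg --server $server --name appsvc-out-$i --start-ip-address $ip --end-ip-address $ip"
  done
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else eval "$@"; fi; }

main() {
  local cmd
  while IFS= read -r cmd; do run "$cmd"; done < <(build_rules "$SQLSERVER" "$RG" "$IPS")
  # With per-IP rules in place, the 0.0.0.0 rule behind "Allow access to
  # Azure services" can be removed.
  run az sql server firewall-rule delete -g "$RG" -s "$SQLSERVER" --name AllowAllWindowsAzureIps
}

# Run main only when executed directly, so the functions can also be sourced.
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Review the printed commands first; then rerun with DRY_RUN=0 and the real IPS value to apply them.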
Reputation: 15608
If you are looking for more security, consider using virtual network rules. This way you can remove Allow all Azure Services from your Azure SQL Servers and replace it with a VNet Firewall Rule. However, this affects some Azure SQL Database features like Query Editor, Import/Export service, table auditing and SQL Data Sync. For more information, please read this documentation.
Upvotes: 0