Reputation: 185
Harden the security between Azure Web Apps and Azure SQL Database
For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.
For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?
or I need to do something else?
Upvotes: 1
Views: 1516
Answers (5)
Reputation: 2662
- Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
- Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
Upvotes: 0
Reputation: 88852
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
Upvotes: 2
Reputation: 345
Some of the ways to secure the connection to the sql database that could be considered in this case are -
As you mentioned you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the sql server level and the database level(we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way(even if we were not using azure db) we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure db provides is the Threat Detection Capability. If you turned that on we would be notified of the possible vulnerabilities of the current db/server setup. And also where can we make improvements to fix those issues.
Upvotes: 0
Reputation: 1852
This is not as easy as it should be. SQL Azure is not designed to be virtual network friendly so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
Upvotes: 2
Reputation: 72151
In short yes.
You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.
Upvotes: -1
Related Questions
- Allow Azure services to webapp?
- How to secure access from App Service To Azure Sql Database using virtual network?
- Limit sql azure access from an azure web app
- Limit access to Azure SQL Server to specific azure web apps
- secured environment for web App Azure
- SQL Server Integrated Security from an Azure Web Site
- How to secure Azure SQL database used by Web API and Application (Azure AD)
- How to secure credentials for SQL Azure DB connectivity?
- Filter access to sql Server hosted to Azure from Web App Azure
- Secure ASP.net application with Azure SQL Databases on Azure