Reputation: 5157
How to connect from Web App to SQL Database in another region "privately"?
Is there a way to establish a connection from Azure Web App to Azure SQL Database in another region "privately", that is without having to leave database open to the public.
Specifically, I would like my database to have the following firewall options set on the database:
- "Deny public network access" - YES
- "Allow Azure services and resources to access this server" - NO
What I have tried unsuccessfully (it is possible that I got something wrong in my setup):
- VNET-VNET peering - allows cross region VNET connection but does not seem to work for Web App
- SQL Database Private Endpoint - Endpoint was created in VNET hosted in the same region as Web App.
Update: Tried to follow instructions in Azure Global VNet peering and WebApps but I am not sure what VNET should gateways be created in? Create a gateway first in the remote network then checked "App Service Plan" blade, then created Gateway in the Web App VNET, still no luck.
In the "App Service Plan" blade, all of the gateway related settings are greyed out and gateway status is "N/A". "Sync Network" button is greyed out.
Upvotes: 0
Views: 3318
Answers (2)
Reputation: 312
You should be able to do this using a Private Link, there are instructions on the following Microsoft documentation: Multi-region web app with private connectivity to database
However, the part about adding the private link (i.e. part 3a of the "Deploy this scenario" section) isn't very clear as to what settings you need to select when actually creating the Private Link so I have created a blog post which helps to explain this part a bit better with screenshots: Connect from Azure Web App to Azure SQL Database in another region using Private Link
Upvotes: 1
Reputation: 28234
Firstly, your linked SO answer is used to access Azure VMs from Azure web app. The Azure VMs are Azure IaaS. However, the Azure SQL database is Azure PaaS. You don't need to follow it in this scenario.
If you want to connect from Web App to Azure SQL Database in another region in a security way, you could do the these two steps:
- Enable regional VNet Integration with app service in the same region.
- Add the integrated subnet in the firewall and virtual networks in the Azure SQL database server. If selected subnet does not have service endpoint enabled for
Microsoft.Sql. Enabling access may take up to 15 minutes to complete.
For more information, you could refer to this blog.
The above method will add the integrated subnet in the SQL server firewall. If you don't like to add it, you may consider to use Azure Private Link and with gateway required VNet integration. See this blog for more information. You could make sure you have set up the gateway in your virtual network (it will have private endpoint for SQL database and in the same region as the SQL database) well. see Use cases of Private Link for Azure SQL Database for more details.
Upvotes: 0
Related Questions
- How do I connect to Azure SQL Database using Private Endpoint trough VPN gateway
- Limit Azure Sql Database to only be accessible from certain Azure App Service, in different regions
- Access Azure SQL from Azure WebApp via Managed Identity and Private EndPoint
- Allow Azure Web App to Access Database on the VM Without Exposing that VM to the World
- How to secure access from App Service To Azure Sql Database using virtual network?
- How to connect to a Sql Server VM via private IP with Azure Website
- Accessing Azure SQL database from anywhere
- Accessing Azure SQL Database with on-premises web application(s)
- Azure website need to connect on-premises SQL
- Connect to a database from Azure Website using Integrated Security