
5 Steps to Secure Communication Using Azure App Service and Azure SQL

When we design an architecture in Azure that involves a database, we often miss one small detail. By default, traffic to an Azure database service goes through the service's public, internet-exposed endpoint. In other words, our data travels over the public internet.

Private endpoints

But what is a private endpoint? According to the Microsoft documentation, it is:

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that’s powered by Azure Private Link. By enabling a private endpoint, you’re bringing the service into your virtual network.

Basically, this is a private IP address allocated from our Virtual Network that we can use to connect to one of many services, such as:

As the last point mentions, we can even use our own service; an example is Azure Data Factory connecting to on-premises database servers through a Managed Virtual Network and a Private Link Service.

Secure communication in 5 steps

So we have an application architecture like the one in the diagram below, which is the most common and simplest approach when we deploy an application to Azure.

(Diagram: HLD architecture)

The services we have here:

  • Azure App Service as the compute platform, using the Standard tier for the production workload
  • Azure SQL as the database where we store our relational data

Step 1 - Creation of VNET and Subnets

As the first step, we create a new Virtual Network in our Resource Group with at least two subnets. In my sample I create the VNET adv001-vnet with the address range 10.0.0.0/20. In this VNET I have two subnets, adv001-app-snet and adv001-private-snet; into the latter I will later add my Private Endpoint interface.

In the application subnet adv001-app-snet we should remember about the Service Endpoint to Microsoft.Sql. As @mgrabarz pointed out, however, a Service Endpoint is not required in this scenario, since we are using Private Link. It may be worth writing a comparison between Service Endpoints and Private Link in the context of App Service.

(Screenshot: Service Endpoint)

Step 2 - Change Network settings on Azure SQL

We need to disable the Allow Azure services setting on our Azure SQL instance. Disabling it blocks all communication from Azure services over the public endpoint of the DB server.

(Screenshot: Allow Azure Services)

Under the Private endpoint connections tab we need to create a Private endpoint connection together with a Private DNS Zone. This interface should be created in the subnet adv001-private-snet.

Step 3 - App Service Standard tier

To be able to use App Service VNET integration with the private interface we created in the previous step, we need to scale up to one of the Production tiers.

Step 4 - App Service VNET integration

App Service integration with a VNET is quite a simple task; we only need to remember a few settings: Route All, and selecting the correct subnet, which in our case is adv001-app-snet.

The Route All setting is what makes the App Service resolve the DNS name of our Azure SQL instance to the IP of its private interface.

(Screenshot: App Service VNET)

Step 5 - Use of contained user or managed identity

To secure our database we have two options. The first is a contained user:

Contained user access to contained databases - SQL Server

Another option, which is even more secure, is to use a Managed Identity and authorize our DB user with Azure AD:

Tutorial: Access data with managed identity - Azure App Service
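The five steps above can be expressed as one deployment. The Bicep template below is an added example written for this page, not code from the original post or from Microsoft; the adv001-vnet, adv001-app-snet and adv001-private-snet names and the 10.0.0.0/20 range come from the post, while the subnet prefixes, the resource names adv001-sql, adv001-sql-pe, adv001-plan and adv001-app, and the Azure AD admin parameters are assumptions. It also goes one step further than Step 2: instead of only unticking Allow Azure services, it disables public network access on the SQL server entirely, so the only path left is the private endpoint.

```bicep
// Added example (not from the original post): the five steps as one Bicep template.
// Assumed names: adv001-sql, adv001-sql-pe, adv001-plan, adv001-app, subnet prefixes.
param location string = resourceGroup().location
@description('Azure AD object id of the group that administers the SQL server (assumption)')
param sqlAdminObjectId string
@description('Display name of that Azure AD admin group (assumption)')
param sqlAdminLogin string

// Step 1: VNET with an app subnet (delegated to App Service for VNET integration)
// and a private subnet that will hold the Private Endpoint NIC. No Service Endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'adv001-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/20' ] }
    subnets: [
      {
        name: 'adv001-app-snet'
        properties: {
          addressPrefix: '10.0.0.0/24'
          delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      {
        name: 'adv001-private-snet'
        properties: {
          addressPrefix: '10.0.1.0/24'
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

// Step 2: SQL server that accepts no connections on its public endpoint at all,
// and has an Azure AD admin only (no SQL login/password to leak).
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'adv001-sql'
  location: location
  properties: {
    publicNetworkAccess: 'Disabled'
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: sqlAdminLogin
      sid: sqlAdminObjectId
      tenantId: subscription().tenantId
      azureADOnlyAuthentication: true
    }
  }
}

// Private endpoint NIC in adv001-private-snet, attached to the SQL server.
resource sqlPe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'adv001-sql-pe'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [
      {
        name: 'adv001-sql-plsc'
        properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] }
      }
    ]
  }
}

// Private DNS zone (public Azure cloud name) linked to the VNET, so that the
// server's FQDN resolves to the private endpoint IP from inside the network.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'adv001-vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } }
}

resource peDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: sqlPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}

// Step 3: a production (Standard) tier is required for VNET integration.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'adv001-plan'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}

// Steps 4 and 5: VNET integration into adv001-app-snet with Route All, plus a
// system-assigned managed identity the app presents to SQL instead of a password.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'adv001-app'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    siteConfig: { vnetRouteAllEnabled: true, minTlsVersion: '1.2' }
  }
}

// Object id of the app's identity, needed when creating its database user.
output appPrincipalId string = app.identity.principalId
```

Two things remain after the deployment. First, the managed identity still has no database user: connect to the database as the Azure AD admin and run `CREATE USER [adv001-app] FROM EXTERNAL PROVIDER;` followed by `ALTER ROLE db_datareader ADD MEMBER [adv001-app];` (add db_datawriter only if the app needs it). Second, verify that Route All and the private DNS zone took effect: from the App Service console run `nslookup adv001-sql.database.windows.net` and confirm the answer is an address in 10.0.1.0/24, not a public IP. If it still resolves publicly, the connection will fail with public network access disabled, which is the safe failure mode.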

Photo by FLY:D on Unsplash