How to secure access from App Service To Azure Sql Database using virtual network?

Question

Scenario

I want to use a virtual network in order to limit access to Azure Database only from my App Service, so that I can turn off "Allow access to App Services" in firewall settings.

Allow access to App Services screenshot

What I have done:

  1. I went to App Service -> Networking -> VNET Integration -> Setup -> Create New Virtual Network
  2. I've created new VNET with default settings.
  3. When VNET was created I went to App Service -> Networking -> VNET Integration and ensured that the VNET is connected
  4. I went to SQL Firewall settings -> Virtual Network -> Add existing Virtual Network and selected my VNET. I've left the default subnet and address space: "default / 10.0.0.0/24" and I've left the IgnoreMissingServiceEndpoint flag unchecked.

I can now see the Microsoft.Sql service endpoint in my VNET.

Question

However, I'm still getting

SqlException: Cannot open server 'my-sqlserver' requested by the login. Client with IP address '52.233..' is not allowed to access the server.:

What am I missing?

Solution

Unfortunately, you cannot achieve this scenario for now.

Why:

  1. When you use VNET Integration with your Web App, your web App can communicate with the VNET like Web App <---> VNET.

  2. When you use the SQL firewall to allow traffic from a specific VNet, the traffic from the VNET address space can communicate with your SQL server, like VNet <---> SQL server.

  3. When all configurations are set up, your scenario should be Web App <---> VNET <---> SQL server. The important thing is that the traffic from the Web App cannot go through the VNET to the SQL server, because the Web App is not within the VNET, it's outside the VNET! So, when your Web App tries to access the SQL server, the traffic is not from the VNET.

Solution:

The solution is to put your Web App into the VNet. So, you can use Azure ASE to achieve this.

Reference:

VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, start with the article here: Creating and using an ILB ASE.

Similar case: App Service VNet Integration with Azure Storage Service Endpoint
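As an added illustration of the point the answer makes (this is example code, not from the post or from Azure), the check below takes the client address that the SqlException reports and asks which kind of SQL firewall rule could admit it: a VNet rule only matches a source address inside the rule's subnet, so a connection arriving from the app's public outbound address can only ever match an IP rule. The error text, the placeholder public address standing in for the truncated '52.233..' value, and the IP firewall rule range are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input, not from the page: the SqlException text from the
# question with a placeholder address in place of the truncated '52.233..', and
# the VNet subnet the asker added under Firewall -> Virtual Network.
SQL_ERROR = ("SqlException: Cannot open server 'my-sqlserver' requested by the login. "
             "Client with IP address '198.51.100.7' is not allowed to access the server.")
VNET_RULES = ["10.0.0.0/24"]                    # subnets referenced by VNet rules
IP_RULES = [("203.0.113.10", "203.0.113.20")]   # hypothetical start/end IP rules


def client_ip_from_error(message):
    """Extract the client address that SQL reports in the login failure."""
    m = re.search(r"Client with IP address '([0-9a-fA-F.:]+)'", message)
    return m.group(1) if m else None


def matching_rule(client_ip, vnet_rules, ip_rules):
    """Return which kind of SQL firewall rule would admit client_ip, or None.

    A VNet rule only matches traffic whose source address lies in that subnet.
    Traffic that leaves an App Service through its public outbound address
    carries that public address, so it can only ever match an IP rule.
    """
    ip = ipaddress.ip_address(client_ip)
    for prefix in vnet_rules:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return "vnet-rule"
    for start, end in ip_rules:
        if ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
            return "ip-rule"
    return None


def diagnose(message, vnet_rules, ip_rules):
    """Map a login failure to (client_ip, rule kind that would match, or None)."""
    ip = client_ip_from_error(message)
    return None if ip is None else (ip, matching_rule(ip, vnet_rules, ip_rules))


if __name__ == "__main__":
    # For the sample above: the reported address is in no VNet subnet and no
    # IP rule, which is exactly the situation the answer describes.
    print(diagnose(SQL_ERROR, VNET_RULES, IP_RULES))
```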