I want to use a virtual network in order to limit access to Azure Database only from my App Service, so that I can turn off "Allow access to App Services" in the firewall settings.
However, I'm still getting
SqlException: Cannot open server 'my-sqlserver' requested by the login. Client with IP address '52.233..' is not allowed to access the server.:
What am I missing?
Unfortunately, you cannot achieve this scenario for now.
When you use VNET Integration with your Web App, your web App can communicate with the VNET like
Web App <---> VNET.
When you use the SQL firewall to allow traffic from a specific VNet, the traffic from the VNET address space can communicate with your SQL like
VNet <---> SQL server.
When all configurations are set up, your scenario should be
Web App <---> VNET <---> SQL server. The important thing is that the traffic from the Web App cannot go through the VNET to the SQL server, because the Web App is not within the VNET, it's outside the VNET! So, when you use the Web App to try to access the SQL server, the traffic is not from the VNET.
The solution is to put your Web App into the VNet. So, you can use Azure ASE to achieve this.
VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, start with the article here: Creating and using an ILB ASE.
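As an added illustration of the answer's point (not code from the question or the answer), the script below takes the client IP that Azure SQL reports in the "is not allowed to access the server" error and checks whether it falls inside the VNet address space that the SQL firewall rule would match. The error text and the `10.0.0.0/16` address space are constructed sample values; if the reported IP is outside that space, a VNet firewall rule cannot admit the connection, which is exactly the situation the answer describes.

```python
import ipaddress
import re

# Constructed sample error text. It mirrors the shape of the SqlException in the
# question but uses a documentation address (203.0.113.10), not the asker's IP.
SAMPLE_ERROR = (
    "Cannot open server 'my-sqlserver' requested by the login. "
    "Client with IP address '203.0.113.10' is not allowed to access the server."
)

# Hypothetical address space of the VNet the App Service is integrated with.
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]

# Pull the quoted client address out of the Azure SQL firewall error message.
CLIENT_IP_RE = re.compile(r"Client with IP address '([0-9a-fA-F.:]+)'")


def extract_client_ip(message):
    """Return the client IP named in the error message, or None if absent/invalid."""
    match = CLIENT_IP_RE.search(message)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def source_is_in_vnet(ip, address_space):
    """True if ip lies within any CIDR block of the VNet address space."""
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in address_space]
    return any(ip in net for net in networks)


def diagnose(message, address_space):
    """Classify where the rejected connection came from, relative to the VNet.

    'vnet-source'  : the IP is inside the VNet, so a VNet firewall rule can match it.
    'outside-vnet' : the IP is outside the VNet; only an IP rule (or moving the app
                     into the VNet, e.g. an ASE) would let it through.
    'no-client-ip' : the message did not carry a parseable client address.
    """
    ip = extract_client_ip(message)
    if ip is None:
        return "no-client-ip"
    if source_is_in_vnet(ip, address_space):
        return "vnet-source"
    return "outside-vnet"


if __name__ == "__main__":
    verdict = diagnose(SAMPLE_ERROR, VNET_ADDRESS_SPACE)
    print(f"client {extract_client_ip(SAMPLE_ERROR)} -> {verdict}")
```

Paste the real exception text in place of `SAMPLE_ERROR` and your VNet's address prefixes in place of `VNET_ADDRESS_SPACE`; an `outside-vnet` verdict confirms that the connection is being sourced from a public App Service address rather than from the integrated VNet.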