Azure function connectionstring for Azure SQL trough VNet

Question

I would like to know how to access my Azure SQL database in a secure way from my Azure Function App, meaning not via public Internet.

I have an Function App (Function App Plan - standard tier), using VNET/Gateway integration. I have specified a service EndPoint for Microsoft.SQL ... I enabled the Virtual network access on Azure SQL database ....

When the Azure function tries to connect to the sql db, it uses the 'normal' connectionstring, which includes the sql database server name as dns label, then I get the error that my ip address is not allowed access. The ip address is the outbound IP address of the Azure function app.

I think this error implies that the function app is trying to connect to the Azure SQL database via public internet. The idea is that this requests should reach the Azure SQL database through the VNet.

My guess is that the connection string should be different. Any suggestions?

Solution

When the Azure function tries to connect to the sql db, it uses the 'normal' connectionstring, which includes the sql database server name as dns label, then I get the error that my ip address is not allowed access.

When we try to connect the sql database, the network traffic will go through the Internet. Because Azure service resources can be secured to your virtual network. Securing service resources to a virtual network provide improved security by fully removing public Internet access to resources, and allowing traffic only from your virtual network.

Like this, Internet network traffic will can't access this service(SQL database): enter image description here

If you want to connect Azure function app and Azure SQL database, we should deploy Azure function app in Azure Vnet, we should use App Service Environment to deploy it.

More information about App Service environments, please refer to this article.