Allow Azure services to webapp?

Time:02-22

I have set up a free tier Azure web app and also a basic tier Azure SQL database. However, I noticed that I have to enable "Allow Azure Services" in the SQL database firewall settings to allow database connectivity to my web app. I am not sure if this is safe, as I have read that other Azure subscriptions can have access to my DB and also my DB server.

Is there a setting or security rule that I can implement or configure without enabling "Allow Azure Services"?

I would be grateful for any information.

CodePudding user response:

You can connect your web app to the Azure SQL database by using private connectivity.

The web app can securely connect to a backend database over a fully private connection. The public internet can't reach the database, which eliminates a common attack vector.

Also, you have other options to connect your web app securely to the database:

  • An alternative approach for private connectivity is an App Service Environment for hosting the web application within an isolated environment, with Azure SQL Managed Instance as the database engine.

  • As an alternative to the Private Endpoint, you can use a Service Endpoint to secure the database. With a Service Endpoint, the private endpoint, the PrivateLinkSubnet, and the Route All regional VNet integration setting are unnecessary. You still need regional VNet Integration to route incoming traffic through the Virtual Network.

For complete information, check the Microsoft document "Web app private connectivity to Azure SQL database", which explains how to connect a web app securely.

CodePudding user response:

Yes, if you enable "Allow Azure Services" on your Azure SQL database, this allows services that run on Azure to access your database from a firewall perspective, even if those services are not yours. Still, to access the database, one would also need to know:

  1. The name of the server hosting the database
  2. The name of the database
  3. Valid credentials for access

If you do want an added layer of security, there are several solutions available, as SaiSakethGuduru-MT mentioned in their answer.

Another alternative, which is probably the easiest to accomplish, is to have your application use a Managed Identity and to configure the database to use only Azure Active Directory (Azure AD) authentication.

With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

This way, a connection string will not give access to the database. The identities that do have access are manageable in your own Azure AD tenant.
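The database-side steps that go with the Managed Identity advice in the answer above, as an added worked example rather than code from either answer. It assumes a server `myserver`, a user database `mydb`, and a web app `mywebapp` whose system-assigned managed identity carries the app's name; the firewall rule name `AllowAllWindowsAzureIps` is what the portal's "Allow Azure services" toggle creates in my experience, so check the first query's output against your own server before deleting anything.

```sql
-- Added example, not part of the original answers.
-- Assumed names: server "myserver", database "mydb", web app "mywebapp".

-- 1. Connected to the master database as the server's Azure AD admin:
--    list server-level firewall rules. The "Allow Azure services" toggle
--    appears as AllowAllWindowsAzureIps with the 0.0.0.0 - 0.0.0.0 range
--    (assumption based on observed behaviour; confirm it on your server).
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
ORDER BY name;

-- 2. Remove that rule so arbitrary Azure-hosted services no longer pass the
--    firewall. Connectivity must then come from VNet integration / a private
--    endpoint, or from a narrow rule for the app's own outbound addresses.
EXEC sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';

-- 3. Now connected to the user database "mydb": create a contained user mapped
--    to the web app's managed identity. No password exists to leak through a
--    connection string; the app fetches a short-lived token at run time.
CREATE USER [mywebapp] FROM EXTERNAL PROVIDER;

-- 4. Least privilege: grant only what the app needs instead of db_owner.
ALTER ROLE db_datareader ADD MEMBER [mywebapp];
ALTER ROLE db_datawriter ADD MEMBER [mywebapp];
-- Narrower still, per-object grants (table name is hypothetical):
-- GRANT SELECT, INSERT ON dbo.Orders TO [mywebapp];

-- 5. Verify the mapping: an Azure AD identity shows up as an external
--    principal (type_desc EXTERNAL_USER) rather than a SQL login.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'mywebapp';
```

On the application side the connection string then carries no secret, for example `Server=tcp:myserver.database.windows.net,1433;Database=mydb;Authentication=Active Directory Managed Identity;` with Microsoft.Data.SqlClient, and the server can be locked to Azure AD logins only with `az sql server ad-only-auth enable`. One caveat for the question's setup: regional VNet integration and private endpoints are not available on the Free App Service tier, so on that tier the realistic replacement for the blanket rule is an IP rule for the app's listed outbound addresses, which change when the app is scaled or moved and so need to be kept in sync.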
