Networking is a key pillar of every IT environment. In this session you will learn how to use Azure networking to secure and control the traffic flowing to and from your databases, whether they run on on-premises SQL Server or on Azure SQL.
3. Agenda
Azure SQL Connectivity
Azure SQL Firewall Rules
VNet Service Endpoints
Secure the Connection between Azure App Services and Databases
On-Prem SQL Server with App Service
Azure Private Link
Q&A
4. Azure SQL Connectivity Process
• The client connects to the server's public IP address on port 1433; that
address is answered by an Azure SQL gateway, not by the database node itself.
• Depending on the connection policy in force, the gateway either redirects
the client to the node or proxies the traffic through to the DB cluster.
• Within the DB cluster the traffic is forwarded to the right database.
6. Azure SQL Connection Policies
• Redirect: after the initial handshake with the gateway, the traffic from the
client goes directly to the node hosting the database, resulting in lower
latency and higher throughput. The client (and any NSG or on-prem firewall in
the path) must therefore allow outbound TCP 1433 plus 11000-11999 to Azure SQL,
not just 1433.
• Proxy: all traffic from the client is proxied via the Azure SQL Database
gateways, resulting in higher latency and lower throughput; only outbound
TCP 1433 is needed.
• Default: unless you explicitly set a connection policy, it is "Redirect" for
traffic originating from within Azure and "Proxy" for traffic originating
from outside Azure.
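The connection policy is a child resource of the logical server, so it is read and set through the generic resource cmdlets rather than a dedicated Set-AzSqlServer switch. The following Az PowerShell script is an added example, not part of the deck: it reads the effective policy, forces Redirect, and opens the outbound ports Redirect needs in a network security group using the "Sql" service tag. The resource group "rg-data", server "sql-demo", NSG "nsg-app" and the "Default" policy resource name are assumed, and an Azure session (Connect-AzAccount) is expected to exist.

```powershell
# Added example (not from the deck). Assumed: Connect-AzAccount already done,
# resource group "rg-data", logical server "sql-demo", NSG "nsg-app" on the client subnet.
$rg = "rg-data"; $server = "sql-demo"

# The policy lives at <server resource id>/connectionPolicies/Default.
$policyId = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).ResourceId +
            "/connectionPolicies/Default"

# Read what is in force: "Default" = Redirect from inside Azure, Proxy from outside.
$policy = Get-AzResource -ResourceId $policyId
"Current connection policy: $($policy.Properties.connectionType)"

# Force Redirect for every client (lower latency; no gateway hop after the handshake).
Set-AzResource -ResourceId $policyId -Properties @{ connectionType = "Redirect" } -Force | Out-Null

# Redirect only works if the client can reach the database node directly:
# TCP 1433 to the gateway for the handshake, then TCP 11000-11999 to the node.
# Allow both outbound with the "Sql" service tag instead of hard-coding gateway IPs.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-app"
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-sql-redirect" `
    -Direction Outbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationAddressPrefix "Sql" -DestinationPortRange @("1433", "11000-11999") | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Confirm the change took effect.
(Get-AzResource -ResourceId $policyId).Properties.connectionType
```

If you set Redirect but leave 11000-11999 blocked, logins succeed against the gateway and then time out on the redirected connection, which looks like an intermittent outage rather than a firewall problem; check the outbound rule before blaming the database.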
8. Server-level vs Database-level Firewall rules

Server-level
• Allows access to all databases within the server.
• The rules are stored in the master database.
• Can be configured via:
  • Azure Portal
  • PowerShell
  • Transact-SQL statements

Database-level
• Allows access to specific databases within the server.
• The rules are stored in the individual database.
• You can't configure them until you have first configured a server-level rule,
because the client needs that rule to connect to the database and create them.
• Can be configured via Transact-SQL statements only.
• A database-level range only restricts clients that no server-level rule
already admits: a client whose IP address matches a server-level range can
reach every database on the server whatever the database-level rules say. To
limit a database to a narrower range, give it database-level rules and keep the
server-level rules correspondingly tight.
9. How does the Firewall work for Azure SQL?
• When a client initiates a connection, Azure SQL first checks whether the
client IP address is within an allowed range at the database level.
• If it is, the connection is forwarded to the requested database.
• If not, it checks whether the client IP address is within an allowed range at
the server level.
• If it is, the connection is forwarded to the server, where the client can
connect to any database it wants within that server.
• If neither level allows the address, the connection is refused.
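Putting slides 8 and 9 together: a server-level rule is created with the Az cmdlets, a database-level rule can only be created with T-SQL inside the target database, and the order of evaluation means a broad server-level rule silently overrides a narrow database-level one. The script below is an added example, not code from the deck. It assumes the SqlServer PowerShell module (for Invoke-Sqlcmd), resource group "rg-data", server "sql-demo", database "appdb", an admin workstation at 203.0.113.10 and an application tier in 198.51.100.0/29; all of these are made-up values.

```powershell
# Added example (not from the deck). Assumed: Az and SqlServer modules, Connect-AzAccount done,
# resource group "rg-data", logical server "sql-demo", database "appdb",
# admin workstation 203.0.113.10, app tier 198.51.100.0-198.51.100.7.
$rg = "rg-data"; $server = "sql-demo"; $database = "appdb"

# 1. Server-level rule: stored in master, admits this IP to EVERY database on the server.
#    It has to exist first, otherwise the admin cannot connect to create database-level rules.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName "admin-workstation" `
    -StartIpAddress "203.0.113.10" -EndIpAddress "203.0.113.10" | Out-Null

# 2. Database-level rule: T-SQL only, executed in the target database (not master).
#    sp_set_database_firewall_rule writes to sys.database_firewall_rules of that database.
$cred = Get-Credential -Message "SQL admin login for $server"
$tsql = @"
EXECUTE sp_set_database_firewall_rule N'app-tier', '198.51.100.0', '198.51.100.7';
SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules;
"@
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $database `
    -Credential $cred -Query $tsql | Format-Table

# 3. Review the server-level rules. Because they are evaluated after the database-level
#    rules but grant the whole server, any range here also reaches appdb, whatever the
#    app-tier rule says. The 0.0.0.0-0.0.0.0 rule (AllowAllWindowsAzureIps) admits
#    resources from ANY Azure tenant, so treat it as a finding and remove it.
$rules = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server
$rules | Format-Table FirewallRuleName, StartIpAddress, EndIpAddress

$allAzure = $rules | Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" }
foreach ($r in $allAzure) {
    Write-Warning "Removing '$($r.FirewallRuleName)': it allows all Azure services to every database."
    Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
        -FirewallRuleName $r.FirewallRuleName -Force
}
```

The check in step 3 is the one worth automating: compare every server-level range against the database-level ranges you intended to be authoritative, and flag any server-level range that is wider than the narrowest database-level rule it overlaps.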
11. VNet Service Endpoints
• Extend the VNet to Azure services: traffic from the subnet arrives at the
service with the subnet's private address as its source, so the service can be
locked to that subnet (a VNet rule on the Azure SQL server).
• Make use of the Microsoft Azure backbone network; the traffic never leaves it
for the public internet.
• Faster, reliable and secure, but the service keeps its public endpoint:
clients outside the VNet are still governed by the IP firewall rules.
12. How do Service Endpoints Work?
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#securing-azure-services-to-virtual-networks
13. Services that support Service Endpoints
• Azure Storage
• Azure SQL Database
• Azure SQL Data Warehouse
• Azure Database for PostgreSQL server
• Azure Database for MySQL server
• Azure Database for MariaDB
• Azure Cosmos DB
• Azure Key Vault
• Azure Service Bus
• Azure Event Hub
• Azure Data Lake Store Gen 1
• Azure App Service
• Azure Container Registry (Preview)
16. Securing Web App to DB Connection Patterns
• Pattern 1: VNet Integration: App Service (reached from the Internet) ->
Point-to-Site VPN -> Azure Virtual Network -> Service Endpoints -> Azure SQL /
Azure Storage
• Pattern 2: Extending VNets: App Service Environment deployed inside the Azure
Virtual Network -> Service Endpoints -> Azure SQL / Azure Storage
17. New VNet Integration
• No gateway needed
• Support for ExpressRoute and Service Endpoints
• Requires subnet delegation (to Microsoft.Web/serverFarms) on the integration
subnet to allow access between App Service and Azure SQL
(Diagram: App Service, reached from the Internet, integrated into a delegated
subnet of the Azure Virtual Network and reaching Azure SQL through a Service
Endpoint.)
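Slides 11 to 17 describe one procedure: delegate a subnet to App Service, enable the Microsoft.Sql service endpoint on it, integrate the web app into it, and then restrict the SQL server to that subnet with a VNet rule. The Az PowerShell script below is an added example covering both the service-endpoint slides and the VNet Integration slide; it is not code from the deck. It assumes resource group "rg-data", VNet "vnet-app", subnet "snet-web", web app "web-demo" and SQL server "sql-demo", and it sets the app's integration subnet through the site resource property virtualNetworkSubnetId via Set-AzResource.

```powershell
# Added example (not from the deck). Assumed: Connect-AzAccount done, resource group "rg-data",
# VNet "vnet-app" with subnet "snet-web", web app "web-demo", logical SQL server "sql-demo".
$rg = "rg-data"; $vnetName = "vnet-app"; $subnetName = "snet-web"
$app = "web-demo"; $server = "sql-demo"

# 1. Prepare the subnet: delegate it to App Service (required by regional VNet Integration)
#    and enable the Microsoft.Sql service endpoint so traffic to Azure SQL is sourced from the
#    subnet's private address instead of the app's shared outbound public IPs.
#    Set-AzVirtualNetworkSubnetConfig rewrites the subnet, so re-pass -NetworkSecurityGroup
#    and -RouteTable here if the subnet already has them, or they will be dropped.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$delegation = New-AzDelegation -Name "appservice" -ServiceName "Microsoft.Web/serverFarms"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Sql" `
    -Delegation $delegation | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Attach the web app to the delegated subnet (regional VNet Integration, no gateway).
$site = Get-AzResource -ResourceGroupName $rg -ResourceType "Microsoft.Web/sites" -ResourceName $app
$site.Properties.virtualNetworkSubnetId = $subnet.Id
$site | Set-AzResource -Force | Out-Null

# 3. Let only that subnet through the SQL firewall. The VNet rule admits the subnet's private
#    address space; no public IP of the app needs to be whitelisted any more.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-$subnetName" -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 4. Verify the rule is Ready (the endpoint on the subnet is provisioned) and flag any IP rules
#    that still exist: they keep admitting public clients regardless of the VNet rule.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server |
    Format-Table VirtualNetworkRuleName, State
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server | ForEach-Object {
    Write-Warning "IP rule '$($_.FirewallRuleName)' ($($_.StartIpAddress)-$($_.EndIpAddress)) still bypasses the VNet rule"
}
```

The warning loop in step 4 is the part that usually matters in a review: teams add the VNet rule and forget the "allow all Azure services" or office-IP rules that were there before, so the database is not actually restricted to the subnet.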
20. App Service Hybrid Connection
• Allows App Service to access on-prem services securely
• The on-prem service doesn't have to be internet accessible
• A single app service can reach endpoints in multiple networks
• All connections are outbound from the on-prem Hybrid Connection Manager over
standard web ports (TCP 443 to Azure Relay), so no inbound firewall holes are
needed
22. Azure Private Link
• Provides private connectivity from the VNet, peered networks and on-premises
(over VPN or ExpressRoute private peering)
• Built-in exfiltration protection: a private endpoint maps to one specific
resource, so a compromised host in the subnet cannot use the same path to reach
an arbitrary Azure SQL server, whereas a service endpoint opens the whole service
• Improved control over the services: a predictable IP address space to consume
them, integration with Azure DNS private zones, and an approval workflow for
connections
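The three bullets map onto four concrete steps: create the private endpoint, make the server's public name resolve to the endpoint's private IP, deny public network access, and verify resolution from inside the VNet. The Az PowerShell script below is an added example, not code from the deck; it assumes resource group "rg-data", VNet "vnet-app", subnet "snet-data" and SQL server "sql-demo", and a Windows host for the final Resolve-DnsName check.

```powershell
# Added example (not from the deck). Assumed: Connect-AzAccount done, resource group "rg-data",
# VNet "vnet-app" with subnet "snet-data", logical SQL server "sql-demo".
$rg = "rg-data"; $vnetName = "vnet-app"; $subnetName = "snet-data"; $server = "sql-demo"

$sql    = Get-AzSqlServer -ResourceGroupName $rg -ServerName $server
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Private endpoint: a NIC in snet-data that fronts this one server only (group id "sqlServer").
#    Same-subscription owners are auto-approved; add -ByManualRequest to New-AzPrivateEndpoint to
#    force the resource owner's approval workflow when the consumer is another team or tenant.
$conn = New-AzPrivateLinkServiceConnection -Name "$server-plsc" `
    -PrivateLinkServiceId $sql.ResourceId -GroupId "sqlServer"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "$server-pe" -Location $vnet.Location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. DNS: sql-demo.database.windows.net CNAMEs to sql-demo.privatelink.database.windows.net.
#    A private zone with that name, linked to the VNet and populated by a zone group, makes
#    clients in the VNet get the private IP while everyone else still sees the public one.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.database.windows.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name "privatelink-database-windows-net" `
    -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Close the public door. With public network access denied, neither IP firewall rules nor
#    VNet (service endpoint) rules admit anything; only private endpoints do.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess "Disabled" | Out-Null

# 4. Verify from a VM inside vnet-app: the answer must be the private IP from snet-data.
#    From outside the VNet the same query still returns a public gateway address.
Resolve-DnsName "$server.database.windows.net" | Select-Object Name, Type, IPAddress
```

Run step 3 last: if public access is denied before the private DNS zone is linked, every existing client, including the one running this script, loses the server until resolution inside the VNet returns the private address.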