I have an AppService deployed and running on Azure. It connects to a Google Cloud PostreSQL database and have no problems.
In order to remove the connection string from the appSettings.config, I want to use an Azure connection string, which should override the appSettings.config value. I wrote should because I did it, but the value set in Azure is completely ignored.
This is my appSettings:
{
"ConnectionStrings": {
"postgres": "Host=XX.XX.XXX.XXX;Database=production;Username=portal;Password=myPassword"
}
}
As I mentioned before, it is running. IF I add a value postgres with value "Host=XX.XX.XXX.XXX;Database=production;Username=portal;Password=wrongPassword", it still works, even if it souldn't.
What am I missing?
I found the # jan-hernandez solution which can help to fix your issue.
To connect Google Cloud SQL/PostgreSQL of google you need to enable the Public IP of your Database and whitelist the Public IP of your Azure app to Allow connections between Azure app and Cloud SQL/PostgreSQL
The only way to connect to Cloud SQL/PostgreSQL from the external services is via IP connection in this document is explained step by step how to enable Public IP for your SQL server and how to whitelist the incoming IP addresses.
Refer this article about how to create a connection string using public IP
Refer here
Related
I am trying to access resources that are secured behind private endpoint from a remote location using an Azure VPN Point-to-Site connection.
So far I have setup a conditional forwarder to send DNS requests to Azure's internal DNS IP address (168.63.129.16). With my setup I can resolve all my private endpoints using nslookup to their private IP addresses. I can also connect to services such as SQL server from my local machine (using SQL Server Management Studio in the case of SQL server).
The problem I am facing is that I can only access resources if I use a desktop client for a given service. If I try to do anything using the Azure Portal, I get an error stating that I cannot access resources using my Public IP address without adding it as an inbound IP address. Whilst this is certainly an option, I don't want to go down this road.
I am hoping there is an option where I can connect to private endpoint resources from Azure Portal whilst connected to my point-to-site VPN. Any ideas?
So far I have setup a conditional forwarder to send DNS requests toAzure's internal DNS IP address (168.63.129.16). With my setup I can resolve all my private endpoints using nslookup to their private IP addresses. I can also connect to services such as SQL server from my local machine (using SQL Server Management Studio in the case of SQL server.
AfAIK, the process which you are doing is correct, To fix this issue try to update the local host file on client desktop to deploy a recourse with private endpoint please refer this link for more in detail
By default when you create a Private Endpoint in the Azure Portal it will automatically lock out public access. Service Endpoints operate by adding routes to allow traffic out of the virtual network to reach the public endpoint of the service selected. If you are access resources error, update firewall rules to communicate with your Azure resources you really need to configure v-net traffic on the firewall settings
Next option is conditional forwarder, in your scenario the ble from every v-net, its public ip it won't overlap with any private ips, it available from inside of azure v-net unique to each
In conditional for forwarder, client asks the ip of a host like www.seraltos.com .The dns server looks to see the answer if knows, if not a lookup will done based on root servers or forwarder to find the ip address returns that to the client
For more information in detail, please refer below links:
Private Endpoints and DNS in Azure & Cannot access my own public IP
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell
ADF with AIR connected to external SFTP server to grab file. This SFTP have firewall that have to whitelist IP address where connection come from. Trafix should be routed via Managed NET private endpoint and then some how to NAT gateway and public IP.
Is it possible to implement such thing ?
We want to avoid using any IaaS/VMs.
• Yes, you surely can implement such thing in your Azure environment considering that the SFTP server from which you have to grab a file is also hosted in Azure protected by an Azure firewall or even if it is not and if the SFTP server is hosted in on-premises protected by a hardware firewall, then also the setup for implementing this is quite possible.
For the above purpose, you will have to deploy a private link service and a load balancer with public IP address enabled in your tenant. Also, ensure that the load balancer is hosted in a virtual network subnet created in the same region and resource group where Azure Data Factory with Azure Integrated runtime is deployed. Since you have already deployed the ADF with AIR in the managed virtual network with private endpoints, it is possible for this managed private endpoint in an approved state to send traffic to a given private link resource.
• Once you create a private endpoint connection, it is in a ‘Pending’ state unless approved by the resource owner. If the owner approves the connection, a private link is established. Otherwise, the private link won't be established. In either case, the managed private endpoint will be updated with the status of the connection. Once, the private endpoint is setup, then you can setup the load balancer with the SFTP server’s public IP address as the backend and the private endpoint of the ADF with AIR as the frontend for you to fetch the file from the SFTP server and initiate the connection from the ADF. Kindly refer to the below reference diagram and documentation link given for more information in this regard as to how to implement the said setup using the above stated Azure resources.
https://learn.microsoft.com/en-us/azure/data-factory/tutorial-managed-virtual-network-on-premise-sql-server
In the above link, you have to connect to an on-premises SQL server instead of a SFTP server and the ADF managed private endpoint is shown connecting to another allowed Azure service resources for which instead, in your case, you can directly connect it to the Private Link service deployed in as stated earlier.
I found two options to do this:
Run SHIR at VMSS with custom extention installation.
Run SHIR at Windows Container at AKS. However AKS use VMSS behind, so VMSS looks more simple for some cases.
My goal was avoid using IaaS services to connect to external (non-Azure) SFTP server.
I have SQL Azure Database Server (not managed instance). When setup last year, I added Azure Virtual Network Gateway, and I could access the database via the VPN connection, without whitelisting the IP.
We didn't use this connection via gateway since Jan 2020. There was only couple of developers connection but had their IP whitelisted.
Recently, we tried accessing the database using this connection, and it doesn't work. Prompting to whitelist the IP. Has something changed?
It seems that you just enable Azure virtual network service endpoints for your Azure SQL database server (not managed instance) and add this subnet to your SQL network rules. With service endpoint, the traffics go over the Internet but restrict over the network. Service endpoints and Private endpoints are two different things.
To connect to your Azure SQL database via a VPN connection, you could use a private link. Private Link allows you to connect to various PaaS services in Azure via a private endpoint. You could get the detailed steps from https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview
Alternatively, you could try to use a TCP proxy server to forward traffic to the public IP address for SQL Database. Reference: https://argonsys.com/microsoft-cloud/library/using-a-tcp-proxy-to-connect-to-sql-database-over-vpn/
I've created a SQL Server and then created a private link with my TESTVNET/SUBNET1 with private IP 10.1.1.4. I've now disabled Public access for the SQL server.
I have an Azure function running on App Service which I've VNET Integrated with VNET/SUBNET2.
Subnet 2 shows it's delegated to server farms. (also if someone can explain what does delegate to means, I found I cannot create any VM in that subnet as well, probably it's just can't be useful for any other purpose)
Now when my azure function tries to connect to DB. it fails with below error:
2020-08-30T15:25:45.216 [Error] Unhandled rejection SequelizeAccessDeniedError: Cannot open server "10.1.1.4" requested by the login. The login failed.
However, if I give the public FQDN it gives me below error.
2020-08-30T15:29:43.654 [Error] Unhandled rejection SequelizeAccessDeniedError: Reason: An instance-specific error occurred while establishing a connection to SQL Server. The public network interface on this server is not accessible. To connect to this server, use the Private Endpoint from inside your virtual network.
Here the Private DNS created by Private endpoint should have been ideally used to get the private IP of the SQL database, but it seems the function is not using the private DNS probably because not running in an isolated environment.
Now in my Azure function Application settings, I've added WEBSITE_VNET_ROUTE_ALL =1 which should mean that all the requests should be routed to VNET. So now If I enable public access internet, and allow Azure services to access DB (I think azure added the public IP by default). The function gets connected to the DB.
Now I want to understand where I'm going wrong and why is the private endpoint connection not working. Any help is appreciated.
In the DB firewall settings, I've allowed traffic from below to subnets:
Network Configuration
TESTVNET: 10.1.0.0/16
SUBNET 1: 10.1.1.0/24
SUBNET 2: 10.1.2.0/24
I've disabled Service endpoint for SQL in both SUBNET 1 and SUBNET 2. My NSG has default settings i.e.
AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound
AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound.
Since my private link has a private IP present in the same VNET I don't think NSG should have any impact.
New to Azure, testing things out. Thank you for your patience.
To make Azure Function connect to a private endpoint you will need to use VNET integration.
After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones you need to add the following app settings:
WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1
These settings will send all of your outbound calls from your app into your VNet in addition to enabling your app to use Azure DNS private zones. Reference here.
Then you could set up Private Link for Azure SQL Database. You can create an Azure VM from a new subnet in the same VNet to check connectivity using SQL Server Management Studio (SSMS). If you enable the private endpoint, you should get a client private IP from that Azure VM to connect the Azure SQL database with its FQDN.
For more information, you could read private endpoint VS service endpoint in this blog.
I need to configure Azure SQL Database firewall settings so that it can only be accessed by my Azure Function app. The problem is I'm running the app in a consumption plan, and as far as I know, the outbound IP address(es) can change even when I don't take any actions.
Is there a way to whitelist the app so that I protect the database from unwanted connections?
I thought of whitelisting by Azure region since everything is hosted in the same region, but then how do I guard against other apps in the same region? That's why I'm thinking of using specific IP addresses. My only concern with this approach is, I don't know if other function apps can share the same outbound IP addresses as my own.
P.S. Currently, my firewall settings deny public network access and allow Azure services to connect only.
There are several ways to achieve this.
You may want to integrate VNet or get static IP addresses for your Azure Functions
Image from: https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
However, what I've seen from your comments you don't want to go the premium plan.
The last thing I can suggest you implement Managed Service Identity.
The idea behind this, instead of connecting the database with connection string, you connect to the database with the access token that you granted. You can't get the access token if you are not in the same Identity.
This tutorial explains the general idea with App Service:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
and this tutorial pretty much covers what do you really want to achieve.
https://www.azurecorner.com/using-managed-service-identity-in-azure-functions-to-access-azure-sql-database/
Good luck!
I had the same issue but managed identity didn't make much difference.
In the firewall setting for the SQL server there is an option to allow azure resources to access the server. For me this was set to no, but needed to be set to yes.
One thing you can do is assign a managed identity to your function. It will retrieve a token from Azure AD, and it will be used to connect to Azure SQL:
if (accessToken != null) {
string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>;";
SqlConnection conn = new SqlConnection(connectionString);
conn.AccessToken = accessToken;
conn.Open();
}
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
You can do this by assigning a static IP to the function app and whitelist at the SQL Server -INbound Networking side and Deny all requests. However you have to change the consumption plan to Appservice to assign a static IP.
https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses#dedicated-ip-addresses
Also, you can try creating a Vnet peering for those services and block other requests.
I can't find where i got the answer (so not my answer but sharing it here), your Azure Functions have a list of outboundIpAddresses and possibleoutboundIpAddresses that you can add to your Azure SQL firewall rules (mine had about 10).
You can find them by...
Go to https://resources.azure.com
Expand Subscriptions -> [Expand your Subscription] -> Providers -> Microsoft.Web -> Sites
Find your Azure Function Site in the JSON, and locate the outboundIpAddresses and possibleoutboundIpAddresses, these will contain a list of IP addresses.
Add all of them to your SQL server's firewall.
While I'm not positive if these will ever change, so far they haven't for me and the person who originally posted this solution also noted that they haven't run into issues with this.
Virtual networks do not work on Azure the same way as they work on premises
If you create a vnet, add your Azure function in a subnet and in sql server you allow this subnet to access it will unfortunately not work.
If it is ok for you to allow "public access" and/or "azure resources access" then things are simple. You log in with sql credentials and you have access.
If you block public access I am not sure that your resources would be able to access your database, because all your connection go to SQL server from the internet not from your internal network.
Solution that worked for me is
Create a vnet
Create a private endpoint for Sql server in this vnet (custom DNS records were created by the IT-OPS people).
Azure function uses a subnet of this vnet.
Now, you can close public and azure resources access in your database.
All your calls will go through your virtual network (not through the internet anymore) and only applications that use a subnet of this vnet would be able to connect to the database.