We are developing a web API with Azure SQL for data persisting that is completely hosted on Azure. We need to push some data from on premise to Azure SQL. Our info-security team is not ready to open the port 1433 to provide outbound connectivity. What is the best approach to connect to Azure SQL from onprem securely. I did some research and found several ways to connect to on prem from Azure, but I need a secure connection to Azure Sql from on premise.
The Azure SQL Database service is only available through TCP port 1433. So you have to open the port 1433 to provide outbound connectivity.
To help secure your on-premises network environment, it’s a best practice to configure your on-premises firewall and allow outbound connections on port 1433 only to your target SQL DB IP addresses listed here. Read more explanation here.
Moreover, Azure SQL Database forces all client connections to be encrypted. You could get more details from an overview of Azure SQL Database security capabilities.
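As an added example, not part of the answer above and not Microsoft's own code: a small checker for an ADO.NET/SqlClient-style connection string that tests it against the two constraints the answer states, that Azure SQL Database listens only on TCP 1433 and that connections are encrypted, so the client should request TLS and validate the server certificate rather than trust it blindly. The keyword names are the standard SqlClient keywords; the two sample connection strings are constructed.

```python
"""Added example (not from the answer above or from Microsoft): check an
ADO.NET/SqlClient-style connection string for Azure SQL Database against the
constraints described on this page: the service listens only on TCP 1433 and
all connections are encrypted, so the client should request TLS and validate
the server certificate. Keyword names are the standard SqlClient keywords;
the sample strings are constructed."""

# Constructed sample connection strings.
GOOD_EXAMPLE = ("Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;"
                "Authentication=Active Directory Interactive;Encrypt=True;"
                "TrustServerCertificate=False;")
BAD_EXAMPLE = ("Server=tcp:myserver.database.windows.net,1434;Database=mydb;"
               "User ID=appuser;Password=hunter2;Encrypt=False;"
               "TrustServerCertificate=True;")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for segment in cs.split(";"):
        if "=" not in segment:
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def server_host_and_port(server: str) -> tuple:
    """'tcp:host,port' -> ('host', 'port'); port is '' when omitted (default 1433)."""
    host_port = server.split(":", 1)[-1]  # drop the optional 'tcp:' protocol prefix
    host, _, port = host_port.partition(",")
    return host.strip(), port.strip()


def check_azure_sql_connection_string(cs: str) -> list:
    """Return a list of findings; an empty list means the string has the
    expected secure shape for Azure SQL Database."""
    p = parse_connection_string(cs)
    findings = []
    host, port = server_host_and_port(p.get("server") or p.get("data source", ""))
    if "database.windows.net" not in host:
        findings.append(f"server '{host}' is not an Azure SQL Database endpoint")
    if port and port != "1433":
        findings.append(f"port {port} cannot work: Azure SQL Database listens only on 1433")
    if p.get("encrypt", "").lower() not in ("true", "yes", "mandatory", "strict"):
        findings.append("Encrypt is not explicitly enabled; set Encrypt=True so the client requests TLS")
    if p.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True disables server certificate validation")
    if "password" in p or "pwd" in p:
        findings.append("password embedded in the connection string; prefer Azure AD auth or a secret store")
    return findings


if __name__ == "__main__":
    for label, cs in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(label, check_azure_sql_connection_string(cs) or "no findings")
```

Run it as a script to see the findings for both samples; in a deployment pipeline the check belongs wherever the connection string is assembled, before it is written to configuration.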
I have the following scenario:
SQL database on a SQL Server on premise (source)
SQL database on Azure (target)
I access my network through a VPN (F5 - Big IP Edge Client)
I created and configured an Azure VPN Gateway to connect to the VPN. With this configuration and the use of Azure Data Factory, it is possible to see my on-premise database and read the data.
I want to restrict access to the Azure SQL database only to clients from my on-premise network (or connected to the VPN). When I try to set the firewall IP rules, Azure only allows registering public IP addresses and does not recognize IPs from my on-premise network.
Questions
1) Is it possible to set access to only clients from inside my private network? How can I get this?
2) Is there another, better option to get this secure connection?
Regards
SQL Azure maintains a firewall for the SQL Azure servers, preventing anyone from connecting to your server if you do not give their IP address permissions. Permissions are granted by client IP address. Any user’s desktop application that connected to SQL Azure would need to have the SQL Azure firewall open for them in order to connect. The client IP would be the IP address of the desktop machine as seen by the Internet.
Any desktop computer can access SQL Azure as long as it has Internet access, and port 1433 open for outbound connections.
If you're trying to connect from within a corporate network, you can add the user machine's public IP or the VPN endpoint IP if all users connect through it. Further, to allow access from specific on-premises machines, firewall rules can be used to limit connectivity only to your public (NAT) IPs.
A more secure option: you can set up server-level firewall rules (server-level IP firewall rules apply to all databases within the same server) and set up database firewall rules (database-level firewall rules only apply to individual databases, can be configured using Transact-SQL statements, and only after you've configured a server-level firewall rule).
Create server-level and database-level firewall rules
Configure an Azure Active Directory (AD) administrator
Manage user access with SQL authentication, Azure AD authentication, and secure connection strings
Enable security features, such as Azure Defender for SQL, auditing, data masking, and encryption
Refer: Create firewall rules & Configure your client computers
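As an added example, not part of the answer above and not Microsoft's code: a script that turns your corporate NAT egress ranges into the server-level or database-level firewall rules the answer describes, and audits an existing rule set for rules that are broader than a NAT egress should be. `sp_set_firewall_rule` (run in the master database) and `sp_set_database_firewall_rule` (run in the target database) are the real Azure SQL T-SQL procedures; the CIDRs and rule names are constructed placeholders. It also rejects RFC 1918 ranges, which is exactly why the question's on-premise LAN addresses could not be registered: Azure only ever sees the public NAT address.

```python
"""Added example (not from the answer above or from Microsoft): build Azure
SQL Database firewall rules from corporate NAT egress ranges and audit an
existing rule set for over-broad rules. sp_set_firewall_rule (run in master)
and sp_set_database_firewall_rule (run in the target database) are the real
Azure SQL procedures; the CIDRs and rule names are constructed placeholders."""
import ipaddress

# Widest range accepted for a single rule: a /24, i.e. 256 addresses.
MAX_RULE_ADDRESSES = 256

# Azure only ever sees your NAT address, so RFC 1918 LAN ranges can never match.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_to_rule(name: str, cidr: str) -> dict:
    """Turn a CIDR block into a start/end rule, rejecting private or too-wide ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("Azure SQL firewall rules are IPv4 ranges")
    if any(net.overlaps(p) for p in RFC1918):
        raise ValueError(f"{cidr} is a private LAN range; use the public NAT address Azure sees")
    if net.num_addresses > MAX_RULE_ADDRESSES:
        raise ValueError(f"{cidr} spans {net.num_addresses} addresses; narrow it to the actual egress IPs")
    return {"name": name, "start": str(net[0]), "end": str(net[-1])}


def render_tsql(rules, database_level=False) -> str:
    """Emit one EXECUTE per rule; server-level by default, database-level on request."""
    proc = "sp_set_database_firewall_rule" if database_level else "sp_set_firewall_rule"
    return "\n".join(
        f"EXECUTE {proc} @name = N'{r['name']}', "
        f"@start_ip_address = '{r['start']}', @end_ip_address = '{r['end']}';"
        for r in rules
    )


def audit_rules(existing) -> list:
    """Flag rules given as (name, start, end) that expose more than a NAT egress range."""
    findings = []
    for name, start, end in existing:
        if start == end == "0.0.0.0":
            # 0.0.0.0-0.0.0.0 is the 'Allow Azure services and resources to access
            # this server' rule: it admits traffic from any Azure subscription.
            findings.append(f"{name}: 0.0.0.0-0.0.0.0 allows all Azure services from any subscription")
            continue
        span = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
        if span > MAX_RULE_ADDRESSES:
            findings.append(f"{name}: {start}-{end} spans {span} addresses")
    return findings


if __name__ == "__main__":
    # Constructed egress ranges for two office sites.
    rules = [cidr_to_rule("corp-nat-hq", "203.0.113.0/28"),
             cidr_to_rule("corp-nat-dr", "198.51.100.16/32")]
    print(render_tsql(rules))
    print(audit_rules([("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
                       ("temp-open", "0.0.0.0", "255.255.255.255")]))
```

The rendered statements are meant to be reviewed and then executed from SSMS or `sqlcmd` against the server; the audit function can be fed the output of `SELECT name, start_ip_address, end_ip_address FROM sys.firewall_rules` to catch rules that were opened "temporarily" and never closed.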
MS suggests these ways to allow Power BI Desktop to access an Azure DB
a) opening inbound connections of all Azure IP ranges to Azure SQL
b) opening inbound connections to certain IPs
c) use an Enterprise Gateway, even if you are in Azure and not on-premise.
Concerns: is this as secure as a real VPN? Meaning no data can be sent to the DB Server port?
d) Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
e) is the Azure Application Proxy a solution?
What is the best security praxis?
a) and b) worry me, because of a huge unknown Azure user group that does not need to have access, and because the DB would not be protected against IP spoofing.
For c),d),e) I did not find a clear quote from MS about the security risk.
Thank you for clarifying and commenting on my concerns.
From Power BI Desktop, option b) opening inbound connections to certain IPs, is the typical approach. There's typically a small, and fixed set of public IPs that your organization uses for outbound traffic, and these can be added to the Azure SQL Server's Firewall.
IP Spoofing is a non-issue, as Azure will never route return packets to the spoofer, even if they somehow got all the way to the SQL Server.
c) use an Enterprise Gateway. Concerns: is this as secure as a real VPN? Meaning no data can be sent to the DB Server port?
Yes. The Power BI Gateway server runs on a private Azure VNet, and the SQL Server's firewall is configured to allow connections from this VNet. But Power BI Desktop can't connect directly using a Gateway. It's only a solution for connecting from Power BI Service to your data source. So if you publish a shared Data Set, you can connect using Power BI desktop to that. But you can't connect directly from Power BI Desktop to Azure SQL Database via the gateway. So you still need a firewall rule for the users designing the Power BI Data Sets (models) in Power BI Desktop.
Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
No. This is not an HTTP connection, so there's no reverse proxy. Although you can configure your Azure SQL Database to allow Azure Active Directory accounts, and then use your conditional access policies to force MFA. These are built-in to Azure SQL Database and Azure Active Directory, and are a layer of security after the firewall.
2021 Edit
Azure SQL Database now supports Private Link which enables Azure SQL Database to listen on an IP address on a private network in Azure. This network can be routed to your Power BI Desktop users using Site-to-Site VPN or ExpressRoute, or developers can deploy a Point-to-Site VPN to enable a single desktop to communicate directly with the target private network.
Please advise whether we can access an on-premises MS SQL Server database from an Azure Web App behind an ASE.
My understanding is that we just need to get the SQL port opened on the firewall for connectivity from the ASE subnet to the on-premises subnet.
You could but there are other ways like Hybrid connections:
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It is simply providing network access.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
The other choice is VPN or ExpressRoute.
https://learn.microsoft.com/en-us/azure/app-service/environment/network-info
Is it possible to change the port that the Azure server uses? I currently only see the ability to add IP addresses that can be used to access the server. Or is it required that firewalls allow port 1433 outbound traffic?
Assuming you're referring to SQL Database Service and its associated firewall, no: You may only add IP addresses to the firewall, for access.
There is no ability to change the port that the service listens on. You'll need to allow for outbound traffic on port 1433, if you want to access the database remotely.
Also, just FYI - port 1433 is the standard SQL Server port.
Note: The inability to change the listening port is strictly for the SQL Database service. This restriction doesn't exist for SQL Server running in a VM, since you have total control of inbound ports and related port-mapping via network security groups.
A year+ later a lot has changed with Azure. There are a ton of offerings to help "bypass" internal firewalls for port 1433 and integrating with the services in Azure.
Azure is attempting to help developers with synchronous hybrid connectivity to on-premise data sources, or vice versa. My personal opinion would be for you to use the On-Premises Data Gateway. Here are a few options to help with the port 1433 constraints:
WCF Relay
Service Bus has offered relays almost from the beginning of Azure.
Built on the WCF capability. Security was originally ACS, but is now SAS.
Can be consumed by lots of different tech, e.g. BizTalk, SOAP, REST, CRM Online, and is very reusable.
Hybrid Connections
Built on Web Sockets so not confined to Windows. API accessible for other scenarios.
Azure Virtual Network
Point-to-site virtual private network (VPN):
Established between a single PC connected to your network and the VNet.
Uses the SSTP protocol to provide encrypted communication over the Internet between the PC and the VNet. The latency for a point-to-site VPN is less predictable, since the traffic traverses the Internet.
Site-to-site VPN:
Established between your VPN device and an Azure VPN Gateway.
Connection is an IPSec/IKE VPN that provides encrypted communication over the Internet between your on-premises device and the Azure VPN gateway.
The latency for a site-to-site connection is less predictable, since the traffic traverses the Internet.
Azure ExpressRoute:
Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not traverse the Internet.
On-Premises Data Gateway
Acts as a bridge between Azure PaaS and on-prem resources. Works with connectors for Logic Apps, Power Apps, Flow & Power BI.
When you connect to an Azure SQL database, it connects through port 1433 by default and you can't change it.
You have to enable an outbound rule to allow traffic for SSMS to connect to Azure.
Is it possible to connect a Microsoft Azure Web Site to a SQL Server database hosted on-premises and, if so, what are the steps that I need to follow?
Let any request coming from your Azure Web Site IP and targeting TCP port 1433 through your firewall. Then change your connectionString on your Azure Web Site to point to the public gateway used on premise.
As #qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).