Accessing On-Premises database from Azure Web App - azure

Please suggest if we can access on-premises MS SQL Server Database from Azure Web App behind ASE.
My understanding is that we just need to get sql port opened on firewall for connectivity from ASE subnet to on-premises subnet.

You could but there are other ways like Hybrid connections:
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It is simply providing network access.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Other choice is VPN or Expressroute
https://learn.microsoft.com/en-us/azure/app-service/environment/network-info

Related

What are some Architecture design consideration while choosing Azure HCM over Azure VPN S2S connection for application hosted on Azure App Service?

I am trying to deploy Hybrid Application on Azure. My Application will be hosted on Azure Cloud App Service and Database will be on company's private DC. I have some question on optimal architecture or optimum architecture solution on Azure in this scenario. I have an option to use VPN S2S connection or Azure Application Service Hybrid Connection Manager (HCM).
Since they both establish connection over public Internet they both will suffer from multiple hops connections and probably no SLA guarantees.
So what are the design consideration while choosing one over other and when would I choose Hybrid Connection manager (HCM) over VPN Site-to-site (S2S) when establishing hybrid connectivity from Azure hosed Application (PaaS) with the on-premise DB? Which one is faster?
As far as I know, in the case of connection from your app service to the on-premise database, the HCM features with app service is more easier deployed and without gateway needed than Azure app service over Site-to-site (S2S) connection. It's enough to use it for connecting resources in remote network. It's secure to makes outbound calls to Azure over port 443.
Each Hybrid Connection correlates to a single TCP host and port combination. It simply provides network access. See App Service Hybrid Connection benefits and Things you cannot do with Hybrid Connections
However, If you're using azure app service with virtual network and VPN connection, it makes a private connection from your web app service to your database and have more control of your network security rules. Also, there is preview feature to use Private Endpoints for Azure Web App.
You can use Private Endpoint for your Azure Web App to allow clients
located in your private network to securely access the app over
Private Link. The Private Endpoint uses an IP address from your Azure
VNet address space. Network traffic between a client on your private
network and the Web App traverses over the VNet and a Private Link on
the Microsoft backbone network, eliminating exposure from the public
Internet.

How to add multiple web apps into a single network so that vnet connected to one web app get accessed to other web apps as well

Purpose:
I am cracking an implementation done in Azure 2 years by my former coworker. I am not sure how I can make 3 different web apps use 3 unique DNS servers.
What do I need to achieve:
I have a virtual network in Azure which I have given DNS server as custom (I have added IP in VM DNS settings). I also have got 3 web apps under the same app server. Now I have connected VNet to web-app-1 via Networking settings.
I also need to link web-app-2 and web-app-3 to Vnet.
What I need to achieve:
Is it possible to make web-app-2 and web-app-3 access Vnet without adding that VNet to these web apps directly? Is there any way to make web-app-2 and web-app-3 to link with web-app-1 which is already connected to Vnet? Or is it only possible with connecting vnet to all web-apps via networking?
You can connect app 2 & 3 (or all apps) via hybrid connection to a VM on a vNET(or on-prem network) . That way the apps have access to resources on the same network as the VM since the VM becomes a proxy.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port.

Changing Azure database port

Is it possible to change the port that the azure server uses? I currently only see the ability to add IP addresses that can be used to access the server. Or is it required that firewalls allow port 1433 outbound traffic?
Assuming you're referring to SQL Database Service and its associated firewall, no: You may only add IP addresses to the firewall, for access.
There is no ability to change the port that the service listens on. You'll need to allow for outbound traffic on port 1433, if you want to access the database remotely.
Also, just FYI - port 1433 is the standard SQL Server port.
Note: The inability to change the listening port is strictly for the SQL Database service. This restriction doesn't exist for SQL Server running in a VM, since you have total control of inbound ports and related port-mapping via network security groups.
A year+ later a lot has changed with Azure. There are a ton of offerings to help "bypass" internal firewalls for port 1433 and integrating with the services in Azure.
Azure is attempting to help developers with Synchronous Hybrid Connectivity to on premise datasources or visa versa. My personal opinion would be for you to use On-Premises Data Gateway. Here are a few options to help with the port 1433 constants:
WCF Relay
Service Bus offered relays almost from the beginning of Azure
Built on the WCF capability. Security was originally ACS, but now SAS
can be consumed by lots of different tech, eg biztalk, soap, rest, crm online and is very reusable
Hybrid Connections
Built on Web Sockets so not confined to Windows. API accessible for other scenarios.
Azure Virtual Network
Point-to-site virtual private network (VPN):
Established between a single PC connected to your network and the VNet.
Uses the SSTP protocol to provide encrypted communication over the Internet between the PC and the VNet. The latency for a point-to-site VPN is less predictable, since the traffic traverses the Internet.
Site-to-site VPN:
Established between your VPN device and an Azure VPN Gateway.
Connection is an IPSec/IKE VPN that provides encrypted communication over the Internet between your on-premises device and the Azure VPN gateway.
The latency for a site-to-site connection is less predictable, since the traffic traverses the Internet.
Azure ExpressRoute:
Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not traverse the Internet.
On-Premises Data Gateway
Acts as a bridge between Azure PaaS and on-prem resources. Works with connectors for Logic Apps, Power Apps, Flow & Power BI:
When you connect to SQL azure database,it connects through port 1433 by default and you can't change it..
You have to enable outbound rule to allow traffic for SSMS to connect with Azure

What ip address do you use to connect to a VM from a Web App through point-to-site VNET Integration?

I have a .Net Web API deployed as a Web App and am trying to connect it to a MySQL db on a VM in a virtual network, but it's responding with a 500 internal server error.
My VNET just consists of one VM with no DNS or site-to-site configuration.
The preview portal says VNET Integration is connected, my certificates are in sync and the gateway is online.
I gave my VM a static IP address which I'm using in my web.config connection string, thinking requests would be routed through the gateway to the VM, but according to my general mysql log their aren't any connection attempts to the mysql server.
The address I gave my VM is within the range of addresses being routed to the VNET, and I setup an endpoint on the VM for the port I'm trying to connect to mysql on with an access rule that allows all connections, so I'm not sure why the connection doesn't appear to be getting through the gateway to my VM.
You may check this link which provides instructions on how to connect Azure App Service - Web App with Azure Virtual Network, so that it can use resources visible within network itself:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/
App Service supports three ways to connect to VNETs.
ASE - (App Service Environment) is a dedicated Cloud Service that includes all the needed pieces for App Service and as such can be joined to a VNET. A good starting point on ASE is this blog (https://azure.microsoft.com/en-us/blog/introducing-app-service-environment/).
Hybrid Connections - an agent based way to punch an application specific "wormhole" through network boundaries (https://azure.microsoft.com/en-us/documentation/articles/integration-hybrid-connection-overview/)
Virtual Networks - a way to "dial up" from an App Service App into an network (https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/)

how to connect Microsoft Azure to on-premises sql database

Is it possible to connect a Microsoft Azure Web Site to a SQL Server Database hosted on-premises and, if so, what the steps that I need to follow?
Let any request in coming from you Azure Web Site IP and targeting TCP port 1433 through your firewall . Then change your connectionString on your Azure Web Site to point to the public gateway used on premsie.
As #qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).

Resources