I've written a pretty basic SQL Backed VSTO Outlook addin, which will eventually be used by about 20 people in several offices of the company I work for. All will also be working from home periodically.
The tutorials I've followed so far go through adding "your own" IP address to the server firewall rules:
https://learn.microsoft.com/en-gb/azure/sql-database/sql-database-get-started-portal-firewall
As does a similar question I came across during my research for this question:
SQL Azure Firewall Rules on New Portal
This wasn't a problem when it was just me using the app, I followed the tutorial once to add my office IP address, and once to add my home IP address. It would be very awkward though if I had to get everyone to collect their IP addresses and set each of them up on the firewall.
This would be my first application to use remote resources, so I'm unsure of the next steps with the firewall, and so struggling to find a guide. Should I be:
Opening up the firewall to all, but creating a strong password stored within the app
Creating an initialisation step within the app to grant new users access through the firewall
Create some kind of proxy so that all of the SQL requests come from the same IP address.
In the case of (2) creating an initialisation step - azure sql server firewall settings appears to change a firewall rule - wouldn't that mean only one person can connect at once?
The best option would be:
1a. Opening up the firewall to all, but requiring Azure Active Directory Authentication for the users.
You can create a small application that can remotely update an Azure SQL firewall rule with a local PC IP address. For that you will need Microsoft Management Fluent library and Resource Group and Resource Management (Fluent) capabilities for Microsoft Azure. Here you will find a sample application.
You may also need to register the application as an Azure Active Directory application as explained here and assign a corresponding role for it. Then you will be able to create an authorization file for the application as explained here.
subscription=########-####-####-####-############
client=########-####-####-####-############
tenant=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.microsoftonline.com/
graphURL=https\://graph.windows.net/
You can also also provide all users with a PowerShell script that can get authenticated on its own to SQL Azure using an Azure Active Directory authentication token as explained here and then update a firewall rule or create a new one using the following script.
New-AzureRmSqlServerFirewallRule -ResourceGroupName "myResourceGroup"
-ServerName $servername -FirewallRuleName "AllowSome" -StartIpAddress "0.0.0.0" -EndIpAddress "0.0.0.0"
Related
I'm trying to find an answer to the fact that everytime I want to connect an organizations account in the Account settings in VM, I cannot RDP anymore.
During the creation of the VM, I enable the Azure AD join extension.
Does this has to do anything about user log -in conflict.
I log in to the VM with my Admninistrator credentials.
Any idea would be highly recommended.
The VM is Windows 10 OS.
To avoid these issues, you can use Windows 10 Fall Creators update (1709) is a separate app that provide updated version systems current and safer defense-in-depth features that prevent evolving malware and other vulnerabilities from impacting your device,
To connect RDP, you need to add inbound port rule
In azure portal -> virtual machine -> Networking -> Add inbound port rule -> Add
Note : if you are using port 3389 kindly update destination port ranges as 3389 and name as port_3389
If you already added inbound rule and still you are facing issue refer this Microsoft document for more information
I need to configure Azure SQL Database firewall settings so that it can only be accessed by my Azure Function app. The problem is I'm running the app in a consumption plan, and as far as I know, the outbound IP address(es) can change even when I don't take any actions.
Is there a way to whitelist the app so that I protect the database from unwanted connections?
I thought of whitelisting by Azure region since everything is hosted in the same region, but then how do I guard against other apps in the same region? That's why I'm thinking of using specific IP addresses. My only concern with this approach is, I don't know if other function apps can share the same outbound IP addresses as my own.
P.S. Currently, my firewall settings deny public network access and allow Azure services to connect only.
There are several ways to achieve this.
You may want to integrate VNet or get static IP addresses for your Azure Functions
Image from: https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
However, what I've seen from your comments you don't want to go the premium plan.
The last thing I can suggest you implement Managed Service Identity.
The idea behind this, instead of connecting the database with connection string, you connect to the database with the access token that you granted. You can't get the access token if you are not in the same Identity.
This tutorial explains the general idea with App Service:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
and this tutorial pretty much covers what do you really want to achieve.
https://www.azurecorner.com/using-managed-service-identity-in-azure-functions-to-access-azure-sql-database/
Good luck!
I had the same issue but managed identity didn't make much difference.
In the firewall setting for the SQL server there is an option to allow azure resources to access the server. For me this was set to no, but needed to be set to yes.
One thing you can do is assign a managed identity to your function. It will retrieve a token from Azure AD, and it will be used to connect to Azure SQL:
if (accessToken != null) {
string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>;";
SqlConnection conn = new SqlConnection(connectionString);
conn.AccessToken = accessToken;
conn.Open();
}
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
You can do this by assigning a static IP to the function app and whitelist at the SQL Server -INbound Networking side and Deny all requests. However you have to change the consumption plan to Appservice to assign a static IP.
https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses#dedicated-ip-addresses
Also, you can try creating a Vnet peering for those services and block other requests.
I can't find where i got the answer (so not my answer but sharing it here), your Azure Functions have a list of outboundIpAddresses and possibleoutboundIpAddresses that you can add to your Azure SQL firewall rules (mine had about 10).
You can find them by...
Go to https://resources.azure.com
Expand Subscriptions -> [Expand your Subscription] -> Providers -> Microsoft.Web -> Sites
Find your Azure Function Site in the JSON, and locate the outboundIpAddresses and possibleoutboundIpAddresses, these will contain a list of IP addresses.
Add all of them to your SQL server's firewall.
While I'm not positive if these will ever change, so far they haven't for me and the person who originally posted this solution also noted that they haven't run into issues with this.
Virtual networks do not work on Azure the same way as they work on premises
If you create a vnet, add your Azure function in a subnet and in sql server you allow this subnet to access it will unfortunately not work.
If it is ok for you to allow "public access" and/or "azure resources access" then things are simple. You log in with sql credentials and you have access.
If you block public access I am not sure that your resources would be able to access your database, because all your connection go to SQL server from the internet not from your internal network.
Solution that worked for me is
Create a vnet
Create a private endpoint for Sql server in this vnet (custom DNS records were created by the IT-OPS people).
Azure function uses a subnet of this vnet.
Now, you can close public and azure resources access in your database.
All your calls will go through your virtual network (not through the internet anymore) and only applications that use a subnet of this vnet would be able to connect to the database.
I want to have the following setup in Azure.
* Main Traffic manager
- WebAppA (West Europe)
- Nested Endpoint
* WebAppB (West Europe)
WebappA has a custom domain name linked with a CName to the main traffic manager.
Now WebAppB also needs this custom domain name, but I'm not possible to add this.
I receive the message "Hostname is already being used in the following App WebAppA".
What I want to achieve is to have 2 WebApps running in the same datacenter with a Traffic manager on top to have better control control over the setup while doing BlueGreen deployments.
We currently have a setup spread over 2 datacenters, but we experience a lot of latency while hopping to the SQL server in WestEurope from UKSouth?
Is there any setup what can make this work?
I would suggest you to raise a support ticket where MS engineers can force add the Custom Domain if you are able to prove your Domain ownership.
The error which you are getting has nothing to do with the Traffic Manager Nested configuration. Since you have added the Custom Domain to the WebApp A, you are not able to add it to the Web App B due to some validation check.
There are probably two methods.
You could associate the same hostname to multiple web apps regardless of subscription (or even AAD tenant!) using the awverify method of validating domains. That is to create two TXT records for your two web app services.
Hostname — awverify.targethostname.yourdomain.com
Set type = TXT
value = <yourwebappname>.azurewebsites.net
TTL — short. Like seconds or minutes.
You could get more details from this blog: Azure Traffic Manager with Web Apps in different subscriptions.
Another option is to assign the same hostname to Web Apps in different app service plans. Bear in mind that if you're using IP addresses/A records in your DNS, you'd need both web apps to have different IP addresses for the DNS to be able to differentiate between your web apps. Read the details in the the SO answer.
I have an Azure VM that has an NSG which needs to restrict outbound Internet access to only necessary services and applications (start with most restrictive then add rules). The Team Services agent extension also will get installed with an ARM template (which fails to download with the Deny all outbound Internet rule).
Does the weekly change of IP addresses used by VSTS apply for Deployment Groups? There is a similar question for IPs of Hosted Build.
I'm creating the VMs in a VSTS release definition. In the link above, I found an answer posted that you can call the REST API to get the IP address which would be easiest, but when I try this in a browser it looks like this is deprecated. ("Sorry! Our services aren't available right now.") Any other ideas on how I can apply the IPs for the NSG whenever I run the release to create the VMs?
"You can get the IP address of current build agent dynamically and
create a security group dynamically (by using AWS SDK for .NET)
Open build definition > Select Options tab> Check Allow Scripts to
Access OAuth Token Add PowerShell step/task (Arguments: -RestAddress
https://starain.vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress
-Token $(System.AccessToken))."
If I read this right, you want to create a VM using VSTS pipeline and this new VM should host a VSTS Agent that calls back VSTS any time later.
I think there are no solutions. While it would be easy to get a valid IP for a VSTS instance at creation time, you have no guarantee that this IP will be valid for long time. You may be lucky in being able to setup the agent but the link to VSTS may stop any minute.
The question is interesting in itself and can be solved using the Azure PowerShell task. The script will:
resolve the name to the IP address using the Resolve-DnsName cmdlet
add or update the NSG rule using Set-AzureRmNetworkSecurityGroup etc.
That API is unavailable now, you can try to get the IP and update NSG through PowerShell task directly (e.g. $ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip) PowerShell One Liner: Get External/Public IP Address.
On the other hand, you use a private agent: Deploy an agent on Windows
In azure, i created 3 Windows server VM i.e. one for Azure Backup Server (let say BackupServer), one for Active Directory on VM (let say ADServer), and last SQL Server on Windows Server(let say SQLServer) . All three are on same Domain. Now while adding SQLServer to Protection Group in Azure Backup Server Configuration, then it is giving me error as attached in the screenshot.
Tried many links available on the internet but no luck.
Any suggestions?
But is it ok to disable firewalls for security concern?
You are right, disable firewall just for test, we should follow this official article to config firewall settings for DPM.
By the way, Azure VM have NSG to block outside network traffic.