For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.
For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?
or I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual network friendly so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
Some of the ways to secure the connection to the sql database that could be considered in this case are -
As you mentioned you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the sql server level and the database level(we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way(even if we were not using azure db) we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure db provides is the Threat Detection Capability. If you turned that on we would be notified of the possible vulnerabilities of the current db/server setup. And also where can we make improvements to fix those issues.
Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
In short yes.
You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.
Related
When connecting a .net application to a local database we have always used a trusted connection connection string.
We are porting our platform over to Azure with:
Apps on Virtual Machines
Azure Domain Services
Sql Managed Instance
We have multiple Apps each run as a specific domain user and use trusted connection to the corresponding database on SQL Managed instance.
Attempting to use trusted connection from a domain joined virtual machine however (for example via SSMS results in the erro 'Azure Active Directory - Integrated' gives the error:
'Integrated Windows authentication supported only in federation flow.'
Looking at the Microsoft documentation it suggests it is possible to have trusted connections to SQL Managed Instance with 'seamless single sign-on' however the documentation only talks about an on premise domain connecting to Azure Active Directory.
Can anyone steer me in the right direction? are trusted connections possible in this setup? If not what is 'best practice' around connection strings to a SQL Managed Instance?
Thanks in advance
The best practice for Azure-native applications is to use Managed Identities to connect to Managed Instance. See eg: Connecting from your application to resources without handling credentials
Each Azure Virtual Machine, App Service App, Function App, etc can be provisioned with an AAD identity. Code running then can generate access tokens for resources (like Managed Instance) without ever touching a password or client secret.
Several Authentication strategies have been added to the SQL Client libraries to facilitate this. Or you can use Azure.Identity, or the local managed identity token endpoint library to fetch your own access token, and leverage that in the SQL Server client.
An alternative for lift-and-shift apps is to use Domain-joined VMs and use Windows Authentication for Managed Instance. This lets you continue to use traditional "Trusted Connection=true" from your VMs running in Azure to Managed Instance.
I have the "Allow Azure Services to access this server" option turned on for my Azure Database. The reason for me having turned it on is because I have a Function App that accesses the database to do inserts etc.
My question is, is having this option turned on a security issue at all? If it is, what is the best practice method to keep my database secure while still being able to access it myself through my Function App.
Assuming you are connecting to your SQL databases using username/password combination, there's always a security risk in case your username/password are leaked.
A better approach would be to use Managed Identity. What you will do is assign an identity to your Function app and then allow that identity to connect to your database. That way only your Function App will be able to connect to your database. You would still need to keep "Allow Azure Services to access this server" option turned on though.
Please see this link on connecting an Azure WebApp to a SQL Database using Managed Identity: https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cef%2Cdotnet
I am searching for a solution to expose an Azure SQL DB table over the Azure API Management and then allow a Kubernetes hosted app to talk with the Azure SQL DB over this API. What would be the less time consuming approach for building this API to expose the table?
I have found doc for couple of solution, but coming from the BigData world, I couldn't figure it out which is worth to invest the time and to build it. Any suggestion where should I take a closer look?
For example this one: https://www.youtube.com/watch?v=U6SlmoXWf3o
What is the configuration of your Azure SQL server. By default the networking configuration of the server is always "Allow all".
This setting can be found at Firewalls and virtual networks.
When Deny public network access is set to Yes, only connections via private endpoints are allowed. When this setting is No (default), customers can connect by using either public endpoints (with IP-based firewall rules or with virtual-network-based firewall rules) or private endpoints (by using Azure Private Link)
I have a large SQL server hosted in our infrastructure, and an Azure resource set up with VPN access to our servers.
I want to create an Azure Function that connects to this SQL server. It's going to be a webhook endpoint to save to that DB. I don't need the overhead of an App Service Plan, I want the lightweight Function and the cheaper consumption pricing model.
All the tutorials online refer to App Services and Hybrid Connections that don't appear to be available in to Azure Functions on Consumption Plans.
I also want to keep the connection string configuration in Azure, and not hard-coded in the source or publish (which will ultimately be via CI).
The Azure Function is currently coded in C# in VS2019, but I can change that if it helps.
How do I set this up?
This option is not available on consumption plan. There is a already user voice open for this.
https://feedback.azure.com/forums/355860-azure-functions/suggestions/33398398-add-support-for-hybrid-connections-to-consumption
Yes it is possible. You would need to use something like Hybrid Connection. Does not matter which IDE you used to create the function.Check out the following link.
The Hybrid Connections feature requires a relay agent in the network
that hosts your Hybrid Connection endpoint. That relay agent is called
the Hybrid Connection Manager (HCM). To download HCM, from your app in
the Azure portal, select Networking > Configure your Hybrid Connection
endpoints.
Azure App Service Hybrid Connections
Is there a way to connect from a web app (azure app service) to a SQL Server VM in Azure using Windows authentication? I'm not exactly sure if I need to impersonate or if the app needs to run under the identity that has access to the DB on the SQL Server.
I believe that you can do this - but you will need to share a Active Directory between the two - or have then in a private network together so that they are in the same broadcast subnet.
If you need to use your own Active Directory the create a network and a VPN to your site.
If you don't need to use Active Directory then use SQL Auth.
Looks like it is not possible, although it may be with Azure SQL. But not a VM running MSSQL. Ref links below.
SQL Server Integrated Security from an Azure Web Site
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/