We're having some issues with Azure Sql Databases, and their host name from sp_who reports back something like 'RD000xxxxxxx' for the hostname.
How can you determine the app service that is connecting to the database from this hostname?
RD000* is the VM hostname if not set explicitly. If you have the access to your deployments, you may be able to check it using APIs (or in case of VM RDP for example). If you suspect that it is not from your deployment, then, i strongly suspect, there is no way to detect who is it (perhaps, technical support may, but i doubt). With some possibility, it will change as well.
I've found it, but not through the management api or the portals.
https://[your-app-name].scm.azurewebsites.net/Env
It's under Machine Name.
Related
I am new to Cloud and looking to cut down cost on Azure. I already have a database on the hostinger platform and would like to use it for the python script that I want to run on the Azure Logic Apps platform. Is it possible to do this or does Azure prevent any such connections? Do I need to create any connector on Azure for this purpose? I have no idea of running python script on Azure. If this is possible then it can be a great cost cutting measure for me.
One of the workarounds is you can try using Remote MySQL from the Databases of the Hostinger platform.
Type the IP address of your remote server in the IP (IPv4 or IPv6) area on the Remote MySQL page, or check the Any Host box to connect from any IP.
Then choose the database you wish to access from afar. Click Create when you're finished.
Make sure that a MySQL user must use their MySQL server hostname for remote connections - the hostname may be found at the top of the same page.
You may now use the same connection to make your own logic app connector and utilize the same connector for additional database manipulations.
would like to use it for the python script that I want to run on the Azure Logic Apps platform.
Depending on your requirements, you may utilize a variety of connectors for this. For example following the custom connector that you are using to retrieve the database from your hostinger, you can use azure functions in order to while coding with python.
For more information, you can refer to this example.
REFERENCES:
How to Allow Remote Connections to MySQL Database (hostinger.in)
I am creating a WebService with C# Core 3.0 that is using MySQL and Redis, but I am not so familiar with Azure so I need advice about configuring everything.
I had MySQL hosted on AWS, but I am transferring it to Azure because I think that performance (speed) will be better on Azure because they will be on same data center. Right?
But, on my MySQL page Host is like '*.mysql.database.azure.com'. That means that every connection will go out of Azure, and than come back? I don't have some local IP for connection? Same question for Redis.
Do I need to configure some local network on Azure and will that impact speed on the app? And, is MySQL a good choice for Azure or should I try with another one?
I am just reading about Azure Virtual Networks. But as I understand it, VN's sole purpose is to isolate elements from the outside network?
You will get better performance if your my-sql instance and your app service are in the same region (basically the same data centre).
The connection string is mysql.database.azure.com, but remember the connection will be a TCP/IP connection, so the DNS lookup will realise that this address mysql.database.azure.com is in the same region (same data center). Then the TCP/IP connection will go to an internal IP.
You could use tcpping in your app service's kudo console to try this and see the result.
The basic rule is that you should group your app and database in the same region for better performance and cheaper cost (as Microsoft doesn't charge traffic within the same region).
Azure Virtual network is for a different purpose. For example, if you have some on premise database servers and you want to call these servers from azure, then VM could be helpful. But for the scenario you described, it is not really needed.
The company I work for has Microsoft azure support included, and if you or your company have support contract with them, you can raise questions directly to them and get really quick responses.
For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.
For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?
or I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual network friendly so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
Some of the ways to secure the connection to the sql database that could be considered in this case are -
As you mentioned you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the sql server level and the database level(we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way(even if we were not using azure db) we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure db provides is the Threat Detection Capability. If you turned that on we would be notified of the possible vulnerabilities of the current db/server setup. And also where can we make improvements to fix those issues.
Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
In short yes.
You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.
I am new to Azure and just trying to get my head around some things.
I have a web app running locally that now connects to a windows azure SQL database. I want to move my local web app into an azure web role. I have two questions:
Do I need to change my connection string or does it just work?
I am assuming windows azure is smart enough to now know that they are both hosted on azure so each request no longer needs to go over the internet?
Cheers
Do I need to change my connection string or does it just work?
No, this is still that same connection string.
I am assuming windows azure is smart enough to now know that they are both hosted on azure so each request no longer needs to go over the internet?
You're both web site and SQL Azure database will be in Azure data center. It depends in which region your web site and database will be. If they are in the same region you'll have low latencies because it will be in the same data center, however if they are in two different regions, then at one point it has to go through connections between data centers called backbones. Even if those are special very fast connections you'll notice higher latencies.
http://www.azurespeed.com/ web site allows you to check what are the latencies between Azure data centers. This gives you a kind of idea.
Answer 1 : Since you are already connecting to SQL azure from local,
you don't need to change the connection string.
Answer 2: If both your Web Role, and SQL azure are in same Geo
Location (say SoutCentral US) then there will not be much internet
traffic, but it will use azure's network to communicate.
I have a azure cloud service (a server) where i host a Redis database. I also have a web site hosted in azure web sites. I want the web site to be able to talk to the Redis DB on port 6379. I know I can configure a public endpoint for that port on my server but that would open it for whole Internet. I want it opened only for azure web sites (or even better, only for my web site). How can i do this?
Windows Azure Web Sites is in an isolation bubble separate from your Cloud Services and there's no way to bridge that gap. Ideally you'd do this by connecting the web site machine to other Azure services via a Virtual Network, but this FAQ confirms you can't do that right now:
Can I use Windows Azure websites with Virtual Network?
No. We do not support websites with virtual networks.
Opening Redis up over the internet shouldn't even be considered as it doesn't have the kind of security you'd want out of the box to be opening up its port publicly as it is meant to be co-located with your application, so you really wouldn't want to do that. Never mind the added network overhead which will eat into the performance you expect to get by leveraging something like Redis anyway.
I believe your best bet given your current configuration is to add a Web Role that's part of the same Azure Cloud Service and run your web based application out of that so that it can communicate with worker role. It only requires a little bit of configuration to get this going (i.e. adding an InternalEndpoint to the Redis Worker Role). While I realize Web Roles don't offer as frictionless a development model as Web Sites, you have to choose the right tool for the job.
Another option, if you want to setup your Redis on a VM instead of tying it to the Cloud Service directly, is that you can setup a Virtual Network, put the Redis VM on the virtual network and then configure the Cloud Service so that it's part of the same affinity group and add the NetworkConfiguration/VirtualNetworkSite configuration section to the Cloud Service's .cscfg.
Which approach makes more sense all depends on how you leverage your Redis instance, but the main benefit of the latter approach is that the Redis instance is not recreated each time you deploy your Cloud Service and, so, any data that's in it will stay available between deployments. Another benefit is if you want to build and leverage a Redis cluster across multiple Cloud Services this enables you to do that.