Is there a way to connect from a web app (azure app service) to a SQL Server VM in Azure using Windows authentication? I'm not exactly sure if I need to impersonate or if the app needs to run under the identity that has access to the DB on the SQL Server.
I believe that you can do this - but you will need to share a Active Directory between the two - or have then in a private network together so that they are in the same broadcast subnet.
If you need to use your own Active Directory the create a network and a VPN to your site.
If you don't need to use Active Directory then use SQL Auth.
Looks like it is not possible, although it may be with Azure SQL. But not a VM running MSSQL. Ref links below.
SQL Server Integrated Security from an Azure Web Site
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
Related
I have an Azure App Service which already connects to a on-premises SQL Server database (VNet Integration is configured). I also need to access an on-premises fileshare, which is currently not working (access denied). How can this be achieved?
I already tried to use the SimpleImpersonation package (https://www.nuget.org/packages/SimpleImpersonation/), but this was not working. I'm not sure if this was package to work from an Azure App Service.
Thanks in advance.
We already have an express route configured between azure and our local domain. Local AD is also synced with Azure AD. Azure Function is under a VNet which can access on-premises resources.
The problem is when Azure Function tries to access on-premises SQL using Windows Authentication, it gets the error "Logon Failed" (which proves that the server is accessible but the user doesn't have permission). Event Log shows DWASSVC as the account trying to access DB.
Is there a way we can change the context of Azure Function to run under a specific user which has access to on-Premises SQL DB and any call from Azure Function is generated under that account?
Windows Authentication is not possible on Azure App service platform ( Azure web app, Azure Function).
To access on-prem SQL server, you can use Hybrid connection manager
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Or Put Azure Function in VNET ( ASE) and then make site to site connection.
we have configured azure active directory pass-through authentication . Need to access on premise resources from the azure deployed application. can we do this by configuring application proxy?. so that on premise application authenticated with azure AD. so the communication between azure application and on premise application be seamless. Is it possible?
I'm not entirely sure if I understand you correctly but what you want is probably possible by using Azure Hybrid Connections: https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
You install the Hybrid Connector on-prem, e.g. on a VM, and then for instance an Azure App Service can access certain resources on-prem.
Or for anything more advanced you might want to look at Azure VPN (or ExpressRoute in the long run).
For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.
For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?
or I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual network friendly so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
Some of the ways to secure the connection to the sql database that could be considered in this case are -
As you mentioned you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the sql server level and the database level(we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way(even if we were not using azure db) we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure db provides is the Threat Detection Capability. If you turned that on we would be notified of the possible vulnerabilities of the current db/server setup. And also where can we make improvements to fix those issues.
Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
In short yes.
You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.
I azure we can create Hybrid connection to local sql server from Web Sites and Mobile Service. But I need to create Hybrid service to My Local SQL server from VM or cloud service. Is there anyway to achieve this one?
You can, actually.
The tool is called the Microsoft Azure Hybrid Connection Client
This runs as a service on your VM, and you add Hybrid Connections to it.
(That is, it = the VM that needs to talk to the on-prem asset.)
When a connection is added, a HOSTS file entry is made for the particular dns name and is routed through Azure to your on-prem Hybrid Connection Manager.
The Connection String you add will be the 'Application' one(s), which you will find in the old portal
According to Microsoft Hybrid connection will support only for WebSite and Mobile Web Services.
So I couldn't directly achieve my requirement. But alternative way is, implement the WCF service which can be hosted as WebSite.Now you can hosted your SQL database locally and create hybrid connection to the database from WCF service.Then you can call your WCF service from VM or cloud service.
Thanks,
Erandika