Azure Web app using Azure SQL using Private Endpoints
Ok so this blog post covers deploying an Azure Web App that talks to an Azure SQL Server database which we will then secure access to the database using a VNet and a Private Endpoint.
First we will deploy the web application which talks to Azure SQL, this wont be using a VNet nor a Private Endpoint and is unsecure and open to the internet, then we will tighten it down by adding the VNet and Private endpoint.
What are Azure Private Endpoints?
An Azure Private Endpoint is a network interface that connects your virtual network privately to a service powered by Azure Private Link. This allows you to access Azure services over an Azure Private Link, which is a private endpoint in your virtual network. This means that traffic between your virtual network and the service traverses over the Microsoft Azure backbone network, eliminating exposure from the public internet.
Ok lets get to it.
Step 1
Firstly follow the steps in this Microsoft article which you follow to deploy a web app taking to a local db, and then you can deploy an Azure SQL Database once we deploy to Azure (all steps within the following link)
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-dotnet-sqldatabase
At this point you should have an Azure Resource Group, an Azure App service plan (hosting plan) and an Azure Web Application deployed and working.
Enable If the database has no tables then you need to Enable code migrations, so go to the Tools Menu and then select Nuget Package Manager and then Package Manager Console, in the console enable Code First Migrations by typing Enable-Migrations and then press enter.
Read the section titled Enable Code First Migrations in Azure in the above link of the tutorial from Microsoft, make sure to publish to Azure again after this step.
Step 2
Now we need to VNet integrate this so we will start off by creating a new Azure VNet, I created my VNet with a 10.1.0.0/16 address space and then I created subnets like so:-
webappsSubnet: 10.1.2.0.24
sqlSubnet: 10.1.1.0/24
And then I clicked save.
Now we have a VNet with 2 subnets, lets VNet integrate both the SQL Server and the Web Application.
Step 3
Go to the Web app you deployed to Azure and then select Networking and then choose VNET Integration and select your VNet and then choose the webappsSubnet.
Once you add VNet integration it should look something like the following:-
Step 4
Ok so next do the same for the Azure SQL Server you deployed from the Microsoft guide and VNet integrate your Azure SQL Server.
On the Networking tab of your Azure SQL Server, make sure Public Access is set to Disable like the following:-
Now click on the Private Access tab and select create a Private Endpoint.
Create a Private Endpoint in Azure
In the second screen, make sure to select the correct VNet and choose the sqlSubnet.
So now we have setup a Private Endpoint for Azure SQL and we have waited for a few seconds so that the connection-state is Approved we are all set.
Troubleshooting
At this point your web application should be able to communicate with your backend Azure SQL Server using a Private Endpoint, if you delete the Private Endpoint you will see this:-
You will also see this is you don’t have the database populated, you should see the following if you have enable-migrations and re-published the code.
Connecting to the Database from your local pc
If you want to check that we have tables and data you can use a number of tools to connect to your new Azure SQL Server. I tend to use SQL Server Management Studio because I am old π – but before you can connect we need to change the Azure SQL Server firewall to allow my IP Address to connect to the database. To do this go to the Azure SQL server and then Networking and click on Public Access and fill it in like so:-
Give the Rule Name a decent name so you know who’s IP address you have whitelisted, in case you need to add several.
Note – Don’t tick the Box that says Allow Azure Services and resources to access this server, its not recommended to do this.
Once you connect you should see something like this:-
Summary
To summarise this blog post we initially deploy an Azure App Service with a SQL Server backend Database. Then we VNet integrate the Web App and SQL Server and then we use a Private Endpoint so that the communication from the Web App to Azure SQL traverses over the Microsoft Azure backbone network, eliminating exposure from the public internet.
If you have questions reach out to me here in the comments below or on twitter.
Donβt forget to subscribe to my YouTube Channel.
[…] Azure Web app using Azure SQL using Private Endpoints (Gregor Suttie) […]
[…] AZURE WEB APP USING AZURE SQL USING PRIVATE ENDPOINTS […]