Configure Azure SQL Database Firewall for just my Web App

5
votes

We use Azure Web Apps with Azure SQL and would like to make this setup more secure by configuring the database firewall to only allow connection from the specific web apps rather than any service in Azure. How can I limit connections to just my Azure services?

4
azureazure-sql-databasefirewallazure-web-app-service
Not sure if this applies: blogs.msdn.com/b/benjaminperkins/archive/2014/05/05/…. If you can get a static IP address for the webapp, then you should be able to configure the firewall for that specific IP address.Brendan Green

4 Answers

6
votes

Assuming that you have an ip address (hosting plan needs to be shared, basic or standard)**:

a) Navigate to SQL Databases >> Servers Tab >> Select the server hosting your database >> Configure Tab

b) Alternatively select your database >> Manage Allowed Ip Address (Right side Quick Glance bar)

  • Add your website ip to the list of allowed ip addresses
  • Change Windows Azure Services to "No" on "Allowed Services"

**You can view your ip address clicking Manage Domains on the Website Dashboard bottom bar.

5
votes

There are 4 outbound IP addresses for a Web App which you can look up on the Properties tab for the Web App in the management portal.

You need to add these outbound IP addresses to the Firewall rules.

0
votes

To get all possible outbound IP-addresses for your web app you can get them also via Azure CLI or Azure PowerShell, as described in this article.

Azure CLI:

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv

Azure PowerShell:

(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).PossibleOutboundIpAddresses
0
votes

Rather than use IP, you can use private endpoints via VNET integration LINK