2 votes

I have a Web App (Azure App Service) and I have an Azure SQL Database that this Web App talks to. I have two questions regarding communication between the two.

  1. When connecting from the Web App to the Database (using the connection string), does the communication go out to the internet and then back into Azure or does Azure know to keep the traffic locally in Azure?

  2. I have been looking into V-Net Service Endpoints as a possible way to improve the speed of communication between the two. It is said that when connecting from a VM on a V-Net with Service Endpoints enabled to a SQL Database, Azure knows to keep the traffic internal to the Azure network and not go out to the internet. Is this the same for Azure App Services?

  3. Is it possible to keep traffic between an App Service and SQL Database internal to Azure?
    If so, how do I go about doing this?

    Any guidance on this is greatly appreciated.

2
ADyson: These all appear to be variations of the same question. AFAIK if they are both located within the same Region then the traffic does not go across the public internet. But I could be wrong. Azure may have more specific documentation. What's your concern with this? Cost, or security, or both? I assume you're intending to encrypt the connection anyhow.
GavinSkippy: Our main concern at the moment is the speed of the communication. We were curious to know whether or not the traffic between the Web App and Database was going via the public internet or not. I was doing some further reading and saw the Azure Service App Environment, which deploys your apps to your virtual network and would then allow you to communicate with the Database internally, but the price is too high to make it feasible for us.
ADyson: Have you identified the network comms as a bottleneck then? Are you using Application Insights (or similar) or tools in the Azure portal to watch the traffic?
Nick.McDermaid: I agree - first confirm that network is actually an issue.
GavinSkippy: I will continue to investigate to see if the network comms is a bottleneck or not. The fact that you both mentioned that the traffic should be contained within the Azure Network (backbone) leads me to believe that the traffic is probably not going externally to the internet. Many thanks for your help guys.

2 Answers

2 votes
  1. It knows to keep it local on the "Azure backbone" (as per Azure doco). It doesn't go out to the public internet

  2. Yes

  3. Yes. It is already internal to the "Azure Backbone"

Having said that.... networks are really complicated.

As I understand it, the main benefit of V-Net is that you can define your own network and add things to it like firewalls, security groups, subnets, and peering between networks. It also helps when setting up a hybrid network, i.e. connecting Azure resources to an on-premises network. When you can set up the same kind of structures as on premises, it's easier to 'transparently' make it part of the on-premises network. Lastly (rereading the doco), you can remove any incoming public IP firewall rules. These are "Azure backbone" IP addresses, but they are also "public internet" addresses.

There may be a performance improvement if the App Service and Azure SQL are on the same V-Net.

Azure SQL service endpoints are a bit mysterious. They "connect" to the VNET, but you still need to connect to a public address. They don't actually take up a local IP address.

Depending on what you are really doing, you might want to look into private endpoint, which actually assigns a private IP to your Azure SQL.
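To check which of the two situations the answer describes you are actually in, resolve the SQL server's name from the Web App itself (for example from the Kudu console) and see what it comes back as: with a private endpoint, `<server>.database.windows.net` is a CNAME into the `privatelink.database.windows.net` zone and resolves to an address inside your VNet, whereas with a service endpoint or plain public access it still resolves to a public gateway address. The script below is an added illustration, not code from the question or either answer; the connection string and the server name `contoso-sql.database.windows.net` are constructed placeholders, and the DNS lookup only works where there is network access.

```python
"""Check how a Web App reaches Azure SQL: the TLS settings in its
connection string, and whether the server name resolves to a private
(VNet) address or a public one.

Added example, not part of the original question or answers.
The connection string and server name below are constructed placeholders.
"""
import ipaddress
import socket

# Constructed sample connection string (placeholder server and credentials).
CONNECTION_STRING = (
    "Server=tcp:contoso-sql.database.windows.net,1433;"
    "Initial Catalog=appdb;User ID=appuser;Password=placeholder;"
    "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
)


def parse_connection_string(cs):
    """Split an ADO.NET-style 'Key=Value;' string into a dict with lowercase keys."""
    params = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def server_host(params):
    """Return the bare host name from 'Server=tcp:host,port' (or 'Data Source=')."""
    raw = params.get("server") or params.get("data source") or ""
    if raw.lower().startswith("tcp:"):
        raw = raw[4:]
    return raw.split(",")[0]


def check_tls_settings(params):
    """Findings for the two settings that decide whether the session is
    encrypted and whether the server certificate is actually validated."""
    findings = []
    if params.get("encrypt", "").lower() not in ("true", "yes", "mandatory", "strict"):
        findings.append("Encrypt is not explicitly enabled; set Encrypt=True")
    if params.get("trustservercertificate", "").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True skips certificate validation; set it to False")
    return findings


def classify_path(addresses):
    """'private' when every resolved address is non-globally-routable (what a
    private endpoint hands out inside the VNet); otherwise 'public', which is
    what you get with a service endpoint or ordinary public access."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    if ips and all(ip.is_private for ip in ips):
        return "private"
    return "public"


def resolve_host(host):
    """Resolve the SQL server name (needs network; run this from the Web App's
    own console so you see exactly what the app sees)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 1433)})


if __name__ == "__main__":
    params = parse_connection_string(CONNECTION_STRING)
    for finding in check_tls_settings(params) or ["TLS settings look correct"]:
        print(finding)
    host = server_host(params)
    try:
        addrs = resolve_host(host)
        print(host, "->", addrs, "=>", classify_path(addrs), "path")
    except socket.gaierror as exc:
        print("could not resolve", host, exc)
```

If the name resolves to a public address, the connection is still on Azure's network when both resources are in Azure, but it is subject to the server's public firewall rules; if it resolves to a `10.x`-style address you are going through a private endpoint and the public rules can be removed.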

0 votes

Yes, communication between Azure App Service and Azure SQL Database is "local" within the Azure Virtual Network and does not go out to the public internet.