Is there a way to establish a connection from an Azure Web App to an Azure SQL Database in another region "privately", that is, without having to leave the database open to the public?

Specifically, I would like my database to have the following firewall options set on the database:

  • "Deny public network access" - YES
  • "Allow Azure services and resources to access this server" - NO

What I have tried unsuccessfully (it is possible that I got something wrong in my setup):

  • VNET-VNET peering - allows cross region VNET connection but does not seem to work for Web App
  • SQL Database Private Endpoint - Endpoint was created in VNET hosted in the same region as Web App.

Update: I tried to follow the instructions in Azure Global VNet peering and WebApps, but I am not sure which VNET the gateways should be created in. I first created a gateway in the remote network, then checked the "App Service Plan" blade, then created a gateway in the Web App VNET; still no luck.

In the "App Service Plan" blade, all of the gateway related settings are greyed out and gateway status is "N/A". "Sync Network" button is greyed out.

Comments:

  • @CSharpRocks, thank you for your response. From what I can gather (including my experimentation), the link you provided is for on-prem network connectivity. You have to connect to a different type of gateway than a Virtual Gateway. - Alex
  • @AlexAIT, thank you for your response. I have a question regarding the instructions: on which network should the gateway be created? On the VNET that the Web App connects to, or on the 2nd VNET where my database is? It seems you can only have one gateway, right? - Alex
  • @AlexAIT, in the "App Service Plan" blade, all of the gateway related settings are greyed out and the gateway status is "N/A", despite the fact that I have created a gateway on this VNET. - Alex

2 Answers


Firstly, your linked SO answer is for accessing Azure VMs from an Azure web app. Azure VMs are Azure IaaS; however, Azure SQL Database is Azure PaaS. You don't need to follow it in this scenario.

If you want to connect from a Web App to an Azure SQL Database in another region securely, you can do these two steps:

  1. Enable regional VNet Integration with app service in the same region.
  2. Add the integrated subnet under "Firewalls and virtual networks" on the Azure SQL Database server. If the selected subnet does not have a service endpoint enabled for Microsoft.Sql, enabling access may take up to 15 minutes to complete.

For more information, you could refer to this blog.

The above method adds the integrated subnet to the SQL server firewall. If you don't want to add it, you may consider using Azure Private Link with gateway-required VNet integration. See this blog for more information. Make sure you have set up the gateway in your virtual network (the one that has the private endpoint for the SQL database, in the same region as the SQL database) correctly. See Use cases of Private Link for Azure SQL Database for more details.


You should be able to do this using Private Link; there are instructions in the following Microsoft documentation: Multi-region web app with private connectivity to database

However, the part about adding the private link (i.e. part 3a of the "Deploy this scenario" section) isn't very clear as to what settings you need to select when actually creating the Private Link, so I have created a blog post which helps to explain this part a bit better with screenshots: Connect from Azure Web App to Azure SQL Database in another region using Private Link
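The private-endpoint pattern both answers point at, written out as one deployable Bicep template. This is an added example, not code from the question, either answer, or the linked Microsoft documentation. It assumes a single resource group, uses constructed names, address ranges and region values (`demo`, `10.10.0.0/16`, `westeurope`, `northeurope`), and uses regional VNet integration rather than the gateway-required variant. Note that the service-endpoint route from the first answer (a VNet rule in the server firewall) still travels over the server's public endpoint, so it cannot be combined with the question's "Deny public network access = YES" requirement; the private endpoint below is what that setting is designed for. The two settings from the question map directly onto the SQL server resource: `publicNetworkAccess: 'Disabled'`, and no `AllowAllWindowsAzureIps` firewall rule (the `0.0.0.0` rule that "Allow Azure services" creates).

```bicep
// Added example (not from the question or the answers). All names, regions
// and address ranges are constructed placeholders.
targetScope = 'resourceGroup'

@description('Region of the Web App and of the VNet that hosts the private endpoint')
param appRegion string = 'westeurope'
@description('Region of the SQL logical server; may differ from appRegion')
param sqlRegion string = 'northeurope'
param namePrefix string = 'demo'
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

// VNet in the app region: one subnet delegated to App Service for regional
// VNet integration, one subnet that hosts the private endpoint NIC.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${namePrefix}-vnet'
  location: appRegion
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-appsvc'
        properties: {
          addressPrefix: '10.10.1.0/24'
          delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      {
        name: 'snet-pe'
        properties: { addressPrefix: '10.10.2.0/24', privateEndpointNetworkPolicies: 'Disabled' }
      }
    ]
  }
}

// SQL logical server in the other region.
// publicNetworkAccess = Disabled is the "Deny public network access" switch.
// No firewall rule is declared, so "Allow Azure services" stays NO.
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: '${namePrefix}-sql-${uniqueString(resourceGroup().id)}'
  location: sqlRegion
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
  }
}

resource sqlDb 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: 'appdb'
  location: sqlRegion
  sku: { name: 'Basic', tier: 'Basic' }
}

// The private endpoint lives in the app-region VNet but targets the remote
// server; 'sqlServer' is the Private Link sub-resource name for Azure SQL.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${namePrefix}-pe-sql'
  location: appRegion
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-pe') }
    privateLinkServiceConnections: [
      { name: 'sql', properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] } }
    ]
  }
}

// Private DNS: without this zone the server FQDN still resolves to its public
// IP, which the server now refuses, and the app cannot connect.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${namePrefix}-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } }
}

resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } } ] }
}

// Web App with regional VNet integration; vnetRouteAllEnabled sends all
// outbound traffic (including DNS) through the VNet so the private zone applies.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${namePrefix}-plan'
  location: appRegion
  sku: { name: 'S1', tier: 'Standard' }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: '${namePrefix}-app-${uniqueString(resourceGroup().id)}'
  location: appRegion
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-appsvc')
    siteConfig: {
      vnetRouteAllEnabled: true
      connectionStrings: [
        {
          name: 'AppDb'
          type: 'SQLAzure'
          // Keep the server's normal FQDN; the private zone maps it to the endpoint IP.
          connectionString: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Database=${sqlDb.name};Encrypt=True;'
        }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters sqlAdminLogin=<login> sqlAdminPassword=<password>`. A quick check that the wiring is right is to run `nslookup <server>.database.windows.net` from the app's Kudu console: it should return the `10.10.2.x` private endpoint address, not a public IP. If it still returns the public address, the app is not resolving through the VNet; on older App Service stacks that was fixed with the `WEBSITE_DNS_SERVER=168.63.129.16` app setting, whereas with route-all enabled as above it should not be needed.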