0
votes

I have an AspNetCore3.1 app hosted on a Linux Azure WebApp. I have enabled Private Endpoint on it. All works like a charm. Now, to add DB interaction, I have enabled system-assigned Managed Identity (MI) for the web app and added it as a contained user to my Azure SQL PaaS. However, I'm getting errors while connecting to the DB:

Connection was denied since Deny Public Network Access is set to Yes (https://docs.microsoft.com/azure/azure-sql/database/connectivity-settings#deny-public-network-access). To connect to this server, use the Private Endpoint from inside your virtual network (https://docs.microsoft.com/azure/sql-database/sql-database-private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database). at Microsoft.Data.ProviderBase.DbConnectionPool.CheckPoolBlockingPeriod(Exception e)

There is a Private Endpoint configured for the SQL DB too. It is in a different subnet but in the same VNet as the webapp's private endpoint.

Update: I have verified that the error is still thrown even if I remove the Private Endpoint from the webApp.

What am I missing here?


1 Answer

1
votes

The error message indicates that you are trying to access the SQL server over the public network from your web app. You need to route the outgoing traffic from the web app into a VNet; then you can use a private endpoint for your SQL server. Read about using Private Endpoints for Azure Web App.

Private Endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the VNet integration feature.

When you add a private endpoint connection in your SQL server, you will see that there are Service endpoints for Microsoft.Sql and Private endpoints in the VNet in which you created the private endpoint for your SQL server.

To access the SQL server from the Azure web app within a private network over a private link, you need to enable VNet Integration for your web app in another, empty subnet in the same VNet. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones you need to add the following app settings:

WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1

Test result in native Windows apps

From web app to SQL db with the two above app settings, WEBSITE_DNS_SERVER and WEBSITE_VNET_ROUTE_ALL, configured, it resolves to a private IP address.


From web app to SQL db with the app setting WEBSITE_DNS_SERVER with value 168.63.129.16, using the private DNS zone but without WEBSITE_VNET_ROUTE_ALL configured, it resolves to a public IP address.

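As an added example (not part of the answer above), the following script applies the two app settings the answer names via the Azure CLI and then classifies what the SQL server's FQDN resolves to from inside the app, reproducing the private-vs-public check shown in the two test results. The resource group, app, VNet, subnet and server names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Names below are placeholders.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"                                # placeholder
WEBAPP="${WEBAPP:-my-webapp}"                                            # placeholder
VNET="${VNET:-my-vnet}"                                                  # placeholder
INTEGRATION_SUBNET="${INTEGRATION_SUBNET:-webapp-integration}"           # placeholder, must be empty
SQL_SERVER_FQDN="${SQL_SERVER_FQDN:-myserver.database.windows.net}"      # placeholder

# Returns 0 when the IPv4 address is in an RFC 1918 range (what a private
# endpoint NIC receives), 1 otherwise. Pure shell so it can run offline.
is_private_ipv4() {
  case "$1" in
    10.*)                                  return 0 ;;
    192.168.*)                             return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *)                                     return 1 ;;
  esac
}

# "private": outbound traffic will use the Private Endpoint.
# "public": traffic hits the public gateway and is refused by
# Deny Public Network Access, which is the error in the question.
classify_resolution() {
  if is_private_ipv4 "$1"; then echo private; else echo public; fi
}

configure_webapp() {
  # Regional VNet Integration in an empty subnet of the same VNet.
  az webapp vnet-integration add \
    --resource-group "$RESOURCE_GROUP" --name "$WEBAPP" \
    --vnet "$VNET" --subnet "$INTEGRATION_SUBNET"
  # The answer's two settings: Azure-provided resolver so the privatelink
  # zone is honoured, and route all outbound traffic through the VNet.
  az webapp config appsettings set \
    --resource-group "$RESOURCE_GROUP" --name "$WEBAPP" \
    --settings WEBSITE_DNS_SERVER=168.63.129.16 WEBSITE_VNET_ROUTE_ALL=1
}

if [ "${1:-}" = "--apply" ]; then
  configure_webapp
elif [ "${1:-}" = "--check" ]; then
  # Run from the app's SSH console after a restart.
  resolved="$(getent hosts "$SQL_SERVER_FQDN" | awk '{print $1; exit}')"
  echo "$SQL_SERVER_FQDN -> $resolved ($(classify_resolution "$resolved"))"
fi
```

Run with --apply from a workstation logged in to the Azure CLI, then with --check from the web app's SSH console; a "public" result means the DNS or routing setting has not taken effect yet.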