- Add the App Service’s Outbound IP addresses to the Azure SQL Server’s firewall. This method ensures that only requests from your NMW instance’s IPs are able to reach the server. However, the Azure App Service is hosted on shared infrastructure. Any other App Services deployed to the same cluster as NMW will share the same outbound IPs.
- Create an empty VNet and route traffic from the App Service to the VNet. Create an Azure SQL service endpoint in the VNet. Traffic to SQL Server can then be restricted to allow only traffic coming from the VNet.
Restrict SQL traffic to App Service Outbound IPs
To restrict SQL traffic to the App Service's IP addresses, you first need to discover the IPs the app uses. Run the following Azure PowerShell command:
(Get-AzWebApp -ResourceGroupName <group_name> -Name <app_name>).OutboundIpAddresses
This will return several IPs associated with your NMW App Service. Outbound requests might come from any of the IPs shown.
In Azure Portal, search for SQL Servers, and find the nmw-app server.
Select "Firewalls and virtual networks" in the left menu. Enter a rule for each IP address associated with your App Service. Set "Allow Azure services and resources to access this server" to "No." Note that the setting called "Deny public network access" should still be set to "No." Click Save. Once the rules are saved, traffic to SQL Server is restricted to those addresses.
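The same restriction, scripted so it can be re-run whenever the App Service's IPs change (for example after a change of App Service Plan tier). This is an added example, not code from the original page or from Nerdio: it assumes the Az.Websites and Az.Sql modules, an existing Connect-AzAccount session, the placeholder names below, and that the portal's "Allow Azure services" toggle maps to the firewall rule named AllowAllWindowsAzureIps (0.0.0.0-0.0.0.0).

```powershell
# Added example: build Azure SQL firewall rules from an App Service's outbound IPs.
param(
    [string]$ResourceGroupName = '<group_name>',   # placeholder, as on the page
    [string]$AppName           = '<app_name>',     # placeholder, as on the page
    [string]$SqlServerName     = 'nmw-app'         # SQL Server name used on the page
)

$app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $AppName

# OutboundIpAddresses is the set in use right now; PossibleOutboundIpAddresses also
# covers addresses the app may use after scaling. Take the union so a scale-out does
# not silently start failing SQL connections.
$ips = ($app.OutboundIpAddresses, $app.PossibleOutboundIpAddresses) -join ',' -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

foreach ($ip in $ips) {
    $ruleName = "nmw-app-$($ip -replace '\.', '-')"   # one single-address rule per IP
    $existing = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName `
        -ServerName $SqlServerName -FirewallRuleName $ruleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $SqlServerName `
            -FirewallRuleName $ruleName -StartIpAddress $ip -EndIpAddress $ip | Out-Null
    }
}

# "Allow Azure services and resources to access this server" = No.
# The portal toggle is the 0.0.0.0-0.0.0.0 rule named AllowAllWindowsAzureIps; remove it.
$azureAll = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $SqlServerName |
    Where-Object { $_.FirewallRuleName -eq 'AllowAllWindowsAzureIps' }
if ($azureAll) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $SqlServerName `
        -FirewallRuleName 'AllowAllWindowsAzureIps' | Out-Null
}

# Check: list every remaining rule and flag those that are not a single App Service IP
# (for example a wide range left behind earlier), so the restriction actually holds.
Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $SqlServerName |
    ForEach-Object {
        $isAppIp = ($_.StartIpAddress -eq $_.EndIpAddress) -and ($ips -contains $_.StartIpAddress)
        [pscustomobject]@{
            Rule         = $_.FirewallRuleName
            Range        = "$($_.StartIpAddress)-$($_.EndIpAddress)"
            AppServiceIp = $isAppIp
        }
    } | Format-Table -AutoSize
```

Any row in the final table with AppServiceIp set to False is a rule that admits traffic from somewhere other than your NMW instance and should be reviewed.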
Routing App Service Traffic through a VNet
If restricting traffic to your App Service's outbound IPs is not adequate for your security needs, you can route all App Service traffic through a VNet, and restrict SQL traffic to that VNet.
Create a new VNet in Azure. There will be no resources hosted in this VNet, so the range can be as small as /28 to accommodate a subnet.
Create a subnet at the same time. It can be as small as /29. Add a service endpoint for Azure SQL (Microsoft.Sql) to the subnet.
Click Review and Create. Create the VNet.
In the Azure portal, find and select your nmw App Service. In the left menu, select Networking. Under VNet Integration, click "Click here to configure."
Under VNet Configuration, click Add VNet. Select the VNet and subnet you created previously and click OK.
In Azure Portal, search for SQL Servers and click on the one named nmw-app. In the left menu, select Firewalls and virtual networks. Click "Add existing virtual network." Select the network you created previously and click OK.
Additionally, in the Firewalls and virtual networks settings, set "Allow Azure services and resources to access this server" to "No." Note that the setting called "Deny public network access" should still be set to "No." Traffic from the NMW App Service now routes through your virtual network to the SQL Server service endpoint, and only traffic from that virtual network is allowed to connect to the database.