Harden SQL Server
Nerdio Manager relies on communication between two Azure PaaS services: Azure App Service and Azure SQL Database. By default, this communication is encrypted with Transport Layer Security, and data at rest is also encrypted using Transparent Data Encryption.
In order to further protect communication between the App Service instance and the SQL database, it is possible to restrict network traffic in two different ways, as detailed in this article.
Add the App Service’s Outbound IP addresses to the Azure SQL Server’s firewall. This method ensures that only requests from your Nerdio Manager instance’s IPs are able to reach the server. However, the Azure App Service is hosted on shared infrastructure. Any other App Services deployed to the same cluster as Nerdio Manager share the same outbound IPs.
Note: IP addresses associated with the app service cluster may change or update over time. You may need to periodically update the firewall with any changes to cluster IP addresses. We recommend using VNet and Subnet whitelisting to avoid this inconvenience.
Route traffic from the App Service using a VNet. Create an Azure SQL service endpoint in the VNet. Traffic to the SQL Server can then be restricted to allow only traffic coming from the VNet.
Restrict SQL Traffic to App Service Outbound IPs
In order to restrict SQL traffic to the App Service's IP addresses, we first must discover the IPs the app is using.
Optionally, run the following PowerShell commands (locally or in Azure Cloud Shell) to list them:
# Sign in to Azure (Login-AzAccount is an alias of Connect-AzAccount)
Connect-AzAccount
# Outbound IPs of the App Service, returned as a comma-separated string
(Get-AzWebApp -ResourceGroupName <group_name> -Name <app_name>).OutboundIpAddresses
This returns several IPs associated with your Nerdio Manager App Service. Outbound requests might come from any of the IPs shown.
In the Azure portal, search for SQL Servers, and find the sql-server-**** server.
Within the menu on the left-hand side of the SQL Server blade, scroll down to the Security section.
Select Firewalls and virtual networks.
Enter a rule for each IP address associated with your App Service.
Allow Azure services and resources to access this server: Set this option to Yes.
Note: This option must be set to Yes in order to permit app services within Azure to access the SQL server over public endpoints. Even with all app service IPs whitelisted, Azure SQL rejects all connections from Azure services if it is not set to Yes.
Deny public network access: Set this option to No.
Once you have entered all the IPs, select Save.
Traffic to the SQL Server is now restricted to these addresses.
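The same firewall configuration can be applied with the Az PowerShell modules instead of the portal. The following is an added example, not part of the Nerdio article: it reads the App Service's outbound IPs, creates one single-address firewall rule per IP, enables the "Allow Azure services" rule and keeps public network access enabled, then flags rules that no longer match the current IP set (the drift the note above warns about). Resource names, the rule-name prefix and the use of PossibleOutboundIpAddresses as an alternative property are assumptions.

```powershell
# Added example (not from the Nerdio article): restrict an Azure SQL server's
# firewall to the outbound IPs of the Nerdio Manager App Service.
# Requires the Az.Websites and Az.Sql modules. All names below are placeholders.
$rg     = "<resource_group>"            # resource group holding both resources
$app    = "web-admin-portal-xxxxxxxxx"  # Nerdio Manager App Service (placeholder)
$server = "sql-server-xxxx"             # Azure SQL logical server (placeholder)

Connect-AzAccount | Out-Null

# 1. Discover the IPs the App Service currently uses for outbound traffic.
#    OutboundIpAddresses is a comma-separated string. The broader
#    PossibleOutboundIpAddresses property (assumption: use it if you want to
#    pre-authorise IPs the app may use after scaling) has the same format.
$webApp = Get-AzWebApp -ResourceGroupName $rg -Name $app
$ips = $webApp.OutboundIpAddresses -split "," |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# 2. One single-address rule per IP. Rule names must be unique on the server,
#    so derive them from the address and skip ones that already exist.
$existing = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server
foreach ($ip in $ips) {
    $ruleName = "nerdio-app-" + ($ip -replace '\.', '-')
    if ($existing.FirewallRuleName -contains $ruleName) { continue }
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
        -FirewallRuleName $ruleName -StartIpAddress $ip -EndIpAddress $ip | Out-Null
}

# 3. "Allow Azure services and resources to access this server: Yes".
#    This is the special 0.0.0.0 rule; create it only if it is not already there.
if (-not ($existing | Where-Object { $_.StartIpAddress -eq "0.0.0.0" })) {
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server -AllowAllAzureIPs | Out-Null
}

# 4. "Deny public network access: No" (the public endpoint stays reachable,
#    gated by the rules above).
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess "Enabled" | Out-Null

# 5. Drift check: cluster IPs change over time. Warn about rules with our prefix
#    whose address is no longer among the App Service's outbound IPs, so they
#    can be reviewed and removed rather than left open indefinitely.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.FirewallRuleName -like "nerdio-app-*" -and $ips -notcontains $_.StartIpAddress } |
    ForEach-Object {
        Write-Warning "Stale rule $($_.FirewallRuleName) ($($_.StartIpAddress)) no longer matches the App Service"
    }
```

Run it again whenever the App Service's outbound IPs change; the rule-name convention makes the re-run idempotent and makes stale rules easy to spot with the final check.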
Routing App Service Traffic through a VNet
If restricting traffic to your App Service's outbound IPs is not adequate for your security needs, you can route all App Service traffic through a VNet, and restrict SQL traffic to that VNet.
Enable VNet Integration for Nerdio Manager's App Service
In the Azure portal, locate the Nerdio Manager App Service resource.
Note: It typically has a name in the following format: web-admin-portal-xxxxxxxxx.
Within the menu on the left-hand side of the App Service blade, scroll down to the Settings section.
Select Networking.
In VNet Integration, select Click here to configure.
In VNet Configuration, select Add VNet.
Select the VNet you wish to use.
Select OK.
Note: VNet integration requires a subnet delegated specifically for use with app services. This cannot be shared with any other Azure resources. The subnet selected for integration needs to be /28 or larger. It may be necessary to add an additional subnet that is compatible for the integration if there are no unused subnets or subnets not delegated for other services. In this example, there was already a VNet used for session hosts, which still had unallocated IP address ranges within the address block, so a new subnet was created specifically for the app service VNet integration.
When the VNet is successfully integrated, the page should look something like this:
Harden the SQL Server
In the Azure portal, search for SQL Servers, and find the sql-server-**** server.
Within the menu on the left-hand side of the SQL Server blade, scroll down to the Security section.
Select Firewalls and virtual networks.
Select Add existing virtual network.
Select the desired VNet.
Allow Azure services and resources to access this server: Set this option to No.
Note: This is set to No to block all inbound connections over Azure public endpoints. Using VNet integration, the App Service reaches the SQL Server over private / internal IP addresses instead.
Deny public network access: Set this option to Yes.
Once you have entered all the desired information, select Save.
Traffic from the Nerdio Manager App Service is now routed through your virtual network to the SQL Server service endpoint. Only traffic from your virtual network is allowed to connect to the database.
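The SQL-side hardening for the VNet approach can also be scripted. The following added example (not part of the Nerdio article) creates a subnet delegated to App Service with the Microsoft.Sql service endpoint enabled, adds a VNet rule for that subnet on the SQL server, removes the "Allow Azure services" rule, denies public network access, and lists the resulting rules for verification. The VNet integration of the App Service itself is still done in the portal as described above. Resource names, the subnet name and its address prefix are placeholders; the delegation and rule names are assumptions.

```powershell
# Added example (not from the Nerdio article): prepare a delegated subnet with
# an Azure SQL service endpoint and restrict the SQL server to that subnet.
# Requires the Az.Network and Az.Sql modules. All names below are placeholders.
$rg     = "<resource_group>"
$vnet   = "<vnet_name>"           # VNet already used for session hosts
$subnet = "snet-nerdio-app"       # new subnet dedicated to App Service integration
$prefix = "10.0.10.0/28"          # placeholder; must be /28 or larger and unused in the VNet
$server = "sql-server-xxxx"

Connect-AzAccount | Out-Null

# 1. Add a subnet delegated to Microsoft.Web/serverFarms (required for App
#    Service VNet integration; it cannot be shared with other resources) and
#    turn on the Microsoft.Sql service endpoint so SQL traffic stays on the
#    Azure backbone and arrives with the subnet's identity.
$net = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$delegation = New-AzDelegation -Name "appservice" -ServiceName "Microsoft.Web/serverFarms"
Add-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $net -AddressPrefix $prefix `
    -ServiceEndpoint "Microsoft.Sql" -Delegation $delegation | Out-Null
$net = $net | Set-AzVirtualNetwork
$subnetId = ($net.Subnets | Where-Object { $_.Name -eq $subnet }).Id

# 2. "Add existing virtual network": a VNet rule that accepts traffic only
#    from that delegated subnet.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "nerdio-app-subnet" -VirtualNetworkSubnetId $subnetId | Out-Null

# 3. "Allow Azure services and resources to access this server: No".
#    That setting is the 0.0.0.0 firewall rule, so remove it if present.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" } |
    ForEach-Object {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
            -FirewallRuleName $_.FirewallRuleName
    }

# 4. "Deny public network access: Yes".
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess "Disabled" | Out-Null

# 5. Verify what the server will now accept: the VNet rule should be Ready and
#    no broad IP rules should remain.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server |
    Select-Object VirtualNetworkRuleName, State
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

After running this, integrate the App Service with the new subnet in the portal (the VNet Integration steps above) and confirm Nerdio Manager can still reach the database before removing any remaining per-IP rules from the earlier method.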