How to secure Azure VM connections to Azure SQL (Elastic Pool)? RRS feed

  • Question

  • Hi,

    I am new to Azure. I created a VNET with one VM for running custom webapps. The VNET has service endpoint Microsoft.sql set. I also created Azure SQL DBs in an elastic pool. My goal is to ensure the VM's apps can connect to the Azure SQL DBs with no problem. The VM also has a public IP assigned by a FW. However, I notice when one of our apps connect to Azure SQL DBs, the app complains (or rather returned, from Azure SQL?) that the IP 40.112.x.x is not allowed to access the DB. Note what's strange is this IP is not the public IP assigned by the FW. It's also not the IP I get when I, from within the VM, point to a browser to what's my IP. Does this make sense?

    It looks like adding the VNET to Azure SQL server's FW list is insufficient. Once I've added 40.112.x.x to the Azure SQL's FW allow list, the app runs ok. I really want to understand the best practice for this kind of setup is (which I think is a very common setup) but there are many MS documents and it becomes confusing. mentions with service endpoints, the traffic travels through MS backbone networks. So in my case, even though they are public IPs, how do I know whether the traffic is going through MS backbone networks or not?

    Any help is very much appreciated. Thanks!

    Monday, July 15, 2019 1:02 AM


All replies