5

We use Azure Web Apps with Azure SQL and would like to make this setup more secure by configuring the database firewall to only allow connection from the specific web apps rather than any service in Azure. How can I limit connections to just my Azure services?

Cameron Taggart
  • 5,771
  • 4
  • 45
  • 70
  • Not sure if this applies: http://blogs.msdn.com/b/benjaminperkins/archive/2014/05/05/how-to-get-a-static-ip-address-for-your-microsoft-azure-web-site.aspx. If you can get a static IP address for the webapp, then you should be able to configure the firewall for that specific IP address. – Brendan Green Mar 25 '15 at 21:58

4 Answers4

6

Assuming that you have an ip address (hosting plan needs to be shared, basic or standard)**:

a) Navigate to SQL Databases >> Servers Tab >> Select the server hosting your database >> Configure Tab

b) Alternatively select your database >> Manage Allowed Ip Address (Right side Quick Glance bar)

  • Add your website ip to the list of allowed ip addresses
  • Change Windows Azure Services to "No" on "Allowed Services"

**You can view your ip address clicking Manage Domains on the Website Dashboard bottom bar.

Bruno Faria
  • 5,219
  • 3
  • 24
  • 27
  • Thanks! The IP Address is so hidden. I didn't know it was there. It is also accessible via the https://portal.azure.com/ > Web App > Settings > Custom domains and SSL. I'll try this out and mark this as the answer if it works. – Cameron Taggart Mar 26 '15 at 00:39
  • Using that IP address does not appear to allow the database connection to work. I am still investigating. I thought it was working yesterday, but this morning we had an outage and I rolled back this change. – Cameron Taggart Mar 26 '15 at 20:52
  • 1
    when the web app and database are in the same region, the web app might connect to the database using a internal ip, which i think you can find out from the management portal – liuhongbo Mar 26 '15 at 21:51
  • That appears to be the problem. The error message from the logs has a different IP address. It must be the internal one. How do I get the internal IP address, except reactively from the error messages? I tried using Kudu, but ipconfig isn't allowed and this node javascript returns yet a different IP: http://stackoverflow.com/a/16605483/23059 – Cameron Taggart Mar 27 '15 at 00:10
  • I wrote a web app that allows me to use curl to get the private IP. What I don't know is how dynamic/valid that IP is. Blogged about it here: http://blog.ctaggart.com/2015/03/nodejs-azure-web-app-built-with-atom.html – Cameron Taggart Mar 28 '15 at 03:50
  • The private IP addresses changed for the first time since posting this on April 3rd. they appear to be dynamic. :( – Cameron Taggart Apr 04 '15 at 18:12
5

There are 4 outbound IP addresses for a Web App which you can look up on the Properties tab for the Web App in the management portal.

You need to add these outbound IP addresses to the Firewall rules.

bgx
  • 751
  • 10
  • 14
  • This adds virtually no extra secuity. These outbound IP addresses are shared by many other Azure App Services. – Josh Noe Feb 26 '21 at 00:18
0

To get all possible outbound IP-addresses for your web app you can get them also via Azure CLI or Azure PowerShell, as described in this article.

Azure CLI:

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv

Azure PowerShell:

(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).PossibleOutboundIpAddresses
manhil
  • 1
  • 2
0

Rather than use IP, you can use private endpoints via VNET integration LINK

Anupam Chand
  • 2,209
  • 1
  • 5
  • 14