Client application with Sql Server Cloud migration pattern

Question

Client application with Sql Server Cloud migration pattern

KK 191

Hi experts,

For migrating an application with client desktop + sql server db + webapp (both webapp and client only connect to the sql db) onto Azure Cloud, what would be the best practice with consideration of large amount of db table data with small transaction amount, decent security and small concurrent users?

My idea was to put the Sql server with TLS setup and an app service with certificate both in a vnet with security group protection, and desktop client directly connect to the Sql server by public IP and web users access the website through https.

But not sure if there is better way and is the vnet necessary in this case if the resources have to expose public ip to internet users.

Any advice would be highly appreciated.

1 answer

Your answer

Answer 1

Alberto Morillo 34,671 MVP Volunteer Moderator

Hi KK,

Please consider to use a private link between the App Service and the Azure SQL Database instead of exposing the database to the Internet. You may need a premium App Service plan to use VNET integration as Standard plan does not allow it.

Your desktop users would be able to connect to the Azure SQL Database using a VPN or using Express Route.

Here you will find how to migrate your web application to Azure App Service.

If your database has a size of a few hundreds of GBs you can consider migrating it to Azure SQL using Data Migration Assistant. For bigger databases, my suggestion is to use Data Migration Service.

KK 191 Reputation points

2022-10-26T13:43:48.94+00:00

Thanks so much, Alberto. Your answer is exactly what I want.
Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator

2022-10-26T14:11:20.083+00:00

You are very welcome @KK ! Please accept my answer as correct when you have some time available. Have a great day!
KK 191 Reputation points

2022-10-26T14:15:36.46+00:00

If you do not mind, I would like to follow up a further question that if we have used vpn connection between the client app and the DB vnet, I guess the TLS setting on DB side would be redundant?
And if I also wanted to add dataware house service, web api or PowerBi etc.. for fetching data from the DB, is putting individual private link to each service still the best solution?
Thanks in advance.
KK 191 Reputation points

2022-10-26T14:43:54.69+00:00

Sure thing. Has accepted.
Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator

2022-10-26T14:51:06.773+00:00

In-transit encryption is enforced at all times when you are connected to Azure services. If the client does not initiate the encryption, encryption will be enforced by Azure.

You can still use Power Bi when using private links as explained here. Same Azure Synapse (DWH) can participate on private links as explained here.

Multiple private endpoints can be created with the same private-link resource. For a single network using a common DNS server configuration, the recommended practice is to use a single private endpoint for a specified private-link resource. Use this practice to avoid duplicate entries or conflicts in DNS resolution.
KK 191 Reputation points

2022-10-26T14:59:22.217+00:00

Thanks so much. Have a lovely day!
Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator

2022-10-26T22:39:17.753+00:00

You are very welcome @KK ! Please accept my answer as correct when you have some time available, it could help other OPs identify the question was answered and then they can benefit from it with confidence. Thank you in advance.

Share via

Client application with Sql Server Cloud migration pattern

1 answer

Your answer