Azure function app on consumption plan connection to Azure MySQL database for flexible servers

Vladyslav Mikhalskyi 0 Reputation points
2023-12-26T12:45:22.7833333+00:00

Hello!

Is there any way to connect securely (without exposing the Database to 0.0.0.0 or to ALL Azure services) from the Azure function app to the Azure MySQL database for flexible servers?

I tried whitelisting all "Outbound IP addresses" and "Possible Outbound IP addresses", but it is not working.

Thank you!

Azure SQL Database
Azure Functions

1 answer

  1. Andriy Bilous 12,076 Reputation points MVP Volunteer Moderator
    2023-12-27T06:03:57.4633333+00:00

    Hello @Vladyslav Mikhalskyi

    There are a couple of options for how you can achieve a secure connection from the Azure function app to the Azure MySQL database for flexible servers without whitelisting all "Outbound IP addresses":

    Virtual network integration (Switch from Consumption to Dedicated or App Service Environment)

    Virtual network integration allows your function app to access resources inside a virtual network. Azure Functions supports two kinds of virtual network integration:

    • The dedicated compute pricing tiers, which include the Basic, Standard, Premium, Premium v2, and Premium v3.
    • The App Service Environment, which deploys directly into your virtual network with dedicated supporting infrastructure and is using the Isolated and Isolated v2 pricing tiers.

    Outbound IP restrictions (Switch from Consumption to Premium)

    Outbound IP restrictions are available in a Premium plan, App Service plan, or App Service Environment. You can configure outbound restrictions for the virtual network where your App Service Environment is deployed.

    NAT Gateway (Switch from Consumption to Premium)
    Virtual network address translation (NAT) simplifies outbound-only internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses.

    Outbound IP addresses
    It is recommended that you find the outgoing IP address of any application or service and explicitly allow access to those individual IP addresses or ranges. For example, you can find the outgoing IP address of an Azure App Service

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-nat-gateway
    https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli#enable-virtual-network-integration

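An added example (not part of the answer above and not Microsoft's code): a small Python audit of a flexible server's firewall rules that flags the 0.0.0.0 "all Azure services" rule and other broad ranges the question wants to avoid, and reports which function app egress IPs no specific rule covers. The rule list is constructed sample data in the `startIpAddress`/`endIpAddress` shape of `az mysql flexible-server firewall-rule list` output; the `audit_rules` name and the 256-address threshold are assumptions.

```python
import ipaddress

# Constructed sample in the shape returned by
# `az mysql flexible-server firewall-rule list -o json` (values are made up).
SAMPLE_RULES = [
    {"name": "AllowAllAzureServices", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "nat-gateway", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
]
# Constructed stand-in for the function app's static egress IPs (e.g. a NAT gateway address).
SAMPLE_EGRESS = ["203.0.113.10", "203.0.113.11"]

MAX_RANGE = 256  # assumption: anything wider than a /24 deserves a second look


def audit_rules(rules, egress_ips, max_range=MAX_RANGE):
    """Return (findings, uncovered): risky rules and egress IPs no specific rule allows."""
    findings, specific = [], []
    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        if int(start) > int(end):
            findings.append((rule["name"], "invalid: start is after end"))
        elif int(start) == 0 and int(end) == 0:
            # 0.0.0.0-0.0.0.0 is the "allow any Azure service" switch, other tenants included.
            findings.append((rule["name"], "allows all Azure services"))
        elif int(start) == 0 and int(end) == 2**32 - 1:
            findings.append((rule["name"], "allows the whole internet"))
        else:
            size = int(end) - int(start) + 1
            if size > max_range:
                findings.append((rule["name"], f"broad range ({size} addresses)"))
            specific.append((int(start), int(end)))
    uncovered = [ip for ip in egress_ips
                 if not any(lo <= int(ipaddress.ip_address(ip)) <= hi for lo, hi in specific)]
    return findings, uncovered


if __name__ == "__main__":
    findings, uncovered = audit_rules(SAMPLE_RULES, SAMPLE_EGRESS)
    for name, reason in findings:
        print(f"[!] {name}: {reason}")
    for ip in uncovered:
        print(f"[-] egress IP {ip} is not covered by a specific rule")
```

An egress IP reported as uncovered only connects today because a wildcard rule lets it through, so it would lose access once that rule is removed.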
