This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 79%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
So I'm working on an application where a Blazor frontend calls a coreFx backend, which in turn handles data in a sql server.
I would like to securely connect the web app to the database.
So far I found two options that don't involve completely opening the DB server to azure services or the internet itself:
1) Add all the outgoing IP addresses from the web app to the server's firewall. Cumbersome, and seems a very not-straight-forward solution.
2) Make a V-NET. Put db in a subnet, web app in another subnet, make private endpoint on the db, have web app access private endpoint.
This seems like the "right" way to do it on a production level. But in dev, this would mean scaling the web app to S1, which is way overpowered for what it's used for and also too expensive. I was gonna go with B1/2 maximum.
Any better ideas?
Edit: The DB is a basic 5 DTU Database on an Azure SQL Server instance on database.windows.net
You are correct that you will need to upgrade to S1 to integrate your Web App with a VNET, but you should be able to lock down the access with outgoing IP Addresses. Are you using a VM with a SQL Server installed, or are you using an Azure SQL instance?
@BryanTrachMSFT can you advise on the web app outbound addresses?
I'm using an Azure SQL Instance; trying to go as serverless as possible.
@Metallkiller-2862 I would suggest you look into using a hybrid connection. It's supported on the basic tier and allows you to securely connect your web app to a database. More information here.
Please let me know if you have any questions regarding hybrid connections.
Indeed I have a question: That link shows me how to install HCM on a Windows Server. How do I use it for an Azure SQL Database on an Azure SQL Server? There's no VM to install it on. I'm trying to make the whole thing work serverlessly.
Edit: I have a small diagram, longer explanation of what I tried and where I am now in this serverfault-post: https://serverfault.com/questions/1010457/connect-azure-app-service-to-azure-sql-server-db
That post went on longer than expected, and didn't yield the kind of solution I'm looking for.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 27%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
My apologies for the confusion. Since you mentioned that it's Azure SQL, HCM will not work. Your option is to add the web apps outbound IP addresses to the firewall.
May I ask why adding the IP addresses for your web app to the firewall is cumbersome?
I'm still learning so I'm not sure if there is a better way, but currently going to the SQL Serve's firewall settings and manually adding 10 IP ranges, giving them 10 names (in my case Backend1-Backend10) seems like way too much work.
I have only one WebApp now, but if I were to build a bigger infrastructure, I had to add those 1 IPs from each WebApp to every server that WebApp needs to access. By then I'd probably use the command line anyway, but even that will feel like a hack, either iterating over 10 copy-pasted IP addresses or putting another command into the command to retrieve the addresses.
There has got to be a way of telling the SQL Server "This WebApp right here may get through your firewall" without jumping through hoops.
I'm afraid that's the path you might have to take if you do not want to use the S tier.
I was getting ready to recommend service endpoints but realized that it requires the S tier.
Let me check internally tomorrow morning to see if anyone else has any ideas, otherwise if you wish to remain at the B1 tier, you'll likely need to add the three to four outbound IPs.
I checked around and unfortunately, you'll need to upgrade to the S tier if you're looking for a more automated solution. We recommend a minimum of S tier for production apps to begin with so I'd highly advise you consider upgrading if you are running a production app.
Please share your feedback here so that the product group sees it and can understand your need. We apologize for the frustration that the current setup causes. Let me know if you have any further questions.