
securing database cluster with AAD

Rinshad R 1 Reputation point
2021-08-25T16:36:36.757+00:00

Hello,

We have a database cluster running on an Azure virtual machine. To access data present in this cluster we are using a proxy VM (a custom WAR application deployed in Apache Tomcat). The proxy VM is connected to an Application Gateway for load balancing, and we shared the Application Gateway URL with the organization's users to access data. Internal users use the App Gateway endpoint in Postman to query data from the database.

Internal user -> Postman -> Application gateway -> Proxy VM -> DB cluster.

As the Application Gateway URL or IP is public, anyone from outside the organization can make a request. So my questions are:

  1. Is there a better way to configure the above scenario?
  2. How can I secure the Application Gateway URL so that it is only accessible to internal users?
  3. We are using the Azure AD service; can we set up authentication using Azure AD before making a POST request?

Thanks
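Question 3 asks for Azure AD authentication in front of the POST request. Whether the token is checked by App Service's built-in authentication or by the Tomcat proxy itself, the checks are the same: pin the signing algorithm, verify the signature against the tenant's published keys, then validate expiry, issuer, audience, tenant and role. The example below is added here and is not code from the question, the answer or any Microsoft library. It runs offline, so the signature step is a pluggable callable and the demo uses a constructed HMAC secret as a stand-in for the JWKS-backed RS256 verifier Azure AD actually requires; the tenant id, audience and role name are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed placeholders: the tenant id, the v2.0 issuer derived from it, the
# App ID URI the proxy is registered under, and the app role internal users hold.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "api://db-proxy-placeholder"
REQUIRED_ROLE = "Data.Read"
CLOCK_SKEW = 60  # seconds of tolerance on exp / nbf


class TokenError(Exception):
    """Raised with the reason a bearer token was rejected."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_bearer(token: str, verify_signature: Callable[[str, str], bool],
                    expected_alg: str = "RS256", now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable for this proxy, else raise TokenError.

    verify_signature(signing_input, signature_b64url) is the signature backend:
    in production a JWKS-backed RS256 verifier, in the offline demo an HMAC stand-in.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong number of segments, bad base64, bad UTF-8 or JSON
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm server-side; the token must never choose it ("none", downgrade).
    if header.get("alg") != expected_alg:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(f"{header_b64}.{payload_b64}", sig_b64):
        raise TokenError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise TokenError("expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise TokenError("not yet valid")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if claims.get("tid") != TENANT_ID:
        raise TokenError("wrong tenant")
    if REQUIRED_ROLE not in claims.get("roles", []):
        raise TokenError("missing role")
    return claims


# Offline stand-in for the tenant's signing key (constructed). Production verifies
# RS256 against https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys.
STANDIN_SECRET = b"constructed-offline-demo-secret"


def hs256_verify(signing_input: str, sig_b64: str) -> bool:
    expected = hmac.new(STANDIN_SECRET, signing_input.encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _b64url_decode(sig_b64))
    except ValueError:
        return False


def mint_test_token(claims: dict, alg: str = "HS256") -> str:
    """Constructed token for the demo; alg is settable to exercise the pinning check."""
    signing_input = (_b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(STANDIN_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def good_claims(now: float) -> dict:
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "tid": TENANT_ID,
            "sub": "user-placeholder", "roles": [REQUIRED_ROLE],
            "nbf": int(now) - 10, "exp": int(now) + 3600}


def check(token: str, now: float) -> str:
    """Classify a token: 'ok' or the rejection reason the proxy would log."""
    try:
        validate_bearer(token, hs256_verify, expected_alg="HS256", now=now)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    t = time.time()
    print("valid:    ", check(mint_test_token(good_claims(t)), t))
    print("expired:  ", check(mint_test_token({**good_claims(t), "exp": int(t) - 3600}), t))
    print("wrong aud:", check(mint_test_token({**good_claims(t), "aud": "api://other"}), t))
    print("alg none: ", check(mint_test_token(good_claims(t), alg="none"), t))
```

The order of the checks matters: algorithm and signature are tested before any claim is trusted, so an attacker cannot use a forged payload to influence which branch runs, and the audience check is what stops a valid token issued for some other API in the same tenant from being replayed against the database proxy.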

Azure Application Gateway

An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.


1 answer
  1. ChaitanyaNaykodi-MSFT 27,666 Reputation points Microsoft Employee Moderator
    2021-09-01T19:26:24.62+00:00

    Hello @Rinshad R, apologies for the delayed response here.
    As Azure offers plenty of services with which the above requirement can be achieved, I could think of the following flow, which might be more secure:

    Internal user -> Postman -> Application gateway & Azure Firewall -> Azure based Load balancing solution-> DB cluster

    1. Application Gateway & Azure Firewall: You can go through this documentation to understand the advantages of using both in this scenario, like Threat Intelligence provided by Azure Firewall, WAF for App Gateway, etc.
    2. Azure based load balancing solution: I am not familiar with Apache Tomcat and how it is used for load balancing. You can go through this document to understand the different load balancing options in Azure and their advantages. You can also explore the option of using Azure Web Apps in this scenario, as it also offers AAD authentication and easy integration with Application Gateway.

    Currently Azure Application Gateway does not support a private-IP-only mode. If you want users to access the App Gateway only using a private IP, you can follow this documentation to achieve that.

    Additionally, you can also refer to the following architectures, which can help you with your decisions.

    Please let me know if there are any concerns. Thank you!

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
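The answer's point about restricting access to private or internal addresses is usually enforced at the network layer (NSG rules on the gateway subnet, or a private frontend). A defense-in-depth check the proxy VM itself can make is to accept only requests that arrived through the gateway and whose gateway-reported client address falls inside the organisation's ranges. The following is an added example, not code from the question, the answer or Microsoft; the subnet and address ranges are constructed. It assumes a single trusted proxy hop: Application Gateway appends the address it saw to any X-Forwarded-For header the client already sent, so only the last entry is trustworthy, and the header is only meaningful at all when the proxy cannot be reached except from the gateway subnet. The gateway may write the entry as ip:port, which the parser handles.

```python
import ipaddress
from typing import Dict, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the organisation's internal client ranges (VPN, corporate egress)
# and the subnet the Application Gateway instances live in. The proxy's NSG is
# assumed to admit inbound traffic from GATEWAY_SUBNET only.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]
GATEWAY_SUBNET = ipaddress.ip_network("10.10.0.0/24")


def _strip_port(entry: str) -> str:
    """Application Gateway may record 'ip:port' (or '[ipv6]:port'); keep the address."""
    entry = entry.strip()
    if entry.startswith("["):
        return entry[1:entry.index("]")] if "]" in entry else entry[1:]
    if entry.count(":") == 1:  # exactly one colon: IPv4 with a port suffix
        return entry.split(":")[0]
    return entry


def gateway_reported_client(xff: Optional[str]) -> Optional[IPAddress]:
    """The client address as the gateway saw it: the LAST X-Forwarded-For entry.

    Earlier entries are whatever the client chose to send and carry no trust.
    """
    if not xff:
        return None
    try:
        return ipaddress.ip_address(_strip_port(xff.split(",")[-1]))
    except ValueError:
        return None


def decide(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return 'allow' or a rejection reason for one inbound request at the proxy."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "deny: bad peer address"
    # Only the gateway may talk to the proxy; otherwise X-Forwarded-For is forgeable.
    if peer not in GATEWAY_SUBNET:
        return "deny: not from the gateway subnet"
    lowered = {k.lower(): v for k, v in headers.items()}
    client = gateway_reported_client(lowered.get("x-forwarded-for"))
    if client is None:
        return "deny: no usable X-Forwarded-For"
    if not any(client in net for net in INTERNAL_RANGES):
        return f"deny: external client {client}"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: peer address of the TCP connection plus the headers seen.
    samples = [
        ("10.10.0.5", {"X-Forwarded-For": "10.20.30.40:51234"}),
        ("10.10.0.5", {"X-Forwarded-For": "198.51.100.7:4000"}),
        ("10.10.0.5", {"X-Forwarded-For": "10.20.30.40, 198.51.100.7"}),  # spoofed first entry
        ("198.51.100.9", {"X-Forwarded-For": "10.20.30.40"}),            # bypassed the gateway
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", decide(peer, hdrs))
```

The third sample is the case that matters: a caller who puts an internal address at the front of X-Forwarded-For is still rejected, because the decision is taken on the entry the gateway appended, not on the one the caller supplied. This check complements, and does not replace, the network restriction and the AAD token check; an internal source address says nothing about who the user is.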


