How to secure database and storage services from public access?

Mohsen Akhavan 791 Reputation points
2021-12-12T12:05:04.923+00:00

I have the below services, and they have public access.
Note: the virtual machine is on-premises.

[attached image: 156922-image.png]

Now, I want to remove public access and add some limited access policies.

[attached image: 156931-image.png]

  1. Based on my research, in my opinion, I should add two virtual networks and create two separate zones.
  2. Only the App Services can access the vNet1 services.
  3. Add an Azure Firewall to add an IP-limiting rule for access from the virtual machine to App Service 1, and other limitations.
  4. Add an Azure Application Gateway to use a WAF.

I need your feedback on this scenario; are there other suggestions?

I used normal security policies, such as 2FA and HTTPS.

Tags: Azure Firewall, Azure App Configuration, Azure Application Gateway, Azure App Service

1 answer

  1. suvasara-MSFT 10,041 Reputation points
    2021-12-16T05:42:29.423+00:00

    @Mohsen Akhavan , please go through the inline comments,

    1. Based on my research, in my opinion, I should add two virtual networks and create two separate zones. Only the App Services can access the vNet1 services.

    --> You can avoid splitting the networks here by deploying Private link between App Service and SQL/Storage.

    2. Add an Azure Firewall to add an IP-limiting rule for access from the virtual machine to App Service 1, and other limitations.

    --> You don't need to deploy an Azure Firewall here just for the purpose of allowing the whitelisted IPs. Instead, you can use the access restriction feature in Azure App Service.

    3. Add an Azure Application Gateway to use a WAF.

    --> If you are looking to remove public access to the App Service, then try Azure Front Door Premium to connect your web app origin via private link.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
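The answer above leans on two controls: App Service access restrictions instead of a firewall for source-IP allow-listing, and private link with public network access turned off on the SQL and Storage side. The following added example (not code from the thread or from Microsoft) models how those two controls behave so a defender can check a configuration offline. The rule dictionaries mirror the shape of the `ipSecurityRestrictions` entries that `az webapp config access-restriction show` returns, and the resource snapshots mirror the `publicNetworkAccess` and `privateEndpointConnections` properties on storage accounts and SQL servers; every name, IP range and priority value is constructed for illustration.

```python
"""Evaluate App Service access-restriction rules and audit public-access flags.

Added example for this thread. Sample rules and resources below are constructed;
they are shaped like Azure CLI output but are not real configuration.
"""
import ipaddress

# Constructed sample rules (names, priorities and ranges are assumptions).
# The /32 allow rule stands in for the on-premises VM's egress address.
SAMPLE_RULES = [
    {"name": "allow-onprem-vm", "action": "Allow", "priority": 100,
     "ipAddress": "203.0.113.10/32"},
    {"name": "deny-branch", "action": "Deny", "priority": 200,
     "ipAddress": "198.51.100.0/24"},
]

# Constructed resource snapshot; the property names match the ARM properties
# the answer relies on, the values are made up.
SAMPLE_RESOURCES = [
    {"name": "stgapp1", "type": "Microsoft.Storage/storageAccounts",
     "publicNetworkAccess": "Enabled", "privateEndpointConnections": []},
    {"name": "sqlapp1", "type": "Microsoft.Sql/servers",
     "publicNetworkAccess": "Disabled",
     "privateEndpointConnections": [{"name": "pe-sql-app1"}]},
]


def evaluate_access(rules, source_ip):
    """Return "Allow" or "Deny" for source_ip under the given IP rules.

    Rules are matched in ascending priority order and the first match wins.
    Once at least one rule exists, App Service adds an implicit 'Deny all'
    for traffic matching no rule; with no rules the app is unrestricted.
    Only IP-address rules are modelled here (service-tag and subnet rules
    carry no ipAddress and are skipped).
    """
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cidr = rule.get("ipAddress")
        if cidr is None:
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return rule["action"]
    return "Deny" if rules else "Allow"


def audit_public_access(resources):
    """List data services still reachable from the internet or lacking a
    private endpoint, i.e. the exposure the answer says to close.

    A missing publicNetworkAccess property is treated as Enabled, which is the
    platform default (assumption noted for the reader).
    """
    findings = []
    for res in resources:
        problems = []
        if res.get("publicNetworkAccess", "Enabled") != "Disabled":
            problems.append("public network access enabled")
        if not res.get("privateEndpointConnections"):
            problems.append("no private endpoint")
        if problems:
            findings.append((res["name"], problems))
    return findings


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(f"{src}: {evaluate_access(SAMPLE_RULES, src)}")
    for name, problems in audit_public_access(SAMPLE_RESOURCES):
        print(f"{name}: {', '.join(problems)}")
```

Feeding the real JSON from the two CLI commands named in the lead-in into these functions turns the answer's advice into a repeatable check: the VM's egress address should evaluate to "Allow", any other address to "Deny", and the audit should come back empty once public network access is disabled and the private endpoints are in place.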

