Harden SQL

Nerdio Manager relies on communication between two Azure PaaS services: Azure App Service and Azure SQL Database. By default, this communication is encrypted with Transport Layer Security, and data at rest is also encrypted using Transparent Data Encryption.

In order to further protect communication between the App Service instance and the SQL database, it is possible to restrict network traffic in two different ways, as detailed in this article.

  • Add the App Service’s outbound IP addresses to the Azure SQL Server’s firewall. This method ensures that only requests from your Nerdio Manager instance’s IPs are able to reach the server. However, the Azure App Service is hosted on shared infrastructure: any other App Services deployed to the same cluster as Nerdio Manager share the same outbound IPs, so this restriction is by cluster rather than by your instance alone.

    Note: IP addresses associated with the App Service cluster may change over time, so you may need to periodically update the firewall with any changes to the cluster IP addresses. We recommend using VNet and subnet whitelisting to avoid this inconvenience.

  • Route traffic from the App Service using a VNet. Create an Azure SQL service endpoint in the VNet. Traffic to the SQL Server can then be restricted to allow only traffic coming from the VNet.

Restrict SQL Traffic to App Service Outbound IPs

In order to restrict SQL traffic to the App Service's IP addresses, we first must discover the IPs the app is using.

  1. Optionally, run the following commands in PowerShell or Azure Cloud Shell:

    # Sign in to Azure (Login-AzAccount is an alias of Connect-AzAccount)
    Connect-AzAccount

    # Read the outbound IP addresses of the Nerdio Manager App Service
    (Get-AzWebApp -ResourceGroupName <group_name> -Name <app_name>).OutboundIpAddresses

    This returns several IPs associated with your Nerdio Manager App Service. Outbound requests might come from any of the IPs shown.

  2. In Azure portal, search for SQL Servers, and find the nmw-app-sql-* server.

  3. Within the menu on the left-hand side of the SQL Server blade, scroll down to the Security section.

  4. Select Networking.

  5. In the Public access tab, enter the following information:

    • Select Selected networks (the default option).

    • Enter a rule for each IP address associated with your App Service.

    • Unselect Allow Azure services and resources to access this server.

  6. Once you have entered all the IPs, select Save.

    Traffic to the SQL Server is now restricted to these addresses.
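The discovery and firewall steps above, scripted with Az PowerShell as an added example that is not part of the Nerdio documentation. It assumes the resource group, App Service and nmw-app-sql-* server names are placeholders you replace, and it also removes rules for IPs the cluster no longer reports, which addresses the drift described in the Note above.

```powershell
# Added example, not Nerdio's code: reconcile the SQL Server firewall with the App Service outbound IPs.
# Placeholders (assumptions): replace with your resource group, App Service and nmw-app-sql-* server names.
$ResourceGroup = "<group_name>"
$AppName       = "<app_name>"
$SqlServerName = "<sql_server_name>"
$RulePrefix    = "nmw-app-outbound-"   # names this script owns, so it only reconciles its own rules

Connect-AzAccount | Out-Null

# Step 1: discover the IPs. PossibleOutboundIpAddresses is the superset the app can use after a
# scale operation; OutboundIpAddresses is the current subset. Allowing the superset avoids lockouts.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName
$wantedIps = ($app.PossibleOutboundIpAddresses -split ',') | ForEach-Object { $_.Trim() } | Sort-Object -Unique

# Rules created by earlier runs of this script.
$existing = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName |
    Where-Object { $_.FirewallRuleName -like "$RulePrefix*" }
$existingIps = @($existing | ForEach-Object { $_.StartIpAddress })

# Step 5: one single-address rule (start = end) per IP that is not yet allowed.
foreach ($ip in $wantedIps) {
    if ($existingIps -notcontains $ip) {
        New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName ($RulePrefix + ($ip -replace '\.', '-')) `
            -StartIpAddress $ip -EndIpAddress $ip | Out-Null
        Write-Host "Allowed $ip"
    }
}

# Drift (see the Note above): an IP the cluster no longer reports leaves a stale rule that widens
# the allow list for whoever inherits that address, so remove it.
foreach ($rule in $existing) {
    if ($wantedIps -notcontains $rule.StartIpAddress) {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName $rule.FirewallRuleName -Force | Out-Null
        Write-Host "Removed stale rule $($rule.FirewallRuleName) ($($rule.StartIpAddress))"
    }
}

# "Allow Azure services and resources to access this server" is the built-in rule
# AllowAllWindowsAzureIps (0.0.0.0 - 0.0.0.0); removing it unselects that option.
$azureRule = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
    -FirewallRuleName "AllowAllWindowsAzureIps" -ErrorAction SilentlyContinue
if ($azureRule) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
        -FirewallRuleName "AllowAllWindowsAzureIps" -Force | Out-Null
    Write-Host "Unselected 'Allow Azure services and resources to access this server'"
}
```

Run it from a scheduled job to keep the allow list in step with the cluster; the portal steps above remain the manual equivalent.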

Routing App Service Traffic through a VNet

If restricting traffic to your App Service's outbound IPs is not adequate for your security needs, you can route all App Service traffic through a VNet, and restrict SQL traffic to that VNet.

Notes:

  • VNet integration requires the App Service to be a Standard plan or higher. See Upgrade the Azure App Service for details.

  • An existing or new VNet may be used for the VNet integration.

Enable VNet Integration for Nerdio Manager's App Service

See Enable VNet Integration for Nerdio Manager's App Service for details.

Harden the SQL Server

  1. In Azure portal, search for SQL Servers, and find the nmw-app-sql-* server.

  2. Within the menu on the left-hand side of the SQL Server blade, scroll down to the Security section.

  3. Select Networking.

  4. In the Public access tab, enter the following information:

    • Select Selected networks (the default option).

    • Add the desired Virtual networks and Firewall rules.

    • Unselect Allow Azure services and resources to access this server.

  5. Once you have entered all the desired information, select Save.

    Traffic from the Nerdio Manager App Service is now routed through your virtual network to the SQL Server service endpoint. Only traffic from your virtual network is allowed to connect to the database.

Related Topics

Harden Nerdio Manager

Harden App Service

Harden Azure Storage Account