How to connect your Linux Web Application to a SQL database via Private Endpoint

By: Microtek Learning


As we concentrate more on security, one of the key considerations is restricting public access to the database. With that in mind, how can I connect my Web App to a database privately?

This is possible in Azure with the help of Private Endpoint, but a few key prerequisites and limitations come along with the setup. Let me list them here.

  • The VNet you integrate with the Web App and the Web App itself must be in the same region.

  • The Web App must be a Linux-based deployment.

  • The App Service SKU needs to be Premium.

Setup:

  • All resources (VNet, Private Endpoint, Cosmos DB, App Service) are deployed in the same region, Canada East.

  • VNet integration needs to be configured between the App Service and the Virtual Network where the Private Endpoint is deployed.

  • During the creation of the Private Endpoint, a Private DNS Zone named “privatelink.documents.azure.com” gets created. In it you can find an A record with the name of your Cosmos DB pointing to the private IP address of the Private Endpoint. Based on the number of replications you select, corresponding Private Endpoints get created.

  • If you have RBAC on both the Private Endpoint and the Cosmos DB, the connection from the Private Endpoint to the Cosmos DB gets approved automatically.

  • To get this setup working, you need to forward DNS queries to Azure DNS by configuring “WEBSITE_DNS_SERVER” in App Settings.

  • You should also force all traffic from the Web App into the Virtual Network. To do that, configure “WEBSITE_VNET_ROUTE_ALL=1” in App Settings.

With this setup, let's test and check how it works.

  1. To test, navigate to the Advanced Tools (Kudu) of the Web App. This opens a new window where you can select the Bash console.

  2. Use the tcpping tool to check layer 4 connectivity to the Cosmos DB.

  3. To prove that the traffic is going via the Private Endpoint, navigate to the Cosmos DB and select Firewall and virtual networks. You can see there is no public access, as we have enabled the Private Endpoint.
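The two test steps above (tcpping plus confirming the private path) can be scripted from the Kudu Bash console. The following is an added example written for this post, not code from Microtek or Microsoft: it checks that the Cosmos DB hostname resolves through the privatelink zone to an address inside the integrated VNet and that TCP/443 is reachable there. The account hostname, the VNet range and the injectable resolve/connect hooks are assumptions.

```python
"""Verify from the Web App that the Cosmos DB hostname is reached via the
Private Endpoint: private DNS name, address inside the VNet, TCP port open.
Assumed inputs: <account>.documents.azure.com and the VNet CIDR (constructed)."""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Tuple

PRIVATELINK_ZONE = "privatelink.documents.azure.com"  # zone created with the endpoint


def tcp_open(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Layer-4 reachability check, the equivalent of `tcpping <ip> <port>`."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_private_path(
    host: str,
    vnet_cidr: str,
    port: int = 443,
    resolve: Callable[[str], Tuple[str, List[str], List[str]]] = socket.gethostbyname_ex,
    connect: Callable[[str, int], bool] = tcp_open,
) -> Dict[str, object]:
    """Report whether `host` is reached through the Private Endpoint."""
    canonical, _aliases, addrs = resolve(host)
    net = ipaddress.ip_network(vnet_cidr)
    report: Dict[str, object] = {
        "canonical": canonical,
        "addresses": addrs,
        # With DNS forwarded to Azure DNS the CNAME chain ends in the private zone.
        "privatelink_name": canonical.endswith(PRIVATELINK_ZONE),
        # A public address here means the query bypassed the private DNS zone.
        "in_vnet": bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs),
    }
    report["tcp_open"] = bool(addrs) and all(connect(a, port) for a in addrs)
    report["via_private_endpoint"] = bool(report["in_vnet"] and report["tcp_open"])
    return report


if __name__ == "__main__":
    # python check_pe.py <account>.documents.azure.com 10.0.0.0/16
    result = check_private_path(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["via_private_endpoint"] else 1)
```

A non-zero exit with a public address in the report points at the WEBSITE_DNS_SERVER setting; a private address with a closed port points at VNet integration or routing.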

Hope this blog is useful for securing your infrastructure by leveraging Azure Private Endpoints.


If you still have any doubts, watch the “How to connect your Linux Web Application to a SQL database via Private Endpoint” video on our YouTube channel.
