Azure 应用服务 (ASE) SQL Azure 连接

Question

I have an app service located inside the app service environment(ASE). I have a virtual network which I have put ASE into the subnet in the Vnet.

What I am trying to do is, I am trying to connect SQL Azure endpoint which is not in Vnet or my azure tenant. ASE has an outbound IP address and when I try to tcpping to azure SQL endpoint, it is responding me without any issue.

The problem is when I try to connect SQL endpoint inside the application, I am getting "Cannot open server" error. It usually happens when there is firewall in SQL Azure endpoint. I have checked log analytics (in target SQL endpoint) and saw my app connection is blocked but when I check the client IP, it shows me private IP of ASE. I really don't understand how it can be possible? I would see my public ip in there, since ASE is external ASE.

Do you have any idea how that can be possible?

Answer 1

If you have enabled the virtual network service endpoint for Microsoft.Sql in the ASE subnet, When you connect to your Azure SQL server with service endpoints turned on, the source IP of SQL connections will switch to the private IP space of your VNet.

If so, you need to allow the given VNet/subnet by specifying it in the VNet firewall rules of the SQL server. If you do not want to use a virtual network service endpoint, you can whitelist the outbound IP address of the application in the firewall of the SQL server.

For more information, you could read the blog1 and blog2 .