简体繁体 English

允许 Azure 服务到 webapp？

[英]Allow Azure services to webapp?

原文 2022-02-21 09:50:07 5 2 azure/ azure-web-app-service/ azure-sql-database/ firewall

I have setup a free tier azure web app and also basic tier azure database.我已经设置了一个免费层 azure web 应用程序以及基本层 azure 数据库。 However i noticed that I have to enable Allow Azure Services in the sql database firewall settings to allow database connectivity to my webapp.但是我注意到我必须在 sql 数据库防火墙设置中启用允许 Azure 服务，以允许数据库连接到我的 webapp。 I am not sure if this is safe as i have read that other azure subscriptions can have access to my db and also my db server.我不确定这是否安全，因为我读过其他 azure 订阅可以访问我的数据库以及我的数据库服务器。

Is there a setting or security rule where I can implement or configure without enabling 'allow azure services'?是否存在可以在不启用“允许 azure 服务”的情况下实施或配置的设置或安全规则？

Any information will be grateful.任何信息将不胜感激。

2 个解决方案

You can connect your web app to the Azure SQL database by using private connectivity.您可以使用专用连接将 web 应用程序连接到 Azure SQL 数据库。

The web app can securely connect to a backend database over a fully private connection. web 应用程序可以通过完全私有的连接安全地连接到后端数据库。 The public inte.net can't reach the database, which eliminates a common attack vector.公共互联网无法访问数据库，从而消除了常见的攻击媒介。

Also, you have other options to connect your web app securely to the Database:此外，您还有其他选项可以将您的 web 应用程序安全地连接到数据库：

An alternative approach for private connectivity is an App Service Environment for hosting the web application within an isolated environment, and Azure SQL Managed Instance as the database engine.专用连接的另一种方法是应用服务环境，用于在隔离环境中托管 web 应用程序，Azure SQL 托管实例作为数据库引擎。

As an alternative to the Private Endpoint, you can use a Service Endpoint to secure the database.作为专用终结点的替代方法，您可以使用服务终结点来保护数据库。 With a Service Endpoint, the private endpoint, PrivateLinkSu.net, and configuring the Route All regional VNet integration setting are unnecessary.使用服务终结点，不需要专用终结点、PrivateLinkSu.net 和配置路由所有区域 VNet 集成设置。 You still need regional VNet Integration to route incoming traffic through the Virtual Network.你仍然需要区域 VNet 集成来通过虚拟网络路由传入流量。

For complete information check the Microsoft document Web app private connectivity to Azure SQL database which has information about Web App connecting securely.有关完整信息，请查看 Microsoft 文档Web app private connectivity to Azure SQL 数据库，其中包含有关 Web App 安全连接的信息。

Yes, if you enable "Allow Azure Services" on your Azure SQL database, this enables services that run on Azure to access your database from a firewall perspective.是的，如果您在 Azure SQL 数据库上启用“允许 Azure 服务”，这将使运行在 Azure 上的服务能够从防火墙的角度访问您的数据库。 Even if those services are not yours.即使这些服务不是您的。 Still, to access the database, one would still need to know:尽管如此，要访问数据库，仍然需要知道：

The name of the server hosting the database托管数据库的服务器的名称
The name of the database数据库名称
Valid credentials for access有效的访问凭据

If you do want an added layer of security, there are several solutions available like SaiSakethGuduru-MT mentioned in their answer .如果您确实想要增加一层安全性，可以使用多种解决方案，例如他们的回答中提到的 SaiSakethGuduru-MT。

Another alternative which might be easiest to accomplish is probably to have your application use a Managed Identity and configuring the database to Use only Azure Active Directory (Azure AD) authentication .另一个可能最容易完成的替代方案可能是让您的应用程序使用托管标识并将数据库配置为仅使用 Azure Active Directory (Azure AD) 身份验证。

With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location.通过 Azure AD 身份验证，您可以在一个中心位置集中管理数据库用户和其他 Microsoft 服务的身份。 Central ID management provides a single place to manage database users and simplifies permission management.中央 ID 管理提供单一位置来管理数据库用户并简化权限管理。

This way, a connection string will not give access to the database.这样，连接字符串将无法访问数据库。 The identities that do have access are manageable in your own Azure AD tenant.具有访问权限的身份可在您自己的 Azure AD 租户中进行管理。