
Most secure way to connect Power BI Desktop to Azure SQL

MS suggests these ways to allow Power BI Desktop to access an Azure DB

a) opening inbound connections of all Azure IP ranges to Azure SQL

b) opening inbound connections to certain IPs

c) use an Enterprise Gateway, even if you are in Azure and not on-premises. Concerns: is this as secure as a real VPN? Does this mean no data can be sent to the DB server port?

d) Is there no out-of-the-box Azure service in place that works like a reverse proxy or application firewall with MFA?

e) is the Azure Application Proxy a solution?

What is the best security practice? a) and b) worry me, because of a huge unknown Azure user group that does not need to have access, and because the DB would not be protected against IP spoofing.

For c),d),e) I did not find a clear quote from MS about the security risk.

Thank you for clarifying and commenting on my concerns.

From Power BI Desktop, option b), opening inbound connections to certain IPs, is the typical approach. There's typically a small, fixed set of public IPs that your organization uses for outbound traffic, and these can be added to the Azure SQL Server's firewall.

IP Spoofing is a non-issue, as Azure will never route return packets to the spoofer, even if they somehow got all the way to the SQL Server.

c) use an Enterprise Gateway. Concerns: is this as secure as a real VPN? Does this mean no data can be sent to the DB server port?

Yes. The Power BI Gateway server runs on a private Azure VNet, and the SQL Server's firewall is configured to allow connections from this VNet. But Power BI Desktop can't connect directly using a Gateway. It's only a solution for connecting from the Power BI Service to your data source. So if you publish a shared Data Set, you can connect to that using Power BI Desktop. But you can't connect directly from Power BI Desktop to Azure SQL Database via the gateway. So you still need a firewall rule for the users designing the Power BI Data Sets (models) in Power BI Desktop.

Is there no out-of-the-box Azure service in place that works like a reverse proxy or application firewall with MFA?

No. This is not an HTTP connection, so there's no reverse proxy. You can, however, configure your Azure SQL Database to allow Azure Active Directory accounts, and then use your conditional access policies to force MFA. These are built in to Azure SQL Database and Azure Active Directory, and are a layer of security after the firewall.

2021 Edit

Azure SQL Database now supports Private Link which enables Azure SQL Database to listen on an IP address on a private network in Azure. This network can be routed to your Power BI Desktop users using Site-to-Site VPN or ExpressRoute, or developers can deploy a Point-to-Site VPN to enable a single desktop to communicate directly with the target private network.
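The answer recommends narrow per-IP firewall rules (option b) over the broad "allow all Azure IPs" rule (option a). The following is an added example, not code from the question, the answer or Microsoft: a small offline audit that reads firewall rules in the shape returned by `az sql server firewall-rule list` (fields `name`, `startIpAddress`, `endIpAddress`) and flags the "Allow Azure services" rule, which Azure stores as a 0.0.0.0 to 0.0.0.0 range, plus any range wider than a chosen threshold. The sample rules and the `MAX_RANGE` threshold are constructed assumptions.

```python
"""Audit Azure SQL server-level firewall rules for overly broad access.

Added example, not from the question or answer above. The input mirrors the
shape of `az sql server firewall-rule list` output (name, startIpAddress,
endIpAddress); the sample rules themselves are constructed.
"""
import ipaddress
import json

# Azure stores "Allow Azure services and resources to access this server"
# (option a) in the question) as a rule whose start and end are both 0.0.0.0.
ALLOW_AZURE_SERVICES = ("0.0.0.0", "0.0.0.0")

# Assumption: a contiguous range wider than this many addresses deserves review.
MAX_RANGE = 32

# Constructed sample, shaped like `az sql server firewall-rule list` output.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "office-nat-pool", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.15"},
  {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""


def range_size(start, end):
    """Number of IPv4 addresses admitted by an inclusive start/end rule."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def classify_rule(rule, max_range=MAX_RANGE):
    """Return a verdict string for one firewall rule dict."""
    start, end = rule["startIpAddress"], rule["endIpAddress"]
    if (start, end) == ALLOW_AZURE_SERVICES:
        return "allow-all-azure"
    size = range_size(start, end)
    if size > max_range:
        return "too-broad"
    if size == 1:
        return "single-ip"
    return "narrow-range"


def audit(rules_json, max_range=MAX_RANGE):
    """Classify every rule; returns a list of findings in input order."""
    findings = []
    for rule in json.loads(rules_json):
        findings.append({
            "name": rule["name"],
            "range": f'{rule["startIpAddress"]}-{rule["endIpAddress"]}',
            "verdict": classify_rule(rule, max_range),
        })
    return findings


def rules_admitting(rules_json, client_ip):
    """Names of rules that would admit a given client IP, e.g. an analyst's
    fixed egress address, so overlapping or redundant rules stand out."""
    ip = int(ipaddress.IPv4Address(client_ip))
    admitting = []
    for rule in json.loads(rules_json):
        lo = int(ipaddress.IPv4Address(rule["startIpAddress"]))
        hi = int(ipaddress.IPv4Address(rule["endIpAddress"]))
        if lo <= ip <= hi:
            admitting.append(rule["name"])
    return admitting


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES_JSON):
        print(f'{finding["verdict"]:16} {finding["name"]:26} {finding["range"]}')
    print("rules admitting 203.0.113.10:", rules_admitting(SAMPLE_RULES_JSON, "203.0.113.10"))
```

Run the module directly to see each rule's verdict; to audit a real server, replace `SAMPLE_RULES_JSON` with the JSON captured from `az sql server firewall-rule list`. The `rules_admitting` check is useful after the 2021 edit above too: once Private Link or a VNet rule covers your users, any public rule still admitting their addresses is a candidate for removal.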
