Azure SQL Database Application

Question

I am building a desktop application that requires a SQL Database. I wish to offer clients 2 options: On Premises and Cloud database. For cloud databases I intend to use azure sql server. The requirements are:

1. I wish to have some sort of "Azure DB Credentials" for clients to use, that can only access their database (which I will provide).
2. I do not wish for the clients to have to install any other software to use the application.

My problem is, in testing I have run into the "IP Address not allowed to connect to server". This poses a problem:

1. Clients will have many different IP addresses, therefore I cannot allow individual IP addresses.
2. I do not want to open all IP Addresses due to security concerns.

As bizarre as this sounds, I cannot find a ready-to-use solution to this problem. I am a new programmer, and maybe have not googled enough... That being said, this seems like a simple problem without a simple obvious solution.

The best solution I have come up with is an embedded Open-VPN Client within the application. However, that seems unnecessarily complicated. Is there a better way?

Answer 1

Use token-based authentication on your application for simplicity.

public async Task<string> GetAccessTokenAsync(string clientId, string clientSecret, string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
    var clientCred = new ClientCredential(clientId, clientSecret);
    var result = await authContext.AcquireTokenAsync(resource, clientCred);

    if (result == null)
    {
        throw new InvalidOperationException("Could not get token");
    }

    return result.AccessToken;
}

Creating a SQL Connection using token.

public async Task<SqlConnection> GetSqlConnectionAsync(string tenantId, string clientId, string clientSecret, string dbServer, string dbName)
{
    var authority = string.Format("https://login.windows.net/{0}", tenantId);
    var resource = "https://database.windows.net/";
    var scope = "";
    var token = await GetTokenAsync(clientId, clientSecret, authority, resource, scope);

    var builder = new SqlConnectionStringBuilder();
    builder["Data Source"] = $"{dbServer}.database.windows.net";
    builder["Initial Catalog"] = dbName;
    builder["Connect Timeout"] = 30;
    builder["Persist Security Info"] = false;
    builder["TrustServerCertificate"] = false;
    builder["Encrypt"] = true;
    builder["MultipleActiveResultSets"] = false;

    var con = new SqlConnection(builder.ToString());
    con.AccessToken = token;
    return con;
}

You don't even need to worry about token expiration since AzureServiceTokenProvider takes care of caching.

Learn about it on this article.

Answer 2

Did you think about the Azure firewall? To add the client IP or IP address range to limit the access of Azure SQL database.

Set server firewall on portal:

Firewall settings: to add the client IP or IP address range to provides the access the database.

Fore more details, please see:

1. Azure SQL Database and SQL Data Warehouse IP firewall rules .
2. Create a server-level IP firewall rule using Azure Portal .

Hope this helps.