App Service Environment with App Service and Azure SQL using Virtual Network Service Endpoints

Azure App Service Environment (ASE) has the unique capability of being deployed into a virtual network, giving a dedicated and isolated environment that can scale to many hundreds of instances. However, one cannot yet deploy an Azure SQL Database into this dedicated environment, so I'll show how to configure secure network connectivity from Azure App Service to Azure SQL using VNet service endpoints.

Do note the ASE pricing, however: there is also a flat fee for each App Service Environment of $1.739/hour (~$1,269.17 CAD/month).

Let’s look at a demo environment as follows:

| Specification | Purpose or Benefit |
| --- | --- |
| App Service Environment v2 to host Azure App Service | Secure isolated virtual network environment. High scalability. |
| Azure Web App in an Isolated App Service Plan | By design deployed into an ASE |
| Azure SQL | Application relational data storage for Azure Web App |
| Azure SQL Firewall Virtual Network Rule with VNET | Secured network access from Azure App Service to Azure SQL DB. No internet access. Network traffic is only in Azure backbone. |


Configuration Walkthrough

App Service Environment

External ASE type with a public IP supporting internet access.

Virtual Network

The App Service is integrated into this virtual network.

Virtual Network Service endpoints

The Microsoft.Sql service is added to the subnet.

Virtual Network service endpoints allow you to secure Azure service resources to your Azure Virtual Network by removing Internet access to these resources.
Service endpoints provide a connection from your virtual network and keep traffic within the Azure backbone.

App Service Plan

Associated with an App Service Environment

Selecting Scale up shows that the pricing tier is I1 Isolated, which is only offered in an App Service Environment.

Azure App Service / Web App

An overview of the settings confirming the web app is hosted in an Isolated App Service Plan and App Service Environment.

SQL Server/Database Firewall Settings

Virtual network rules are one firewall security feature that controls whether your Azure SQL Database server accepts communications that are sent from particular subnets in virtual networks.

Set Allow access to Azure services to OFF so that no Azure service across all of Azure has access.
Leave client IP addresses blank. Adding any IP address from the internet will allow access from that address.
Add a virtual network rule by selecting the subscription, the virtual network and a subnet that has the Microsoft.Sql service endpoint enabled.

Go to your web application and set the SQL connection string as you normally would (e.g. web.config) and test the connectivity.
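To confirm the firewall settings above actually hold after deployment, here is an added example (not part of the original post) that audits a server's rules against the three steps. The field names are assumed to match the JSON emitted by `az sql server firewall-rule list`, `az sql server vnet-rule list` and `az network vnet subnet show`; the rule names, IP address and subscription ID are constructed placeholders.

```python
# Constructed sample, using the field names the Azure CLI is assumed to emit for
# `az sql server firewall-rule list`, `az sql server vnet-rule list` and
# `az network vnet subnet show`. All names and IDs here are placeholders.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
             "/providers/Microsoft.Network/virtualNetworks/demo-vnet/subnets/ase-subnet")
BEFORE = {
    "firewall_rules": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "dev-laptop", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    ],
    "vnet_rules": [],
    "subnet": {"id": SUBNET_ID, "serviceEndpoints": None},
}
AFTER = {
    "firewall_rules": [],
    # Resource IDs are case-insensitive, so the audit must not compare them verbatim.
    "vnet_rules": [{"name": "ase-to-sql", "virtualNetworkSubnetId": SUBNET_ID.lower()}],
    "subnet": {"id": SUBNET_ID, "serviceEndpoints": [{"service": "Microsoft.Sql"}]},
}


def audit(cfg):
    """Return findings; an empty list means the walkthrough's firewall settings hold."""
    findings = []
    for rule in cfg["firewall_rules"]:
        start, end = rule["startIpAddress"], rule["endIpAddress"]
        if (start, end) == ("0.0.0.0", "0.0.0.0"):
            # "Allow access to Azure services" ON is stored as this 0.0.0.0 rule.
            findings.append("allow-azure-services is ON (rule %s)" % rule["name"])
        else:
            findings.append("public IP rule %s allows %s-%s" % (rule["name"], start, end))
    endpoints = {e["service"].lower() for e in cfg["subnet"].get("serviceEndpoints") or []}
    if "microsoft.sql" not in endpoints:
        findings.append("subnet has no Microsoft.Sql service endpoint")
    subnet_id = cfg["subnet"]["id"].lower()
    if not any(r["virtualNetworkSubnetId"].lower() == subnet_id for r in cfg["vnet_rules"]):
        findings.append("no virtual network rule for the App Service subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "OK")
```

An empty result means only the App Service subnet can reach the SQL server; any finding names the rule or missing setting to fix.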

