Azure App Service Environment (ASE) has a unique capability: it is deployed into a subnet of your own virtual network, giving a dedicated, isolated environment that can scale to hundreds of instances. However, Azure SQL Database cannot yet be deployed into that dedicated environment. So this post shows how to configure secure network connectivity from Azure App Service to Azure SQL using virtual network service endpoints.
Do note the ASE pricing, though: on top of the per-instance cost there is a flat fee for each App Service Environment of $1.739/hour (roughly $1,269.17 CAD/month).
Let’s look at a demo environment as follows:
| Specification | Purpose or Benefit |
| --- | --- |
| App Service Environment v2 to host Azure App Service | Secure, isolated virtual network environment; high scalability |
| Azure Web App in an Isolated App Service Plan | By design deployed into an ASE |
| Azure SQL | Application relational data storage for the Azure Web App |
| Azure SQL firewall virtual network rule with the VNet | Secured network access from Azure App Service to Azure SQL DB. No internet access; network traffic stays on the Azure backbone. |
Design
Configuration Walkthrough
App Service Environment
External ASE type with a public IP, so the web apps themselves remain reachable from the internet; only the SQL side is locked down in this walkthrough.
Virtual Network
The ASE is deployed into a subnet of this virtual network, so the App Service runs inside the VNet (no separate VNet Integration feature is needed).
Virtual Network Service Endpoints
The Microsoft.Sql service endpoint is added to the ASE subnet.
Virtual network service endpoints let you restrict an Azure service resource (here the Azure SQL logical server) to your virtual network, removing its exposure to the internet.
Traffic from the subnet to the service stays on the Azure backbone and arrives carrying the subnet's identity rather than a public IP, which is what the SQL firewall's virtual network rule matches on.
App Service Plan
Associated with an App Service Environment
Selecting Scale up shows the pricing tier I1 Isolated, which is only offered in an App Service Environment.
Azure App Service / Web App
An overview of the settings confirming the web app is hosted in an Isolated App Service Plan and App Service Environment
SQL Server/Database Firewall Settings
Virtual network rules are a firewall feature that controls whether your Azure SQL Database server accepts connections from particular subnets in virtual networks.
Set Allow access to Azure services to OFF. When it is ON, any resource with an Azure public IP, in any subscription, can reach the server's public endpoint; it is not limited to your own services.
Leave the client IP address rules empty. Any IP rule opens the public endpoint to that address from the internet.
Add a virtual network rule by selecting the subscription, the virtual network and the subnet that has the Microsoft.Sql service endpoint enabled.
Go to your web application, set the SQL connection string as you normally would (for example in web.config, or as an App Service connection string setting), and test the connectivity. The server name stays the public one (yourserver.database.windows.net); the service endpoint changes the route and the source identity, not the name.
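The same configuration, scripted with the Azure CLI, as an added example that is not part of the original post. Resource names (demo-rg, ase-vnet, ase-subnet, demo-sql, demo-db, demo-webapp, ase-subnet-rule) are assumptions; override them with environment variables. It enables the service endpoint, removes the "Allow Azure services" rule (which the CLI exposes as the firewall rule AllowAllWindowsAzureIps), adds the VNet rule, refuses to continue if any IP rule remains, and sets the connection string as an App Service setting, which overrides web.config at runtime. Two small checks are pure shell and make no Azure calls, so they can be used in a pipeline before anything is deployed.

```shell
#!/bin/sh
# Added example (not the original post's code): ASE subnet -> Azure SQL via service endpoint.
# Requires a logged-in `az` CLI when run with the "apply" argument.
set -eu

RG="${RG:-demo-rg}"                  # assumed resource group
VNET="${VNET:-ase-vnet}"             # assumed VNet the ASE is deployed into
SUBNET="${SUBNET:-ase-subnet}"       # assumed ASE subnet
SQL_SERVER="${SQL_SERVER:-demo-sql}" # assumed logical SQL server name (without .database.windows.net)
SQL_DB="${SQL_DB:-demo-db}"          # assumed database name
WEBAPP="${WEBAPP:-demo-webapp}"      # assumed web app name
VNET_RULE="${VNET_RULE:-ase-subnet-rule}"

# Pure check, no Azure calls: "locked down" means zero IP-range firewall rules
# (arg 1: newline-separated rule names, empty when there are none) and at least
# one virtual network rule (arg 2: a count).
firewall_is_locked_down() {
  [ -z "$1" ] && [ "$2" -ge 1 ]
}

# Pure check, no Azure calls: Azure SQL only speaks TLS, so a connection string
# must request encryption and must not trust arbitrary server certificates.
conn_string_enforces_tls() {
  s="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  case "$s" in *encrypt=true*) ;; *) return 1 ;; esac
  case "$s" in *trustservercertificate=true*) return 1 ;; esac
  return 0
}

# Step 1: add the Microsoft.Sql service endpoint to the ASE subnet.
enable_sql_service_endpoint() {
  az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Sql --output none
}

# Step 2: "Allow access to Azure services" OFF (delete AllowAllWindowsAzureIps),
# add the VNet rule, then verify nothing else is open.
lock_down_sql_firewall() {
  az sql server firewall-rule delete \
    --resource-group "$RG" --server "$SQL_SERVER" --name AllowAllWindowsAzureIps \
    --output none 2>/dev/null || true   # absent when the toggle was already OFF
  az sql server vnet-rule create \
    --resource-group "$RG" --server "$SQL_SERVER" --name "$VNET_RULE" \
    --vnet-name "$VNET" --subnet "$SUBNET" --output none
  ip_rules="$(az sql server firewall-rule list \
    --resource-group "$RG" --server "$SQL_SERVER" --query '[].name' -o tsv)"
  vnet_rules="$(az sql server vnet-rule list \
    --resource-group "$RG" --server "$SQL_SERVER" --query 'length(@)' -o tsv)"
  firewall_is_locked_down "$ip_rules" "$vnet_rules" || {
    echo "SQL firewall still open: IP rules [$ip_rules], VNet rules $vnet_rules" >&2
    return 1
  }
}

# Step 3: set the connection string on the web app. The server name is still the
# public FQDN; the service endpoint changes the route, not the name.
set_connection_string() {
  : "${SQL_USER:?set SQL_USER}" "${SQL_PASSWORD:?set SQL_PASSWORD}"
  conn="Server=tcp:${SQL_SERVER}.database.windows.net,1433;Initial Catalog=${SQL_DB};User ID=${SQL_USER};Password=${SQL_PASSWORD};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
  conn_string_enforces_tls "$conn" || { echo "connection string does not enforce TLS" >&2; return 1; }
  az webapp config connection-string set \
    --resource-group "$RG" --name "$WEBAPP" --connection-string-type SQLAzure \
    --settings "DefaultConnection=$conn" --output none
}

# Usage: SQL_USER=appuser SQL_PASSWORD='...' ./ase-sql-endpoint.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_sql_service_endpoint
  lock_down_sql_firewall
  set_connection_string
fi
```

After `apply`, a quick sanity test is to run the same query from a machine outside the VNet: it should be rejected by the SQL firewall, while the web app inside the ASE subnet connects normally.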