Securing API and SQL Server Access Using Azure Virtual Networks

by Daniel Wood

This guide explains how to secure API access to an Azure SQL Database by isolating traffic within a Virtual Network (VNet). It covers how VNets and subnets work, how to connect an Azure App Service (hosting the API) and Azure SQL Server to the VNet, and how to enable manual access to the database from outside the VNet when necessary.

Understanding Virtual Networks

An Azure Virtual Network (VNet) is a logically isolated section of the Azure network in which you run your resources. It works much like a traditional on-premises network.

Address Space: A VNet has a defined IP address space (e.g. 10.0.0.0/16).

Subnets: This address space can be divided into subnets (e.g. 10.0.1.0/24) to organize and isolate different resources.

Service Endpoints: A subnet can be configured with service endpoints so that Azure services (such as SQL Database) are reached over the Azure backbone network instead of the public internet, and so that those services can restrict access to that specific subnet.

Resources connected to the same VNet or subnet can communicate securely and directly over private IP addresses, without exposing themselves to the internet.

Creating a Virtual Network and Subnet

  1. In the Azure Portal, go to Virtual Networks and select Create.
  2. On the Basics tab, enter a name and select a region.
  3. On the IP Addresses tab:
    • Define an address space (e.g. 10.0.0.0/16).
    • Under Subnets, create a new subnet (e.g. app-subnet) with a subnet range such as 10.0.1.0/24.
  4. Complete the rest of the steps and click Create.

This sets up the network structure required to isolate and secure communication between the API and the SQL Database.

Integrating the App Service with the VNet

To enable the App Service to communicate with resources inside the VNet:

Enable Service Endpoints for Microsoft.Web on the Subnet

  1. Go to Virtual Networks > select your VNet > Subnets
  2. Under Service Endpoints, click + Add.
  3. Select Microsoft.Web and click Add.

Configure the App Service to connect to the Virtual Network

  1. Go to the App Service in the Azure Portal.
  2. Navigate to Networking > Virtual Network Integration.
  3. Click Network Integration.
  4. Select the previously created Virtual Network and the appropriate subnet (e.g. app-subnet).
  5. Click OK to apply the integration.

This allows the App Service to send outbound traffic into the VNet and access private Azure resources, including the SQL Server.

Configuring SQL Server to Restrict Access to the VNet

By default, Azure SQL Servers are publicly accessible. To restrict access so that only traffic from the VNet is allowed:

a. Enable Service Endpoints for Microsoft.Sql on the Subnet

  1. Go to Virtual Networks > select your VNet > Subnets.
  2. Click on the subnet used by the App Service.
  3. Under Service Endpoints, click + Add.
  4. Select Microsoft.Sql and click Add.

This allows the subnet to connect to Azure SQL via Azure’s private backbone network.

b. Configure the SQL Server Firewall to Allow Only VNet Access

  1. Go to your SQL Server resource (not the database).
  2. Navigate to Networking > Firewall and virtual networks.
  3. Under Virtual Networks, click + Add existing virtual network.
  4. Choose the same Virtual Network and subnet used by the App Service.
  5. Under Public access, set Deny public network access to Yes.
  6. Click Save.

With these settings, only resources inside the specified VNet (such as your App Service) will be able to connect to the SQL Database. All public traffic will be blocked.
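The portal steps above can also be scripted. The following Azure CLI script is an added example, not code from the original post: it creates the VNet and subnet, enables the Microsoft.Web and Microsoft.Sql service endpoints, integrates the App Service, and adds the server-level VNet rule to the SQL Server, then lists the rule back as a check. Resource names, the region and the address ranges are assumptions (overridable through environment variables); the public access setting is left to the portal step above. By default the script only prints the commands it would run; pass --apply to execute them.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps (VNet + subnet,
# service endpoints, App Service VNet integration, SQL VNet rule).
# Not from the original post. Resource names, region and address ranges
# are assumptions that can be overridden through the environment.
set -eu

RG="${RG:-api-rg}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-api-vnet}"
SUBNET="${SUBNET:-app-subnet}"
APP="${APP:-my-api-app}"
SQL_SERVER="${SQL_SERVER:-my-sql-server}"

# run: execute a command, or with DRY_RUN=1 just print it so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: VNet with the address space and the App Service subnet.
create_vnet() {
  run az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
    --address-prefixes 10.0.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefixes 10.0.1.0/24
}

# Step 2: service endpoints on the subnet for the App Service (Microsoft.Web)
# and Azure SQL (Microsoft.Sql), so traffic to SQL stays on the Azure backbone.
enable_service_endpoints() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Web Microsoft.Sql
}

# Step 3: VNet integration for the App Service's outbound traffic.
integrate_app_service() {
  run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
}

# Step 4: server-level VNet rule so the App Service subnet passes the SQL firewall.
add_sql_vnet_rule() {
  run az sql server vnet-rule create -g "$RG" -s "$SQL_SERVER" -n allow-app-subnet \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# Check: list the server's VNet rules and confirm ours is present.
verify_sql_vnet_rule() {
  run az sql server vnet-rule list -g "$RG" -s "$SQL_SERVER" \
    --query "[?name=='allow-app-subnet'].virtualNetworkSubnetId" -o tsv
}

main() {
  create_vnet
  enable_service_endpoints
  integrate_app_service
  add_sql_vnet_rule
  verify_sql_vnet_rule
}

# Only apply when explicitly asked; otherwise print the plan.
if [ "${1:-}" = "--apply" ]; then
  main
else
  DRY_RUN=1
  main
fi
```

Run it once without arguments to review the exact commands and resource names, then with --apply from a shell that is already logged in with az login.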

Accessing SQL Server Manually from Outside the VNet

To connect to the SQL Server from a local development machine or other external source (e.g., using SQL Server Management Studio):

Option 1: Whitelist the Client IP

  1. Go to the SQL Server > Networking > Firewall rules.
  2. Click + Add client IP to allow access from your current machine’s IP address.
  3. Click Save.

This grants access from your machine's current public IP address. Treat it as temporary: remove the rule when access is no longer needed, since it stays in place (and may later cover someone else's address) until you delete it.

Option 2: VPN Access to the VNet

As an alternative, you can set up a VPN Gateway for your VNet. This allows remote machines to securely connect to the VNet and access private resources as if they were inside Azure. This method is more secure and scalable but is outside the scope of this tutorial.

Conclusion

Setting up your App Service and SQL Database inside a Virtual Network gives you a secure way for them to talk to each other without exposing anything to the public internet. It keeps your data protected while still letting you connect manually when needed, either by whitelisting your IP or using a VPN for more secure access.
