加强Azure Web Apps和Azure SQL数据库之间的安全性
出于安全方面的考虑,我计划不允许Azure服务与Azure服务进行通信,但只能与Azure服务进行通信.
For security concerns I'm planning to not allow Azure services to communicate with Azure services but the services it is only working with.
例如,我有一些使用Azure SQL数据库的Web应用程序.我应该只在Azure SQL服务器防火墙中添加Azure Web Apps的出站IP地址吗?
For example, I've some web apps that uses Azure SQL Databases. Should I only add the outbound IP addresses of Azure Web Apps in the Azure SQL server firewall?
还是我需要做其他事情?
or I need to do something else?
锁定SQL数据库的最佳方法是使用AAD集成和 AAD SQL Server中的用户.
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
这具有从应用程序中删除机密的(大)附加优点,因此您不必使用客户端机密或SQL登录名/密码来配置应用程序.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
您还可以运行在VNet上安装应用程序,然后将您的SQL防火墙配置为仅允许使用
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service Endpoints For Azure SQL Database.