Web App should use private IP in a VNet with Service Endpoints
Remove the limitation that prevents us from using Web Apps with Service Endpoints to limit access to Azure SQL database.
Limitation is described here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview?toc=%2fazure%2fvirtual-network%2ftoc.json#limitations
"A Web App can be mapped to a private IP in a VNet/subnet. Even if service endpoints are turned ON from the given VNet/subnet, connections from the Web App to the server will have an Azure public IP source, not a VNet/subnet source. To enable connectivity from a Web App to a server that has VNet firewall rules, you must Allow all Azure services on the server."
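To make the limitation quoted above concrete, here is an added example (not code from the original post, Microsoft, or the Azure SDK) that models an Azure SQL server's network rules and checks which rule actually admits a given client. The dataclasses, the source kinds and the sample IPs are constructed for this example; the one real detail relied on is that the "Allow Azure services" switch is stored as a 0.0.0.0-0.0.0.0 firewall rule named AllowAllWindowsAzureIps. The audit function flags the configuration the thread complains about: a VNet rule that is not the effective control because the allow-all rule is also on.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of an Azure SQL server's network rules. These classes are an
# assumption for this example, not the Azure SDK's types. The real detail is that
# "Allow Azure services" is stored as a 0.0.0.0-0.0.0.0 rule with this name.
ALLOW_AZURE_RULE = "AllowAllWindowsAzureIps"


@dataclass
class IpRule:
    name: str
    start: str
    end: str

    def covers(self, ip: str) -> bool:
        """True when ip falls inside this rule's inclusive start-end range."""
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start) <= addr <= ipaddress.ip_address(self.end)


@dataclass
class ServerNetworkRules:
    ip_rules: List[IpRule] = field(default_factory=list)
    vnet_subnet_ids: List[str] = field(default_factory=list)  # subnets with a VNet rule


def allows_all_azure_services(rules: ServerNetworkRules) -> bool:
    """The 0.0.0.0-0.0.0.0 rule admits traffic from any Azure-owned public IP."""
    return any(r.start == "0.0.0.0" and r.end == "0.0.0.0" for r in rules.ip_rules)


def connection_allowed(rules: ServerNetworkRules, source: Tuple[str, str]) -> Tuple[bool, str]:
    """Decide whether a connection is admitted and name the rule that admitted it.

    source is (kind, value) with kind one of:
      "vnet"         value = subnet id; the connection carries a VNet source
                     (what a service endpoint provides)
      "azure_public" value = IP; an Azure-hosted client arriving with a public
                     source IP (the multi-tenant Web App case from the post)
      "internet"     value = IP; any other client
    """
    kind, value = source
    if kind == "vnet":
        if value in rules.vnet_subnet_ids:
            return True, f"VNet rule for {value}"
        return False, f"no VNet rule for {value}"
    for rule in rules.ip_rules:
        if rule.name == ALLOW_AZURE_RULE:
            if kind == "azure_public":
                return True, ALLOW_AZURE_RULE
            continue  # the special rule never matches non-Azure sources
        if rule.covers(value):
            return True, f"IP rule {rule.name}"
    return False, "no matching IP rule"


def audit(rules: ServerNetworkRules) -> List[str]:
    """Flag a VNet rule that is bypassed because Allow Azure services is also ON."""
    findings = []
    if allows_all_azure_services(rules):
        findings.append("Allow Azure services is ON: any Azure-hosted client can reach the server")
        if rules.vnet_subnet_ids:
            findings.append("VNet rules present but bypassed for Azure-hosted clients by Allow Azure services")
    return findings


# The workaround the post describes: VNet rule plus Allow Azure services ON.
WORKAROUND = ServerNetworkRules(
    ip_rules=[IpRule(ALLOW_AZURE_RULE, "0.0.0.0", "0.0.0.0")],
    vnet_subnet_ids=["web-subnet"],
)

# The intended end state once Web Apps present a VNet source: VNet rule only.
VNET_ONLY = ServerNetworkRules(vnet_subnet_ids=["web-subnet"])

# Constructed sample sources; the IPs are documentation ranges, not Azure addresses.
WEB_APP_PUBLIC = ("azure_public", "203.0.113.10")   # our Web App, public source IP
OTHER_TENANT_VM = ("azure_public", "203.0.113.99")  # someone else's Azure-hosted VM
WEB_APP_VNET = ("vnet", "web-subnet")               # our Web App with a VNet source
STRANGER = ("internet", "198.51.100.7")             # non-Azure client

if __name__ == "__main__":
    for label, rules in (("workaround", WORKAROUND), ("vnet-only", VNET_ONLY)):
        print(label, audit(rules))
        for src in (WEB_APP_PUBLIC, OTHER_TENANT_VM, WEB_APP_VNET, STRANGER):
            print("  ", src, connection_allowed(rules, src))
```

Run against the workaround configuration, the Web App's public-IP connection is admitted only by AllowAllWindowsAzureIps, and so is the unrelated Azure-hosted VM, which is why the docs say the setting is more open than you want; with the VNet-only configuration the same public-IP connection is refused and only a VNet-sourced connection gets through.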
We are currently working on items that will enable service endpoints for multi-tenant App service. We will share the news of the features we deliver on the App Service Blog here: aka.ms/AppServiceBlog.
We also expect to speak about this topic at the Ignite conference in September in Orlando.
Agreed with the comment below. It seems pointless at the moment as you still have to have the firewall open to all Azure services. When will an update be provided? Thanks,
What's the status on this? I set up a test environment today exactly as mentioned in the linked video (https://youtu.be/hTsspH9hzec?t=432) and while it works, it requires the database to still be open to all Azure services, which seems to defeat the point of having it and an app service attached to the same vnet.
Is this supported in the UK yet? If not, is there a date for it?
Found a link:
Web Apps can be attached to a virtual network (with a private IP - and not using a VPN).
The Web App can talk to service endpoints via the virtual network (e.g. use Azure SQL database).
Preview in East US/North Europe
Worldwide by late October (no production workloads yet)
GA time frame not talked about
Can you please share the link to the new feature that enables the service endpoint for App Service?
Any link to the Ignite announcement regarding this?
Shahid Iqbal commented
I didn't see any announcement at Ignite. Or am I missing something?
Costa Christodoulou commented
Did anything get announced?
I am eagerly waiting for it.
Excellent news!! Will this feature allow outgoing WebApp traffic to be passed through a NVA with UDR rules?
Excellent!!! Have been getting around it by putting storage and sql in a different region than the app service and using public ip filtering.
Absolutely. Your own document describes the required setup as "This ON setting is probably more open than you want your SQL Database to be."
critical requirement to not open up SQL databases more than necessary
I too support the request to fix this issue.
I support the request to fix this issue.