Multi-region web app security & private connectivity to DB in Azure
This article explains a highly available solution in Azure for a web app with private connectivity to a SQL server. In modern development practice, we keep the presentation layer separate from the backend APIs. We make the presentation web app available to users and keep the backend APIs secured; the API usually checks for an authentication token and, based on that token, allows the caller to consume the APIs.
If the API is consumed only by the presentation web app, we can further improve security by allowing network traffic only from the presentation web app and blocking traffic from all other IP addresses.
In this article, we’ll see how to allow only the presentation web app to consume the API web app, and how to let the API app connect to the database over a private endpoint.
Use case
This solution has applications deployed in multiple regions and a SQL DB with failover configuration. Using a multi-region web app deployment where the two regions run either in active-active or in active-passive mode, together with a failover DB configuration, we can achieve the following:
· The web apps in both regions connect to either the primary or the secondary region database while maintaining private connectivity.
This arrangement is useful in case of a partial or complete region failure, since the other region’s connectivity remains in place.
Architecture
Traffic flow
1. Azure Front Door routes requests from the internet to the presentation web app in either region, which connects to the API web app in the same region.
2. By using Azure App Service regional VNET Integration, both the web apps connect to a delegated subnet named AppSvcSubnet in Azure Virtual Network.
3. Azure Private Link sets up a private endpoint for the Azure SQL Database in a virtual network subnet named PrivateLinkSubnet. The web apps connect to this private endpoint.
4. The database firewall only lets in traffic coming from the PrivateLinkSubnet private endpoint.
The database is inaccessible from the public internet. Only components inside or connected to the virtual network can reach the database.
Configuration steps
For the web app to work with Azure DNS private zones, we use App Service VNet integration. When the web app and database run in the same region, the configuration is straightforward. For cross-region connectivity, we need a separate private endpoint to reach the other region’s database. In this configuration, we’ll assign two private endpoints to each region’s database (one in each region’s VNet) to achieve cross-region connectivity. To set up this security configuration, we need to perform the steps below.
Create VNET in Primary region
1. Create a VNET “primary-vnet” in your primary region by selecting the resource group of the primary region.
2. Add the IP range 10.1.0.0/16
3. Add 2 subnets
a. PrivateLinkSubnet with the range 10.1.1.0/24
b. AppSvcSubnet with the range 10.1.2.0/24
Create VNET in Secondary region
Because of the multi-region deployment, we also need to create a VNET in the secondary region. In this region, we’ll use an IP range different from the primary region to avoid confusion (overlapping address spaces would also prevent the two VNets from ever being peered).
1. Create a VNET “secondary-vnet” in the secondary region by selecting the resource group of the secondary region.
2. Add the IP range 10.2.0.0/16
3. Add 2 subnets
a. PrivateLinkSubnet with the range 10.2.1.0/24
b. AppSvcSubnet with the range 10.2.2.0/24
Create Private End Point for Primary region DB
1. In Azure portal, navigate to Primary region DB server
2. Select “Private endpoint connections” available under Security section in left navigation panel
3. Click on “Add private endpoint”
4. Enter the basic details by selecting the appropriate resource group and region
5. For Resource type select Microsoft.Sql/servers, for Resource select the logical SQL Server to expose, and for Target sub-resource select sqlServer.
6. On the Configuration page, select Integrate with private DNS zone, which will register the database server’s private IP address in the privatelink.database.windows.net private Azure DNS zone.
7. Review and create the private endpoint
Create Private End Point for Secondary region DB
1. In Azure portal, navigate to Secondary region DB server
2. Select “Private endpoint connections” under Security section in left navigation panel
3. Click on “Add private endpoint”
4. Enter the basic details by selecting the appropriate resource group and region
5. For Resource type select Microsoft.Sql/servers, for Resource select the logical SQL Server to expose, and for Target sub-resource select sqlServer.
6. On the Configuration page, select Integrate with private DNS zone, which will register the database server’s private IP address in the privatelink.database.windows.net private Azure DNS zone.
7. Review and create the private endpoint
Enable VNET integration with Web App (API) of Primary region
1. In the Azure portal, go to API Web App and select “Networking” section under “Settings” in left navigation panel
2. On the Networking page, under VNet Integration, select Click here to configure
3. On the VNet Integration page, select Add VNet
4. On the Network Feature Status page, under Virtual Network, select your Virtual Network from the dropdown. Under Subnet, select Select existing, and then select AppSvcSubnet from the dropdown. Click on OK.
5. The VNet Integration page now shows the Virtual Network configuration details.
6. In the web app’s left navigation, under Settings, select Configuration, and select New application setting
7. On the Add/Edit application setting page, under Name enter WEBSITE_VNET_ROUTE_ALL, under Value enter 1, and click on OK
8. On the Application settings page, select New application setting again. On the Add/Edit application setting page, under Name enter WEBSITE_DNS_SERVER, and under Value enter 168.63.129.16. Click on OK
9. At the top of the Application settings page, select Save, and then select Continue.
10. After this, our API web app should be able to connect to the DB over the private endpoint. To validate, set the database firewall to Deny public network access; if the app still works, traffic is flowing only over the private endpoint.
Allow Primary Web App (Application) to connect to Web App (API) securely
The configuration above lets the API web app connect to the DB over a private endpoint. We also need to secure the connectivity between the front-end web app and the API web app, by integrating the front-end app with the VNET and restricting the API app’s network access using an access restriction rule.
After setting this restriction, the APIs can be accessed only through our front-end web app.
1. In the Azure portal, open the front-end web app. Go to “Networking” and add the VNET of the same region
2. In the Azure portal, open the API web app. Go to “Networking” and add an “Access Restriction” rule by selecting the appropriate virtual network.
After this configuration, the API web app allows traffic only from the VNET; adding an Allow rule causes App Service to apply an implicit deny-all rule behind it, so no public access should remain.
Repeat the VNET integration steps to configure the secondary region VNET with the secondary region web apps. Also configure the access restriction for the secondary region using the steps above.
After performing these steps, we have two regions working independently, where each region’s web app connects to the same-region DB.
In our case, only one region’s DB acts as the read/write endpoint and the other works as a read-only endpoint. We now need to establish cross-region DB connectivity so that the API web apps in both regions can connect to the DB that holds the read/write endpoint. This is required for seamless connectivity to the DB in case of DB failover.
Add Private Endpoint for Primary region DB in Secondary region
1. Log in to the Azure portal and go to the Primary region DB
2. Select “Private endpoint connections” under “Security” in left navigation panel
3. Click on Add
4. Since we need to establish connectivity from the secondary region VNET, select the Secondary region resource group
5. Provide a meaningful name and click on “Resource”
6. Select the resource type as “Microsoft.Sql/servers”
7. Select the Primary region DB as “Resource” and “sub-resource” as sqlServer
8. On Configuration screen, select the secondary region Virtual Network and “PrivateLinkSubnet” in Subnet field
9. Select “Integrate with private DNS zone”
10. Click on “Review + create” and create the private link
We need to repeat the same steps to create an additional private endpoint for the secondary region DB, this time selecting the Primary region resource group and the primary region Virtual Network.
After performing the above steps for both DBs, the following entries are created in the “Private DNS Zone”:
1. In the primary region, sql-secondary to 10.1.1.5
2. In the secondary region, sql-primary to 10.2.1.5
Once we have this configuration, both regions can connect to both databases over their private endpoints. Both apps should continue to function even if the database fails over to the other region.
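The whole procedure above (VNETs and subnets, same-region and cross-region private endpoints, VNet integration with the two app settings, the access restriction on the API app, and the final deny-public-access check) can be scripted with the Azure CLI. The script below is an added example and is not from the original article; the VNET, subnet, CIDR, server and app-setting names come from the article, while the resource group, location, web app and SQL server names and the subscription id are assumptions. It defaults to DRY_RUN=1, which prints every az command instead of executing it, so the plan can be reviewed before it touches a subscription.

```bash
#!/usr/bin/env bash
# Added example (not the article's own code): Azure CLI equivalent of the portal steps.
# Resource groups, locations, app/server names and the subscription id are assumptions.
# DRY_RUN=1 (default) prints each az command; DRY_RUN=0 executes it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SUB="${AZURE_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
RG_PRIMARY="rg-primary";     LOC_PRIMARY="eastus"    # assumed
RG_SECONDARY="rg-secondary"; LOC_SECONDARY="westus"  # assumed
DNS_ZONE="privatelink.database.windows.net"           # zone named in the article

run() {  # print the az command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

sql_id() {  # ARM resource id of a logical SQL server: sql_id <rg> <server>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s' "$SUB" "$1" "$2"
}

# create_region_network <rg> <location> <vnet> <vnet-cidr> <privatelink-cidr> <appsvc-cidr>
create_region_network() {
  run az network vnet create -g "$1" -l "$2" -n "$3" --address-prefix "$4" \
    --subnet-name PrivateLinkSubnet --subnet-prefix "$5"
  # Private endpoints require network policies to be disabled on their subnet.
  run az network vnet subnet update -g "$1" --vnet-name "$3" -n PrivateLinkSubnet \
    --private-endpoint-network-policies Disabled
  # Regional VNet integration needs a subnet delegated to Microsoft.Web/serverFarms;
  # the Microsoft.Web service endpoint is what a VNet-based access restriction matches on.
  run az network vnet subnet create -g "$1" --vnet-name "$3" -n AppSvcSubnet \
    --address-prefixes "$6" --delegations Microsoft.Web/serverFarms --service-endpoints Microsoft.Web
  # One private DNS zone per region, linked to that region's VNet.
  run az network private-dns zone create -g "$1" -n "$DNS_ZONE"
  run az network private-dns link vnet create -g "$1" -z "$DNS_ZONE" -n "$3-link" -v "$3" -e false
}

# create_sql_private_endpoint <rg> <location> <endpoint-name> <vnet> <sql-server-id>
# The server may live in the other region; that is what provides cross-region connectivity.
create_sql_private_endpoint() {
  run az network private-endpoint create -g "$1" -l "$2" -n "$3" --vnet-name "$4" \
    --subnet PrivateLinkSubnet --private-connection-resource-id "$5" \
    --group-id sqlServer --connection-name "$3-conn"
  # Registers the server's private IP in the region's zone ("Integrate with private DNS zone" in the portal).
  run az network private-endpoint dns-zone-group create -g "$1" --endpoint-name "$3" \
    -n default --private-dns-zone "$DNS_ZONE" --zone-name sql
}

# integrate_app <rg> <webapp> <vnet>: VNet integration plus the two app settings from the article.
# Route-all is also what sends the front-end's calls to the API through the VNet.
integrate_app() {
  run az webapp vnet-integration add -g "$1" -n "$2" --vnet "$3" --subnet AppSvcSubnet
  run az webapp config appsettings set -g "$1" -n "$2" \
    --settings WEBSITE_VNET_ROUTE_ALL=1 WEBSITE_DNS_SERVER=168.63.129.16
}

# restrict_api_to_vnet <rg> <api-app> <vnet>: one Allow rule for AppSvcSubnet; App Service
# adds an implicit deny-all behind it, so only the integrated front-end reaches the API.
restrict_api_to_vnet() {
  run az webapp config access-restriction add -g "$1" -n "$2" --rule-name AllowAppSvcSubnet \
    --action Allow --vnet-name "$3" --subnet AppSvcSubnet --priority 100
}

# deny_public_sql <rg> <server>: the validation step, traffic must now use the private endpoint
deny_public_sql() {
  run az sql server update -g "$1" -n "$2" --enable-public-network false
}

deploy() {
  create_region_network "$RG_PRIMARY"   "$LOC_PRIMARY"   primary-vnet   10.1.0.0/16 10.1.1.0/24 10.1.2.0/24
  create_region_network "$RG_SECONDARY" "$LOC_SECONDARY" secondary-vnet 10.2.0.0/16 10.2.1.0/24 10.2.2.0/24
  # Same-region endpoints
  create_sql_private_endpoint "$RG_PRIMARY"   "$LOC_PRIMARY"   pe-sql-primary   primary-vnet   "$(sql_id "$RG_PRIMARY" sql-primary)"
  create_sql_private_endpoint "$RG_SECONDARY" "$LOC_SECONDARY" pe-sql-secondary secondary-vnet "$(sql_id "$RG_SECONDARY" sql-secondary)"
  # Cross-region endpoints: each VNet also gets an endpoint to the other region's server
  create_sql_private_endpoint "$RG_SECONDARY" "$LOC_SECONDARY" pe-sql-primary-x   secondary-vnet "$(sql_id "$RG_PRIMARY" sql-primary)"
  create_sql_private_endpoint "$RG_PRIMARY"   "$LOC_PRIMARY"   pe-sql-secondary-x primary-vnet   "$(sql_id "$RG_SECONDARY" sql-secondary)"
  # Web apps (names assumed): front-end and API in each region, API locked to its VNet
  integrate_app        "$RG_PRIMARY"   app-frontend-primary   primary-vnet
  integrate_app        "$RG_PRIMARY"   app-api-primary        primary-vnet
  restrict_api_to_vnet "$RG_PRIMARY"   app-api-primary        primary-vnet
  integrate_app        "$RG_SECONDARY" app-frontend-secondary secondary-vnet
  integrate_app        "$RG_SECONDARY" app-api-secondary      secondary-vnet
  restrict_api_to_vnet "$RG_SECONDARY" app-api-secondary      secondary-vnet
  deny_public_sql "$RG_PRIMARY"   sql-primary
  deny_public_sql "$RG_SECONDARY" sql-secondary
}

deploy
```

Run it once with the default DRY_RUN=1 and review the printed plan; the four private-endpoint commands (two same-region, two cross-region) and the two deny-public-network commands are the lines worth checking before switching to DRY_RUN=0 with a real AZURE_SUBSCRIPTION_ID. Flag names reflect the azure-cli syntax the author of this example is aware of; older CLI releases spell the subnet policy flag as --disable-private-endpoint-network-policies true.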
Summary
The following scenarios are achieved in this article.
1. Azure Front Door routes the traffic to Primary region Web App which connects to primary region DB over private endpoint
2. Azure Front Door routes traffic to Primary region Web App which connects to Secondary region DB over private endpoint in case of DB failover
3. Azure Front Door routes traffic to Secondary region Web App which connects to Primary region DB over private endpoint
4. Azure Front Door routes traffic to Secondary region Web App which connects to Secondary region DB over private endpoint in case of DB failover