How to whitelist the Function app in Azure SQL Database


Question

I need to configure Azure SQL Database firewall settings so that it can only be accessed by my Azure Function app. The problem is I'm running the app in a consumption plan, and as far as I know, the outbound IP address(es) can change even when I don't take any actions.

Is there a way to whitelist the app so that I protect the database from unwanted connections?

I thought of whitelisting by Azure region since everything is hosted in the same region, but then how do I guard against other apps in the same region? That's why I'm thinking of using specific IP addresses. My only concern with this approach is that I don't know whether other function apps can share the same outbound IP addresses as my own.

P.S. Currently, my firewall settings deny public network access and allow Azure services to connect only.

Solution

There are several ways to achieve this.

You may want to integrate a VNet or get static IP addresses for your Azure Functions.

[image not reproduced] Image from: https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options

However, from what I've seen in your comments, you don't want to go with the premium plan.

The last thing I can suggest is implementing Managed Service Identity.

The idea behind this is that, instead of connecting to the database with a connection string, you connect to the database with the access token that you are granted. You can't get the access token if you are not in the same identity.

This tutorial explains the general idea with App Service: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi

and this tutorial pretty much covers what you really want to achieve.

https://www.azurecorner.com/using-managed-service-identity-in-azure-functions-to-access-azure-sql-database/

Good luck!
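The managed-identity approach described in this answer, as an added example that is not code from the original answer or from either linked tutorial: a Python Azure Function helper that acquires a token for the function app's identity and hands it to the ODBC driver, so the app stores no password and the database accepts only that identity. It assumes the `azure-identity` and `pyodbc` packages, ODBC Driver 17, a system-assigned identity on the function app, and that a database user for that identity has been created (the function app name `my-function-app` below is a placeholder).

```python
"""
Connect an Azure Function to Azure SQL with its managed identity.

Assumed one-time setup, run on the target database by its Azure AD admin
(the user name must equal the function app's name):

    CREATE USER [my-function-app] FROM EXTERNAL PROVIDER;
    ALTER ROLE db_datareader ADD MEMBER [my-function-app];

Grant only the role the function actually needs.
"""
import struct

# ODBC connection attribute for passing an Azure AD access token
# (SQL_COPT_SS_ACCESS_TOKEN in the Microsoft ODBC driver headers).
SQL_COPT_SS_ACCESS_TOKEN = 1256
# Token audience for Azure SQL Database.
SQL_SCOPE = "https://database.windows.net/.default"


def build_token_struct(access_token: str) -> bytes:
    """Pack the token as the ODBC driver expects it:
    a 4-byte little-endian length followed by the token in UTF-16-LE."""
    token_bytes = access_token.encode("utf-16-le")
    return struct.pack("<i", len(token_bytes)) + token_bytes


def connection_string(server: str, database: str) -> str:
    """No user, password or AAD settings: authentication comes from the token."""
    return (
        "Driver={ODBC Driver 17 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};Encrypt=yes;"
    )


def connect_with_managed_identity(server: str, database: str):
    """Acquire a token for the function app's identity and open a connection."""
    # Imported here so the pure helpers above work without the Azure SDK installed.
    from azure.identity import DefaultAzureCredential
    import pyodbc

    # Inside the function app this resolves to the managed identity; the token
    # cannot be obtained by another app, even one with the same outbound IP.
    token = DefaultAzureCredential().get_token(SQL_SCOPE).token
    return pyodbc.connect(
        connection_string(server, database),
        attrs_before={SQL_COPT_SS_ACCESS_TOKEN: build_token_struct(token)},
    )
```

Combined with the existing firewall setting (public access denied), the database then rejects any caller that cannot present a token for this identity, which is what the IP-based whitelist was trying to approximate.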

