azure web app dmz to SQL VM

prasantc 876 Reputation points
2020-10-07T00:19:48.943+00:00

WE setup the azure DMZ using ASP and vnet integration on separate subnet and vnet address space. Looking at the current on prem DMZ web we had iis virtual directory calling SQL db referece, it was easy to isolate traffic with on prem firewall. On azure we do not have NVA on hub vnet.

To fix the issue I am planning to peer vnet from DMZ to SQL VM which is not good security but may temporarily get me going if I use NSG on each subnet on SQL to deny all traffic from DMZ accept from DMZ https/SQL (443/1433)
This is the only we to get the Azure sites up and running next week deadline and plan on NVA few months down the line.

How much of security I am exposing advertising route among the peer from DMZ to SQL?

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,267 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,284 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2020-10-16T16:34:35.953+00:00

    If you are using NSGs to only allow traffic from your database from the Web VMs, then you are in line for security best practices. Your SQL ports will not be open to the internet, and will only be able to receive expected requests from your web VMs.

    I would double check that your SQL server is not open to the internet via port 1433 via public IPs as well.

    0 comments