How to best design secure network setup where ACI must write to SQL Server

Hi Dan

Thank you for the assistance. In answer to the question re the DNS, the configuration is:

Virtual Network: All resources are enclosed within a single virtual network, with specific subnets tailored for different purposes:

• SQL Subnet: This is exclusively for the Azure SQL Database.
• ACI Subnet: The Azure Container Instance (ACI) is hosted here. This container runs a Python application, which is designed to write data to the Azure SQL Database. It targets the database using its Fully Qualified Domain Name (FQDN), specifically arc-azure-postgresql-server.database.windows.net.
• Private Endpoint Subnet: Here, the private endpoint for the Azure SQL Database is provisioned.

Azure SQL Database Configuration: The database resides in its designated SQL Subnet and has a server name of arc-azure-sql-server. To enhance security and limit public access, we've connected this database to our VNet using a private endpoint situated in the Private Endpoint Subnet, making it accessible only from within the VNet. I've opted for Private Link as my preferred connectivity method, instead of service endpoints or public endpoints, to ensure private connectivity to the database. Azure Container Instance (ACI) Configuration: The container is hosted in the ACI Subnet and is configured to reach the Azure SQL Database by targeting its FQDN. Within the container environment variables, we have a DB_HOST that points to the SQL server's FQDN, which is expected to resolve to the private IP address of the SQL server due to our Private DNS setup. The container's application tries to communicate with the database over this private address. Private DNS Zone Integration: To ensure name resolution within the VNet, a Private DNS Zone for 'privatelink.database.windows.net' is set up. This DNS zone, associated with the primary virtual network, makes sure that any request to the SQL server's FQDN gets resolved to the private endpoint's IP address and not the public one.

With this architecture, my aim is for the ACI, residing in its dedicated subnet, to communicate securely with the Azure SQL Database via the private endpoint, with the Private DNS facilitating the correct name resolution. Should the Python app in the ACI trying to connect directly to arc-azure-sql-server.database.windows.net is correct given the private endpoint setup? Or should the connection string point somewhere else?

I haven't enabled the system-assigned managed identity on the ACI. I believe this could potentially be the next thing to explore, given your recommendation. I will proceed to enable it and then associate the identity with the SQL with the appropriate permissions.

Thanks for the information. Yes it should use the FQDN to communicate, then this will resolve to the private DNS zone A record that is setup for the private endpoint, and know where to route for the internal private address of the virtual network IP, so that is good.

I think once you have the ACI managed identity enabled, you can look to add the managed identity's application ID from the entra enterprise app IP with the role. Double check my post, I edited as I pasted incorrectly the SQL command but the link to the docs details it anyway.

Then it should work, although I'm not proficient my Python so you may need to tweak the connectivity mechanism in the Python to use the MSI auth to the FQDN for it to work. Take a look at this: https://video2.skills-academy.com/en-us/azure/app-service/tutorial-connect-msi-azure-database?tabs=postgresql%2Csystemassigned%2Cpython%2Cwindowsclient#3-modify-your-code

and: https://video2.skills-academy.com/en-us/python/api/overview/azure/identity-readme?view=azure-python

Under the Python tab, Azure Database for PostgreSQL you will see some sample code to configure it to use a managed identity, hope this helps.