Access Restrictions on Azure App API lead to slowness, timeouts, and high CPU usage

Vinson Yuen 121 Reputation points
2021-03-26T04:25:16.437+00:00

I have an API App on Azure that pulls data from an Azure SQL Server. I want to limit access to the API App to specific IP addresses. If I allow all traffic, I see no problems with the API App. When I add an "Allow" record in the Access restriction found under the networking protocol, Azure correctly blocks all other traffic from accessing the site but also causes extreme slowness and high CPU usage when called from the "Allowed" IP address. The lag/slowness/high CPU usage is so extreme it often crashes the application that is performing the API call. I've tried allowing 0.0.0.0/32 and the Azure SQL Gateways for my region (a list of IP addresses listed by Microsoft for outbound IP addresses with Azure databases) as well, thinking that the firewall/access restrictions could have inadvertently blocked legitimate SQL traffic, but the problem persists. I would prefer not to go down the rabbit hole of setting up a vNet at this time, as I'm not confident that would solve my problem.


Accepted answer
  1. Vinson Yuen 121 Reputation points
    2021-04-01T21:14:21.97+00:00

    After working with support to confirm my problem, I believe I've found a solution. Thank you @GitaraniSharma-MSFT for answering this question about Service Tags (https://video2.skills-academy.com/en-us/answers/questions/48025/questions-about-service-tags.html).

    The Access Restrictions were blocking inbound traffic from the Azure SQL Servers, causing timeouts and crashing my App API. Adding the SQL gateway IP addresses for the appropriate region did not help because the Web API is situated on the Azure network and does not need to go through the gateways (different IP, external vs. internal). I instead added an Access Restriction with type Service Tag: https://video2.skills-academy.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-tag-based-rule Each service tag represents a list of IP ranges from Azure services. I added AzureCloud, which is an available Service Tag and seems to cover ALL Azure products.
    Although SQL is a valid Service Tag, SQL was not deemed a common Service Tag and is not available in the drop-down. (Perhaps this could be added in the future, as it should be fairly common that an Azure Web API communicates with an Azure SQL Server.)

    Note: You must create a new access restriction and set the type to Service Tag. The Portal does not allow you to edit an existing Access Restriction from one type to another (e.g., IPv4 to Service Tag).

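An added example, not part of the original question or answer: a simplified model of how App Service access restriction rules are evaluated (ascending priority, first match wins, implicit deny once any rule exists), comparing the single-IP rule from the question with the AzureCloud service tag rule from the answer. The rule dictionaries, tag ranges and addresses are constructed placeholders (RFC 5737 documentation prefixes), not real Azure ranges or the portal's schema.

```python
import ipaddress

# Constructed stand-in for the published service tag ranges; these are
# documentation prefixes (RFC 5737), not real Azure address space.
SERVICE_TAGS = {
    "AzureCloud": ["198.51.100.0/24", "203.0.113.0/24"],
    "Sql": ["203.0.113.64/26"],
}

def expand(rule):
    """Return the networks a rule covers, resolving service tags."""
    if rule["type"] == "ServiceTag":
        prefixes = SERVICE_TAGS[rule["source"]]
    else:
        prefixes = [rule["source"]]
    return [ipaddress.ip_network(p) for p in prefixes]

def evaluate(rules, source_ip):
    """Return (action, rule name) for an inbound request.

    Rules are checked in ascending priority; the first match wins.
    Once any rule exists, unmatched traffic hits the implicit deny.
    """
    if not rules:
        return ("Allow", "no restrictions")
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if any(addr in net for net in expand(rule)):
            return (rule["action"], rule["name"])
    return ("Deny", "implicit deny all")

# Hypothetical rule sets: the single-IP allow from the question, then the
# same set with the service tag rule described in the answer.
ip_only = [{"name": "office", "type": "IPv4", "source": "192.0.2.10/32",
            "action": "Allow", "priority": 100}]
with_tag = ip_only + [{"name": "azure", "type": "ServiceTag",
                       "source": "AzureCloud", "action": "Allow",
                       "priority": 200}]

if __name__ == "__main__":
    # Compare the verdict for each source under both rule sets.
    for ip in ("192.0.2.10", "203.0.113.70", "198.51.100.5", "192.0.2.99"):
        print(ip, evaluate(ip_only, ip), evaluate(with_tag, ip))
```

In this model the AzureCloud rule admits every address in the tag, including 198.51.100.5, which lies outside the narrower Sql range, so the resulting allow list is worth reviewing against what the app actually needs to accept.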