How to secure access from App Service To Azure Sql Database using virtual network?

If you want to lock down access from your app to a service such as Azure SQL, Storage, Cosmos DB, etc. with service endpoints, you can use the new VNet Integration feature. The earlier form of the feature requires a gateway and builds on point-to-site VPN. The source IP from your app will be one of the point-to-site addresses. Service endpoints only work if your source IP is one of the VNet addresses.

With the new VNet Integration, your app backend will make calls with IPs in the selected subnet. That means you can set service endpoints on that subnet.

This is not to be confused with service endpoints TO your app. That is the recently released capability to lock traffic to your app down to selected VNet/subnets.

I believe Azure has now included support for your scenario, allowing connections like this one Web App <---> VNET <---> SQL server, contrary to @Waine Yang's response. I've just configured my Azure Functions to talk through a private VNET to a SQL Server only accessible via that VNET.

Now, when you try to set up VNET integration in your App Service, Azure displays the following message (notice it also says "or through your Azure VNET"):

Here is an example on how to create it using Terraform:
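The setup described in this thread (regional VNet integration on a delegated subnet, a Microsoft.Sql service endpoint on that subnet, and a SQL virtual network rule so only that subnet passes the server firewall), written up as an added Terraform example; this is not the answer author's configuration. It assumes the azurerm provider 3.x, a web app `azurerm_linux_web_app.app` and a sensitive variable `var.sql_admin_password` declared elsewhere, and all names and address ranges are placeholders.

```hcl
resource "azurerm_resource_group" "rg" {
  name     = "rg-app-sql-demo"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-app"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Subnet the app egresses from: delegated to Microsoft.Web, with the Microsoft.Sql
# service endpoint so SQL sees the traffic as coming from this subnet's addresses.
resource "azurerm_subnet" "integration" {
  name                 = "snet-app-integration"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
  service_endpoints    = ["Microsoft.Sql"]
  delegation {
    name = "appservice"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Regional VNet integration: outbound calls from the app use IPs from the subnet.
resource "azurerm_app_service_virtual_network_swift_connection" "vnet_integration" {
  app_service_id = azurerm_linux_web_app.app.id # assumed: web app defined elsewhere
  subnet_id      = azurerm_subnet.integration.id
}

resource "azurerm_mssql_server" "sql" {
  name                         = "sql-app-demo-placeholder"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password # assumed variable; never hard-code
}

# Firewall rule scoped to the integration subnet only; no "allow all Azure" or 0.0.0.0 rule.
resource "azurerm_mssql_virtual_network_rule" "allow_app_subnet" {
  name      = "allow-app-integration-subnet"
  server_id = azurerm_mssql_server.sql.id
  subnet_id = azurerm_subnet.integration.id
}
```

After `terraform apply`, a connection attempt from outside the subnet (for example from a developer workstation) should be refused by the SQL firewall, which is the check that the lock-down actually took effect.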