I have a couple of questions about firewall rules ...
# azure
l
I have a couple of questions about firewall rules for Azure SQL Servers: 1. Per these docs: https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/firewallrule/ - is setting the "ServerName" property on the args object sufficient to "connect" the firewall rule to the desired Azure SQL Server instance? 2. Using Pulumi, how do I accomplish the equivalent of checking the "Allow Azure services and resources..." checkbox as seen in this Azure portal screenshot:
I'm successfully creating the "server" using this AzureNative type: https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/server/ ...
Now I need to allow an app service (also created via Pulumi) access to the Azure SQL server so it can establish a database connection. Any direct answers to my questions as well as any advice on best practice would be appreciated. Thanks.
c
Quick tip: When wondering how Azure does it, go to export template on an already deployed resource. The settings will then be there in JSON. resourceGroup and sqlServer are variables, replace as needed with your code.

```csharp
// Sql is an alias for Pulumi.AzureNative.Sql
new Sql.FirewallRuleArgs
{
    ResourceGroupName = resourceGroup,
    FirewallRuleName = "AllowAllWindowsAzureIps",
    ServerName = sqlServer.Name,
    StartIpAddress = "0.0.0.0",
    EndIpAddress = "0.0.0.0",
}
```
l
Thanks, that's what I've been doing. That, or `pulumi import` to a dummy stack.
I did get your code to work, so that's good. But the export template for the server, while it includes the "AllowAllWindowsAzureIps" firewall rule as a name, does not include the IP addresses, etc., themselves. I'd love to know where I can find those firewall rules as standalone objects within the Azure portal so that I can see what their full resource IDs are.
Really appreciate the reply. My app service is working. I am left wondering if there's a better / more rigorous way to configure the reachability. But this is for a dev environment, so it at least lets me keep moving forward.
c
If you want to restrict to your specific web app then you need to VNET integrate your app service. Then use service endpoint on the SQL firewall rule. As it is now any web app in all Azure can reach your SQL database.
l
Right. That's what I understood to be the case. So I'd love to do it "right", but given my novice status with Azure networking let alone with Pulumi to configure that, I'd definitely need to see some examples to clarify how all that works. If I understand right, that would also set me on a path to use AAD for permissions to the db from the app service rather than a connection string. Thanks again.
c
I haven't figured out the configuring of the Azure AD contained database user with pulumi yet. I manually go in after deployment, add the Azure AD user, and configure the permissions. I need to find time to try the sql provider listed the other day in the channel.
s
@clean-truck-93285 Here is a snippet for how we configure security for sqlserver
```csharp
using Sql = Pulumi.AzureNative.Sql;

// Configures an Azure AD group as the external (AAD) administrator of the SQL server.
new Sql.ServerArgs()
{
    Administrators = new Sql.Inputs.ServerExternalAdministratorArgs
    {
        AzureADOnlyAuthentication = false,
        PrincipalType = "Group",
        Sid = "SID of your AzureAD Group",
        TenantId = "Azure AD Tenant ID",
        Login = "Username in SQLServer",
    }
}
```