
Nerdio Help Center

Hardening the NMM install: SQL Server


Applies to: Nerdio Manager for MSP (NMM)


Nerdio Manager relies on communication between two Azure PaaS services: Azure App Service and Azure SQL Database. By default, this communication is encrypted in transit with Transport Layer Security (TLS), and data at rest is encrypted with Transparent Data Encryption (TDE).

To further protect the communication between the App Service instance and the SQL database, network traffic to the SQL Server can be restricted in two different ways, both detailed in this article.
  1. Add the App Service's outbound IP addresses to the Azure SQL Server's firewall. This method ensures that only requests originating from your NMM instance's outbound IPs can reach the server. Note the limitation: Azure App Service runs on shared infrastructure, so any other App Services deployed to the same scale unit as NMM share the same outbound IPs and would also pass this rule.
  2. Create an empty VNet, route traffic from the App Service through that VNet, and add an Azure SQL service endpoint to its subnet. Traffic to the SQL Server can then be restricted to the VNet only.


Restrict SQL traffic to App Service Outbound IPs

To restrict SQL traffic to the App Service's IP addresses, first discover the outbound IPs the app is using. This requires the Az PowerShell module:

# Sign in to Azure (Login-AzAccount is an alias of Connect-AzAccount)
Connect-AzAccount
# Comma-separated list of the outbound IPs currently used by the App Service
(Get-AzWebApp -ResourceGroupName <group_name> -Name <app_name>).OutboundIpAddresses

This returns several IPs associated with your NMM App Service. Outbound requests might come from any of the IPs shown, so every one of them needs a firewall rule.

In the Azure Portal, search for SQL Servers and locate the NMM SQL Server. Typically the name has the format sql-server-******. Select "Firewalls and virtual networks" in the left menu. Enter a rule for each IP address associated with your App Service. Set "Allow Azure services and resources to access this server" to "No." Note that the setting called "Deny public network access" should still be set to "No," because the App Service still connects through the server's public endpoint. Once you have entered the IPs, traffic to the SQL Server is restricted to those addresses. Click Save.
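The same procedure scripted end to end with the Az PowerShell modules, as an added example that is not part of the Nerdio article. It goes beyond the text in two ways: it uses PossibleOutboundIpAddresses (a superset of OutboundIpAddresses, so the rules survive the app moving within its scale unit) and it audits whatever rules remain afterwards. Resource group, app and server names are placeholders.

```powershell
# Added example, not from the Nerdio article. Requires Az.Accounts, Az.Websites and Az.Sql.
# All names below are placeholders; replace them with your own.
$AppResourceGroup = '<app_group_name>'
$AppName          = '<app_name>'
$SqlResourceGroup = '<sql_group_name>'
$SqlServerName    = '<sql-server-xxxxxx>'   # NMM SQL Server, typically named sql-server-******

Connect-AzAccount | Out-Null

# PossibleOutboundIpAddresses covers every IP the app may use in its scale unit,
# not only the ones in use right now.
$app    = Get-AzWebApp -ResourceGroupName $AppResourceGroup -Name $AppName
$appIps = $app.PossibleOutboundIpAddresses -split ',' | Where-Object { $_ } | Sort-Object -Unique

foreach ($ip in $appIps) {
    $ruleName = 'nmm-app-' + ($ip -replace '\.', '-')
    $existing = Get-AzSqlServerFirewallRule -ResourceGroupName $SqlResourceGroup `
        -ServerName $SqlServerName -FirewallRuleName $ruleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        # One single-address rule per outbound IP (start = end), never a range.
        New-AzSqlServerFirewallRule -ResourceGroupName $SqlResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName $ruleName -StartIpAddress $ip -EndIpAddress $ip | Out-Null
    }
}

# "Allow Azure services and resources to access this server" = No.
# The portal toggle is the special rule AllowAllWindowsAzureIps (0.0.0.0-0.0.0.0); remove it.
Remove-AzSqlServerFirewallRule -ResourceGroupName $SqlResourceGroup -ServerName $SqlServerName `
    -FirewallRuleName 'AllowAllWindowsAzureIps' -Confirm:$false -ErrorAction SilentlyContinue | Out-Null

# "Deny public network access" must stay No: the app still reaches the server's public endpoint.
Set-AzSqlServer -ResourceGroupName $SqlResourceGroup -ServerName $SqlServerName `
    -PublicNetworkAccess 'Enabled' | Out-Null

# Audit: flag any remaining rule that is not exactly one of the App Service outbound IPs
# (address ranges, 0.0.0.0 entries, stale rules from earlier deployments).
$rules = Get-AzSqlServerFirewallRule -ResourceGroupName $SqlResourceGroup -ServerName $SqlServerName
foreach ($r in $rules) {
    $single = $r.StartIpAddress -eq $r.EndIpAddress
    $known  = $appIps -contains $r.StartIpAddress
    if (-not ($single -and $known)) {
        Write-Warning "Review rule '$($r.FirewallRuleName)': $($r.StartIpAddress)-$($r.EndIpAddress) is not an App Service outbound IP"
    }
}
```

Re-run the script after any scale operation on the App Service plan, since the possible outbound IP set can change.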


Routing App Service Traffic through a VNet

If restricting traffic to your App Service's outbound IPs is not adequate for your security needs, you can route all App Service traffic through a VNet and restrict SQL traffic to that VNet.

Create a new VNet in Azure. No resources will be hosted in this VNet, so the address range can be as small as /28, enough to accommodate a single subnet.


Create a subnet at the same time. It can be as small as /29. Add the Microsoft.Sql service endpoint to this subnet.


Click Review and Create, then create the VNet.


In the Azure Portal, find and select your App Service. In the left menu, select Networking. Under VNet Integration, click "Click here to configure."


Under VNet Configuration, click Add VNet. Select the VNet and subnet you created previously and click OK.


In the Azure Portal, search for SQL Servers and locate the NMM SQL Server. Typically the name has the format sql-server-******. In the left menu, select "Firewalls and virtual networks." Click "Add existing virtual network." Select the VNet and subnet you created previously and click OK.


Additionally, in the "Firewalls and virtual networks" settings, set "Allow Azure services and resources to access this server" to "No." Note that the setting called "Deny public network access" should still be set to "No." Traffic from the NMM App Service now routes through your virtual network to the SQL service endpoint, and only traffic from that virtual network is allowed to connect to the database. If you had previously added outbound IP rules from the first method, they are no longer needed and can be removed.
