In the Limitations section the first point is _"A Web App can be mapped to a private IP in a VNet/subnet. Even if service endpoints are turned ON from the given VNet/subnet, connections from the Web App to the server will have an Azure public IP source, not a VNet/subnet source. To enable connectivity from a Web App to a server that has VNet firewall rules, you must Allow Azure services to access server on the server."_ Doesn't this mean that the very elaborate way of securing a sql server in a vnet is useless if I'm always forced to turn on "Allow access from azure services" so that it can be accessed from a web app? Which then means that the sql server is vulnerable from other azure services. Or have I misunderstood?
@pmcilreavy We are looking into this and we will get back to you.
@pmcilreavy your feedback is valid. VNet firewall rules work well to limit traffic that is coming from a particular VNet/subnet. However, there are exceptions to this, i.e. services like Web App or Power BI that are not in a VNet cannot take advantage of this feature.
@rohitnayakmsft Just want to be clear that the web app is in a vnet. It's just that the traffic from the web app to the azure db _always_ arrives via the web app's public ip. I guess there is some technical reason that the traffic from the vnet'd web app can't present as the private vnet ip when it arrives at the azure db? and hence the limitation? Is this limitation likely to be resolved?
AFAIK Web Apps has two deployment models: ASE and vnet integrated Web App. ASE is vnet injected so Vnet Firewall Rules should work & your comment above should be applicable only to "vnet integrated Web App". Is that correct?
@rohitnayakmsft ASE is another way to isolate resources (including Web Apps) in a vnet but from what I can see it is a _heavyweight_ and _costly_ solution. It provides true physical isolation which for my project is overkill.
I'm just trying to understand the value proposition of regular vnets. Perhaps if I didn't have a Web App and my vnet was comprised solely of VMs and Db then it would provide the isolation I'm looking for. But it seems that as soon as you introduce a Web App into the solution this then forces the Db to have to enable "Allow Azure services to access server on the server" which really renders the vnet useless - or at least severely compromises the integrity of it.
To summarise. If I have 3 environments DEV, UAT, PROD and the solution is comprised of a Web App, a Db and a VM; there seems to be no point in trying to isolate them in their own vnet as due to the _above_ limitation the Db _has_ to be exposed outside of the vnet, and therefore becomes reachable by other Azure services. So there'd be nothing to stop the DEV Web App being able to access the PROD Db.
@NavtejSaini-MSFT please reassign this item to Azure Web Apps team for comment on the above limitation called out by @pmcilreavy
@pmcilreavy Please find the additional information regarding Web App and VNet integration.
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Azure SQL DB (PaaS) is currently going to publish with a public IP. Adding a Vnet to an Azure SQL DB does not give it any private service endpoint. There is a feature request to allow adding a Vnet that will provide a private IP mapping.
@ccompy Can you please help us out, as @rohitnayakmsft is requesting an engineer from the WebApps team to look into the user's comment and respond with your insights and guidance.
Hi @pmcilreavy I was also working on this issue. I am from Microsoft CSS Azure Web Apps Team.
I have set up a repro where my Web App is in a VNET (new Regional VNET) and Azure SQL DB is configured as a service endpoint. Only the subnet of the Web App is allowed to access Azure SQL DB in the firewall.
I am able to connect without issues, I have confirmed with Azure SQL team that the IP hitting them is private IP.
I believe the above document needs to be updated?
@abhilashmk does this mean we can delete the above sentence from limitations now? i.e. any Web App will connect over SE (when it is enabled) and the customer can then set Allow Azure Services to OFF. Please confirm and I can update the doc accordingly.
Interesting timing, I opened a support ticket just yesterday because our Web App to Azure SQL Database connectivity suddenly broke unexpectedly. We had been using the configuration that @abhilashmk describes above with great success for the past couple of months. There were no configuration changes made by us leading up to this breaking. Happened at around 2019-08-24 UTC5:00. Ticket number: 119082423000048
Yes @rohitnayakmsft, the customer can set 'Allow Azure Services to OFF'; they can use Azure SQL as SE and allow only the Web App VNET to access the DB. Please go ahead and update the document.
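The posture confirmed in this thread (service endpoint on the Web App subnet, a VNet rule on the server, "Allow Azure services" OFF) can be audited from the server's rule lists. The following is an added example, not code from this thread or from Microsoft; the sample rule lists are constructed and only shaped like the JSON that `az sql server firewall-rule list` and `az sql server vnet-rule list` return (the field names and the subnet resource ID are assumptions). It flags the `0.0.0.0-0.0.0.0` rule that the "Allow Azure services" toggle creates, any over-wide public range, and a missing VNet rule for the Web App subnet.

```python
import ipaddress
import json

# Constructed sample shaped like `az sql server firewall-rule list -o json`.
# The 0.0.0.0-0.0.0.0 rule is what "Allow Azure services to access server" creates.
FIREWALL_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "too-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"}
]"""
# Same server after remediation: toggle OFF, wide range narrowed to one address.
HARDENED_FIREWALL_RULES_JSON = """[
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "partner", "startIpAddress": "198.51.100.7", "endIpAddress": "198.51.100.7"}
]"""
# Constructed sample shaped like `az sql server vnet-rule list -o json` (assumed fields).
PROD_WEBAPP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                      "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-webapp")
VNET_RULES_JSON = json.dumps([
    {"name": "webapp-prod", "state": "Ready", "virtualNetworkSubnetId": PROD_WEBAPP_SUBNET}
])

AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")


def audit_sql_network_rules(firewall_json, vnet_json, required_subnet_id, max_range=16):
    """Return a list of findings; an empty list means the server only admits
    the Web App subnet over its service endpoint plus narrow public allow-lists."""
    findings = []
    for rule in json.loads(firewall_json):
        start, end = rule["startIpAddress"], rule["endIpAddress"]
        if (start, end) == AZURE_SERVICES_RULE:
            findings.append(f"{rule['name']}: 'Allow Azure services' is ON; "
                            "reachable from any Azure tenant, not just this VNet")
            continue
        size = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
        if size > max_range:
            findings.append(f"{rule['name']}: public range of {size} addresses exceeds {max_range}")
    ready = [r for r in json.loads(vnet_json) if r.get("state") == "Ready"]
    if not any(r["virtualNetworkSubnetId"].lower() == required_subnet_id.lower() for r in ready):
        findings.append(f"no Ready VNet rule for subnet {required_subnet_id}")
    return findings


if __name__ == "__main__":
    for line in audit_sql_network_rules(FIREWALL_RULES_JSON, VNET_RULES_JSON, PROD_WEBAPP_SUBNET):
        print("FINDING:", line)
```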
@SaltyDH took a look at the Support case and the connection time out might be a little different issue here. If the issue was with the firewall, we would see an error something like client with IP 'x.x.x.x' not allowed to access the DB. I will connect with the case owner and we can continue troubleshooting this issue on the support case.
@rohitnayakmsft Can this edit be made to the document. Please let us know if any other information is required in this regard.
Deleted the section from docs and submitted change as part of PR https://github.com/MicrosoftDocs/azure-docs-pr/pull/87328
@pmcilreavy The section has been deleted. We are going ahead and closing this issue. Please get back to us if you have any other question.
Hi @rohitnayakmsft, what do we need to do if we want Power BI service to access Azure SQL DBs without enabling "Allow Azure services to access server on the server"? I understand that we can go for On_Prem Data gateway in one of the VMs in the VNet and then enable Virtual Network rule. Please suggest some other alternative if any.
From the VM you can use Private Link to SQL Db and thus connect over Private IP without having to set Allow Azure Services to On.