Action recommended: Allow communication with existing Azure SQL Database gateways by 15 September 2020

Behdad 126

Hi,

I have received and email with the title:

Action recommended: Allow communication with existing Azure SQL Database gateways by 15 September 2020

And the body says:

Update your network configuration to allow communication with existing Azure SQL Database gateways by 15 September 2020
You're receiving this email because you use Azure SQL Database.
To improve performance and reduce login latency, existing SQL Database gateways in your regions will begin accepting traffic on 15 September 2020:
• Australia Southeast
• Central US
• East Asia
• East US
• East US 2
• France Central
• Japan West
• North Central US
• Southeast Asia
• West US
As a result, the public IP addresses of your SQL databases may change.
Recommended action
To avoid service disruptions, update your network configuration to allow communication with existing SQL Database gateways in your regions by 15 September 2020:

[table with region IP addresses]

Now I have got a web app and an SQL database where the web app uses the connection string to communicate with the database.

Do I need to do anything for September? Does this apply to my site?

Thank you for guidance.
Behdad.

Chua Khoon Yong 46 Reputation points

2020-08-17T00:47:28.397+00:00

Any updates, i think many of us are confused by this.
Thanks.
Navtej Singh Saini 4,216 Reputation points Microsoft Employee

2020-08-17T19:48:57.127+00:00

Our Product Team has further replied on this thread with more information - https://learn.microsoft.com/en-us/answers/questions/68419/index.html

Please do follow for more questions.

Regards
Navtej S
Chua Khoon Yong 46 Reputation points

2020-08-20T06:03:17.073+00:00

My connection string is using xx.database.windows.net, and inside Azure VM. Am I affected?
Thanks.

Accepted answer

Pranesh Sathyanarayan 191 Reputation points

2020-08-21T07:44:00.873+00:00
As a conclusive answer to this:

Ensure connection policy is set to default (redirect), check it at Firewalls and virtual networks setting in Az SQL DB.

Use service tag for SQL in nsg rule , same applies in case of app service inetgrated with vnet.

If you have a JDBC connection string, ensure correct version of driver.

Do not hardcode IP addresses in your on-premise firewall, use domain based rule: "*.database.windows.net" on port 1433.

IF you have enabled service endpoint for subnet, then ensure the members of subnet can still contact gateway using NSG rules.

If zone redundant configuration is used, then make sure all three gateway rings have NSG rule based access.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

Navtej Singh Saini 4,216 Reputation points Microsoft Employee

2020-08-17T02:37:36.717+00:00

@Behdad

These are gateway changes to the Azure SQL and first you need to check if you are affected all or not.

Here is the document which explains what is going to change, How to check if you are affected and changes you need to do if you are.

Gateway Migration

Also see the previous question asked about this here.

If you have any further questions we would be happy to check with the team handling this.

Thank
Navtej S
Please sign in to rate this answer.
nskh 6 Reputation points

2020-08-17T03:01:51.897+00:00

@Navtej Singh Saini
In my understanding, if the "Allow Azure services and resources to access this server" in Firewall settings is true,
we don't have to do anything, right?

Pranesh Sathyanarayan 191 Reputation points

2020-08-17T17:39:10.89+00:00

"Allow Azure services and resources to access this server" is explained in below article:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/130769ba-ea5f-40c8-bbba-0051536c43af/what-means-allow-azure-services-and-resources-to-access-this-server

What we are talking about is at https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture

So we are talking about is "Gateway" and not any server firewall rules

Behdad 126 Reputation points

2020-08-17T22:03:54.83+00:00

I have read all those....my question is very simple. This is the scenario:

Azure Webapp-------------(connection-string)------------->Azure SQL DB

Am I impacted? :)

bamboo 1 Reputation point

2020-08-19T09:54:55.013+00:00

Is it affected if I connect to "*.database.windows.net" from .NET Framework?

Pranesh Sathyanarayan 191 Reputation points

2020-08-19T15:35:59.007+00:00

Please ensure you have not changed the connection policy, it should be redirect by default. See here at https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings and set it to redirection.
Your scenario looks more within azure network, so i would suggest to use service tags as MSFT mentions.
Azure Webapp-------(connection-string)-->Azure SQL DB , so this is all within Azure network itself, so you can add a NSG rule to allow traffic to SQL service tag. If you don't have restrictions on port 1433, then no need to worry.To be on the safer side, ensure to add those rules mentioned at https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture#connection-policy so that redirection policy works fine.
Since you mention connection string, ensure correct version of JDBC driver (if you are using JDBC), its explained here at https://learn.microsoft.com/en-us/azure/azure-sql/database/gateway-migration?tabs=in-progress-ip#impact-of-this-change

Pranesh Sathyanarayan 191 Reputation points

2020-08-19T16:31:16.887+00:00

Depends on your scenario, are you a web developer sitting behind a on-premise firewall, and you are using your machine with visual studio to connect to Azure SQL PaaS, and your firewall restricts connections outbound on port 1433, then ask your NOC team (network team) to add these new ranges. Its better if they allow outbound access for the domain "*.database.windows.net" on port 1433 instead of IP based rule. If you are coming from the internet with no restrictions, no need to worry.

Behdad 126 Reputation points

2020-08-20T01:46:05.47+00:00

Pranesh, thank you for your reply. So I checked my connection policy, and it is set to "Default", which means it is Redirect for all services originating from Azure and Proxy if it is from outside. From outside I only connect using *.database.windows.net and I am not behind corporate firewall which I believe won't be impacted.

Now for the Webapp and my SQL they are both on Azure. Please excuse my ignorance but when you say add service tags, do you mean add it on Webapp or SQL. Also how do I add it? These service tags are the same as normal "Tags" that I have highlighted in the attached screenshot?

In terms of my connection string, I believe it is ADO.net...it looks like below:

Data Source=tcp:myspecialdb.database.windows.net,1433;Initial Catalog=my-prod-db;User Id=johndoe@myspecialdb.database.windows.net;Password=mysecretpassword;

Thank you for your support.

Pranesh Sathyanarayan 191 Reputation points

2020-08-20T06:06:28.567+00:00

You're welcome, we worry about service tags when have vnet integrated with the web app.
If you have not done vnet integration to app service plan at all, then no need to do anything, you are not impacted. If vnet is integrated, then please do below: In app service plan, For free plan F1, we cannot integrate vnet. So, in the app service plan, under settings > networking, for standard tier and above we get the option for integrating a vnet. Here please add a rule to NSG (network security group) associated with vnet, i.e outbound rule to service tag called "sql".

Pranesh Sathyanarayan 191 Reputation points

2020-08-20T06:26:15.87+00:00

If free plan F1 is being used, no need to worry, there is no impact. Provided you have standard or premium plan for app service and you have done vnet integration, please add service tag as specified above.
Service tags are explained at https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview, and vnet integration steps are here: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet Since you are not using a JDBC connecting string, no need to worry about JDBC here.
Sign in to comment