Share via

Securely connect to Azure SQL DB from Desktop (WinForms) app

Derek R 0 Reputation points
2024-02-20T14:54:44.68+00:00

I'm developing an desktop app (WinForms C#) for use in an office environment that will generally interact with a database hosted on the office's local network. However, I'd like to provide the option of a cloud-hosted database. Azure SQL Database or Azure Database for MySQL seems like a good option. However, I'm concerned about security.

I understand you can use either standard SQL authentication (username+password) or Microsoft Entra authentication.

Standard SQL authentication is probably fine if you restrict to certain IP addresses, but users need to be able to install and run the app on any device they want. Everything I read recommends against opening all IP's in this way. I don't fully understand why -- it seems about as secure as any other username+password-based system. Maybe someone can clarify the risks for me.

Anyway, the only other option is Microsoft Entra, which I don't think is viable for us, because we will be managing the Azure account and DB for the customer, and therefore only we could add new Microsoft Entra users, which is a non-starter. Our clients need to be able to add and manage their own users. So unless there's a way around that (that doesn't add a whole layer of complexity and additional development), that option is out.

So, does that mean I'm out of luck? Is an Azure-hosted DB just not a viable option for this scenario?

The only other semi-promising avenues I've looked down are:

  • Azure VNet. It appears I can add the Azure DB to a VNet and set it up so only the VNet can communicate with it. But it seems like this would require my clients to install a VPN client and connect it each time they want to use the app, which negates the advantage of using a cloud DB in the first place. Is there any way around this? Could my app initiate the VPN connection "in the background" without the need for the user to install or initiate anything manually?
  • App Registrations (+VNet?). It sounds like with this I may possibly be able to register some ID for my app, and have my app send that as a sort of key to access either the Azure DB directly, or maybe the VNet, without the need for a Microsoft Entra login from the user. However, it seems like even this might require a Microsoft Entra login, plus I can't figure out how to grant an App Registration access to a DB or VNet.

Could either of those options meet my needs, or maybe something else? To summarize, my requirements are:

  • Ability for a desktop app (WinForms C#) to connect to the Azure-hosted DB without need for the user to install/connect a VPN.
  • Ability for our clients (who will not own the DB's Azure/Entra account) to add and remove users for themselves.
  • This is a production app, so the connection mechanism needs to be secure.

Any advice would be appreciated. Thanks!

Azure SQL Database
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,014 questions
Azure Database for MySQL
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
726 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Oury Ba-MSFT 16,886 Reputation points Microsoft Employee
    2024-02-20T23:39:16.59+00:00

    @Derek R Thank you for reaching out.

    Azure SQL Database and Azure Database for MySQL are both good options for cloud-hosted databases.

    Azure SQL Database is an excellent choice for many scenarios. Azure SQL Database offers the followings.

    1. Ideal for businesses needing advanced database management and analysis.
    2. Offers features like built-in machine learning and advanced data security.
    3. Proprietary architecture with out-of-the-box features.
    4. Supports T-SQL (Transact-SQL) language. You can migrate your on-premises SQL Server databases with minimal code changes.
    5. Best suited for enterprise-grade applications, data warehousing, and analytics.
    6. Azure SQL Database offers serverless compute, which automatically scales based on demand, reducing costs during idle periods.

    What is Azure SQL Database?

    Azure Database for MySQL

    Azure Database for MySQL - Flexible Server deployment model

    What is Azure Database for MySQL - Flexible Server?

    Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server

    Azure Database for MySQL - Flexible Server service tiers

    Microsoft Entra (also known as Azure Active Directory authentication) provides a more secure option.

    You could invite your customers to the MS Entra tenant, provide the appropriate RBAC permissions and create a group to ensure only the appropriate users have access to the DB.

    • Users authenticate using their Azure AD credentials (single sign-on).
    • You can manage users centrally, and it integrates well with Azure services.

    Azure VNet:

    • Adding your Azure DB to a Virtual Network (VNet) restricts communication to only the VNet.
    • While this enhances security, it does require users to connect via VPN.
    • To avoid manual VPN setup, consider using Point-to-Site VPN or VNet Gateway with Always On enabled.
    • This way, your app can initiate the VPN connection automatically when needed.

    App Registrations + VNet:

    • App Registrations (Azure AD) allow you to register your app and obtain an App ID.
    • You can use this App ID to authenticate your app against Azure AD.
    • Combine this with VNet integration to ensure secure communication.
    • While this approach adds some complexity, it provides better security and user management.

    Regards Oury

    0 comments