VinsonYuen-8877 asked MayankBargali-MSFT edited

Access Restrictions on Azure App API leads to slowness, timeouts, and high CPU usage

I have an API App on Azure that pulls data from an Azure SQL Server. I want to limit access to the API App to specific IP addresses. If I allow all traffic, I see no problems with the API App. When I add an "Allow" record in the Access Restrictions found under the networking protocol, Azure correctly blocks all other traffic from accessing the site but also causes extreme slowness and high CPU usage when called from the "Allowed" IP address. The lag/slowness/high CPU usage is so extreme it often crashes the application that is performing the API call. I've tried allowing 0.0.0.0/32 and the Azure SQL Gateways for my region (a list of IP addresses listed by Microsoft for outbound IP addresses with Azure databases) as well, thinking that the firewall/access restrictions could have inadvertently blocked legitimate SQL traffic, but the problem persists. I would prefer not to go down the rabbit hole of setting up a VNet at this time, as I'm not confident that would solve my problem.

Tags: azure-sql-database, azure-webapps, azure-application-gateway, azure-firewall

We have asked this customer to work with us offline so we can understand what might be causing this behavior. If a solution is found, we will share it here with the community.

If the community has any suggestions, please continue the discussion.


1 Answer

VinsonYuen-8877 answered

After working with support to confirm my problem, I believe I've found a solution. Thank you @GitaraniSharmaMSFT-4262 for answering this question about Service Tags (https://docs.microsoft.com/en-us/answers/questions/48025/questions-about-service-tags.html).

The Access Restrictions were blocking inbound traffic from the Azure SQL Servers, causing timeouts and crashing my App API. Adding the SQL gateway IP addresses for the appropriate region did not help because the Web API is situated on the Azure network and does not need to go through the gateways (different IP, external vs. internal). I instead added an Access Restriction with type Service Tag: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-tag-based-rule. Each service tag represents a list of IP ranges from Azure services. I added AzureCloud, which is an available Service Tag and seems to cover ALL Azure products.
Although SQL is a valid Service Tag, SQL was not deemed a common Service Tag and is not available in the drop-down. (Perhaps this could be added in the future, as it should be fairly common that an Azure Web API communicates with an Azure SQL Server.)

Note: You must create a new access restriction and set the type to Service Tag. The Portal does not allow you to edit an existing Access Restriction from one type to another (e.g. IPv4 to Service Tag).
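
The rule behaviour discussed in this thread, modelled as an added Python example (not part of the original posts and not Microsoft's code): rules are checked in priority order, unmatched traffic is denied once any rule exists, and a Service Tag rule expands to a list of IP ranges. The rule list, the tag ranges (documentation addresses, not real Azure ranges) and the function names are constructed for illustration; the field names follow the ARM `ipSecurityRestrictions` and Service Tags JSON layouts.

```python
import ipaddress

# Constructed sample in the shape of the downloadable Azure Service Tags JSON.
# The prefixes are RFC 5737 documentation ranges, not real Azure ranges.
SERVICE_TAGS = {"values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["198.51.100.0/24", "203.0.113.0/24"]}},
    {"name": "Sql",
     "properties": {"addressPrefixes": ["203.0.113.0/26"]}},
]}

# Constructed rule list using the ARM ipSecurityRestrictions field names.
RULES = [
    {"name": "office", "priority": 100, "action": "Allow",
     "ipAddress": "192.0.2.10/32", "tag": "Default"},
    {"name": "azure", "priority": 200, "action": "Allow",
     "ipAddress": "AzureCloud", "tag": "ServiceTag"},
]


def prefixes_for(rule, service_tags):
    """Return the networks a rule covers, expanding Service Tag rules."""
    if rule.get("tag") == "ServiceTag":
        for entry in service_tags["values"]:
            if entry["name"].lower() == rule["ipAddress"].lower():
                return [ipaddress.ip_network(p)
                        for p in entry["properties"]["addressPrefixes"]]
        raise KeyError(f"unknown service tag: {rule['ipAddress']}")
    return [ipaddress.ip_network(rule["ipAddress"], strict=False)]


def evaluate(source_ip, rules, service_tags):
    """First matching rule in priority order wins; returns (action, rule name)."""
    if not rules:
        return ("Allow", "no restrictions configured")
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if any(addr in net for net in prefixes_for(rule, service_tags)):
            return (rule["action"], rule["name"])
    # Models the default behaviour: unmatched traffic is denied once rules exist.
    return ("Deny", "implicit deny all")


def tag_size(name, service_tags):
    """Count the addresses a Service Tag admits, to compare how broad tags are."""
    rule = {"ipAddress": name, "tag": "ServiceTag"}
    return sum(net.num_addresses for net in prefixes_for(rule, service_tags))
```

Comparing `tag_size("AzureCloud", SERVICE_TAGS)` with `tag_size("Sql", SERVICE_TAGS)` shows how much more address space the broader tag admits through a single Allow rule.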
