Is allowing Azure Services to be turned on as a firewall rule inside my Azure Database a security issue?

Question

I have the "Allow Azure Services to access this server" option turned on for my Azure Database. The reason for me having turned it on is because I have a Function App that accesses the database to do inserts etc.

My question is, is having this option turned on a security issue at all? If it is, what is the best practice method to keep my database secure while still being able to access it myself through my Function App.

Answer 1

Assuming you are connecting to your SQL databases using username/password combination, there's always a security risk in case your username/password are leaked.

A better approach would be to use Managed Identity. What you will do is assign an identity to your Function app and then allow that identity to connect to your database. That way only your Function App will be able to connect to your database. You would still need to keep "Allow Azure Services to access this server" option turned on though.

Please see this link on connecting an Azure WebApp to a SQL Database using Managed Identity: https://docs.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cef%2Cdotnet