Connecting to On-Premises SQL Server from API in Azure App Service - sql-server

I am trying to connect to an on-premises SQL Server from my API which i have deployed to Azure App Service. I have established a Azure Hybrid Connection to connect between on-premises SQL and Azure. I created a connection string which included username and password as that of a local login i created in the On-Premises server. This is allowing me to connect.
Connection String:
Data Source=;Initial Catalog=;User=;Password=;MultipleActiveResultSets=True
However i want to connect to the server using windows authentication. My System account has access on the server, but when using connection string as -
Data Source=;Initial Catalog=;Integrated Security=SSPI;User=;Password=;
Or
Data Source=;Initial Catalog=;Integrated Security=SSPI;
It is giving error as
"Login failed. The login is from an untrusted domain and cannot be
used with Windows authentication."
Please suggest how to use windows mode of authentication while forming connection string to the on-premises SQL Server from Azure App Service.

Azure Hybrid Connection does not appear to support Active Directory and hence Windows Authentication will not work. See note about sql auth being required in Official MS documentation.
https://learn.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview
Also, look at the following SO question where one of the answers details common issues faced this setup:
C# web app not connecting to on premise SQL Server through Azure hybrid Connection
You are unlikely to get around this, especially if you are hosting your app as a web app.

Related

Azure VM SQL Server using Windows authentication from another Azure VM ASP.NET application

Currently I have two Azure VM's, one for the ASP.NET application (VM1) and another with SQL Server 2017 (VM2).
At the moment, the application on VM1 connects to VM2's SQL Server using SQL Server authentication, but now I want to change it to Windows authentication. I found this on the Azure website about how to connect:
Virtual networks also enables you to join your Azure VMs to a domain. This is the only way to use Windows authentication to SQL Server. The other connection scenarios require SQL Server authentication with user names and passwords.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/sqlclassic/virtual-machines-windows-classic-sql-connect
But there is also a website forum ask to use Azure Active Directory domain in order to achieve this.
I am confused regarding this, can anyone help me with a description how to connect my VM1 application to VM2 SQL Server using Windows authentication?

Connect to Internal SQL database from Azure Web Application

I'm trying to build a webservice that talks to a SQL database hosted on a server in our internal network. The service is hosted by Azure as a Web App. Is there a good way of doing this? Do I have to use Azure Sql databases, and if I do, is there a way to have the Azure database act as a proxy for our internal database?
There are already rules permitting connections to the ports on our database server, so I don't think that's the problem. I see a lot of questions regarding connecting to Azure hosted sql databases, but nothing about connecting Azure web apps to other kinds of databases.
The error occurs when I try to call a stored procedure (via generated entity framework code) and is as follows:
Error occurred: System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.
Our database is configured to allow remote connections, so what I'm guessing the Web App is having difficulty connecting to our vpn.
Please let me know if you need any additional information.
Thanks,
Josh
You can leverage Azure Hybrid Connections which is a feature of App service. Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint and uses Azure Relay service to connect to on-premise.
Check out the below link for more details :
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
First option is to look on azure app service hybrid connection but for you to do that you should have Windows server 2012 or above.
Azure App Service Hybrid
Azure App Service hybrid connection is good if you are pulling small amount of data.
If you are pulling large amount of data or your SQL server version is below server 2012 you have two options:
Azure Site to Site VPN
Azure SQL Data Sync
Azure SQL DB Sync is a feature that available on Azure SQL database. You can create a Azure SQL database on azure and sync your on-premise SQL database or SQL database table to Azure SQL database and you can connect your application to Azure SQL database instead of connecting to on-premise database server. This will increase your performance of your application.
We ended up adding the application to an Azure Virtual network that allowed connections to our on-prem servers. The remaining difficulties were due the wrong port numbers being open.
What was very helpful in debugging this was the Kudu console in Azure, under Advanced tools -> console. There you can run commands from the machine hosting your application like ping, or the below:
sqlcmd -S tcp:servername,1433 -U Username -d databasename -P password -q "SELECT * FROM tablename"

how to connect api running on azure to connect to on-premises sql server database

I have my api running on Azure and it is working perfect if it is connected to Azure SQL database.
I want this api to use my local database i.e on-premises database. I made my database to accept connection from remote and also enabled TCP/IP in wf.msc and also created an inbound rule for 1433. Is there anything i had to do to make this work? I tried to use the following connection string in azure :
ASP.Net core 2.0 web api written in C# hosted on azure and trying to access the sqlserver database on the Virtual Machine.
I tried as mentioned in the following to create hybrid connection but the status keeps saying 'Not Connected'
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Server=tcp:<mycomputername>,1433;Initial Catalog=MyDb;Persist Security Info=False;User ID=userid;Password=pwd;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
If your On-Prem SQL VM is behind firewall, you need to allow inbound from Azure. Usually you poke a hole in your On-Prem firewall and allow inbound from your Azure (source) to your On-Prem SQL server (Destination) on a particular port.

Is it secure to connect directly to Azure SQL

If I have a Windows Forms app that gets data from Azure SQL is it safe to connect directly to the Azure SQL with a connections string or should I develop a Web service that the Azure SQL sits behind so I connect to web service and the web service connects to Azure SQL.
I was thinking that someone could get hold of the connection string from with in the app when it is published or is this not possible.

Can't connect to SQL Server using IIS APPPOOL User

I have an ASP.NET WebAPI that is calling a SQL Server (currently 2008, but will migrate on something newer soon). Authentication is Windows authentication. I have given the IIS Apppool that executes the WebAPI the rights to access the database.
When I use the following connection string, everything works:
Server=localhost; Database=LPG; Integrated Security=SSPI;
For the production system, the WebAPI and the database server are probably on different machines, so I want to use the name of the server instead of localhost.
Server=my.server.com; Database=LPG; Integrated Security=SSPI;
With this connection string, I get the following error.
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
This is probably because the IIS APPPOOL - User is a local account and when calling my.server.com it can't use local accounts.
Does anyone knows how to resolve that problem?
Thanks in advance,
Frank
The problem is your production server may not be setup for delegation. The web server and the db server must have a relationship so the user on the browser flows through to the database.

Resources