Isolating Azure SQL Databases within a Virtual Network

Question

Pulumi · Accepted Answer

Isolating an Azure SQL Database within a Virtual Network (VNet) is an important task to ensure the security and network isolation of your database service. While Azure SQL Database is a managed service, it does not directly reside within a VNet. Instead, you can use VNet service endpoints or private endpoints to control and secure your network traffic to the SQL Database.

VNet service endpoints give you the ability to extend your VNet private address space and the identity of your VNet to the Azure services. Private Link service and Private Endpoints ensure that access to your SQL Database is through a private IP address within your VNet.

The following program in Python uses Pulumi with the `azure-native` provider to create the necessary resources for isolating an Azure SQL Database within a Virtual Network. Please ensure you have Azure CLI installed and logged in and have selected the subscription where you want to deploy the resources. Also, ensure that Pulumi CLI is installed and configured for use.

Here's what the program does:
1. **Virtual Network Creation**: Sets up a VNet within a specified address space.
2. **Subnet Creation**: Defines a subnet within the VNet specifically for the SQL Server.
3. **SQL Server Creation**: Provisions an Azure SQL Server.
4. **SQL Database Creation**: Attaches a SQL Database instance to the SQL Server.
5. **Virtual Network Rule Creation**: Associates the subnet with the SQL Server to restrict access to the SQL Database through the subnet.

Here's the code:

```python
import pulumi
import pulumi_azure_native.network as network
import pulumi_azure_native.sql as sql

# Set up a new resource group
resource_group = network.ResourceGroup('resourceGroup')

# Create a new virtual network within the resource group
vnet = network.VirtualNetwork('vnet',
    resource_group_name=resource_group.name,
    location=resource_group.location,
    address_space=network.AddressSpaceArgs(
        address_prefixes=["10.0.0.0/16"],
    )
)

# Create a new subnet within the virtual network for the Azure SQL Server
subnet = network.Subnet('subnet',
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    address_prefix="10.0.1.0/24",
    service_endpoints=[network.ServiceEndpointPropertiesFormatArgs(
        service="Microsoft.Sql"
    )]
)

# Create an Azure SQL Server instance
sql_server = sql.Server('sqlServer',
    resource_group_name=resource_group.name,
    location=resource_group.location,
    administrator_login='sqladmin',
    administrator_login_password='complexpassword#1234',
    version='12.0'
)

# Create an Azure SQL Database in the server
sql_db = sql.Database('sqlDb',
    resource_group_name=resource_group.name,
    server_name=sql_server.name,
    sku=sql.SkuArgs(
        name="S0",
        tier="Standard"
    ),
    max_size_bytes=1073741824 # 1 GB
)

# Create a virtual network rule to establish the connection to the SQL server from the subnet
vnet_rule = sql.VirtualNetworkRule('vnetRule',
    resource_group_name=resource_group.name,
    server_name=sql_server.name,
    virtual_network_subnet_id=subnet.id,
    ignore_missing_vnet_service_endpoint=True
)

# Export the connection string for the SQL database
connection_string = pulumi.Output.all(sql_server.name, sql_db.name).apply(
    lambda args: f"Server=tcp:{args[0]}.database.windows.net;Database={args[1]};")
pulumi.export('connectionString', connection_string)
```

Understanding the code:

- `network.ResourceGroup`: Defines a new resource group where all resources will reside.
- `network.VirtualNetwork`: Provisions a Virtual Network in a specified address range.
- `network.Subnet`: Creates a subnet within the Virtual Network. A service endpoint is specified with `"Microsoft.Sql"` to enable connectivity to Azure SQL Database.
- `sql.Server`: Creates a new SQL Server instance with an administrator login and password.
- `sql.Database`: Provisions a new SQL Database in the previously created SQL Server.
- `sql.VirtualNetworkRule`: Establishes a Virtual Network rule that links the subnet to the SQL Server, effectively isolating it and making sure that only traffic from within the VNet can access the SQL Server.

The `connectionString` is an export which will display the connection string needed to connect to the SQL Database once the Pulumi program has been successfully run. It combines the SQL server name with the database name in a format recognized by connection strings.

Please replace `'complexpassword#1234'` with a strong password of your choice.

You would run this Pulumi program by saving it to a file, for example, `main.py`, and running `pulumi up` in the command line from the directory containing that file. This will set up the infrastructure as defined in the code within your Azure subscription.