One common request or annoyance from customers is the fact that Windows Azure SQL Database (WASD) supports only two modes of protection with its firewall:
1. External IP addresses that are used to manage databases through SSMS or some other tool
2. An “any” rule with an IP range of 0.0.0.0 – 0.0.0.0, which denotes that any Windows Azure virtual machine can access the SQL database server
It’s not that clear cut, but let’s have a short lesson on how the latter is achieved … Each role instance has an IP address of 10.x.x.x, and traffic can be routed between roles on internal endpoints through this network interface. An external service like Windows Azure SQL Database has no knowledge of this, since it’s not part of a virtual network. This means that when an application hosted on a virtual machine connects to WASD, the firewall will see the public address of the cloud service, not the internal one.
Try this out by removing all rules and connecting to a database from a sample web application; the error you get back references an IP address within a public range, as shown here:
That being said, a better way of using the firewall would be to avoid the “any” rule altogether and lock down WASD to the specific public IP address of the cloud service.
Fluent Management was conceptualised to create deployment workflows in Windows Azure, and one that I like quite a lot is the idea of building an agent or monitoring application of some kind which watches a cloud service deployment. If the address changes (an infinite lease is unlikely, but possible depending on the circumstances), the agent picks up the fact that the IP has changed, blows away the firewall rules and creates a new set.
I set out to do just this and this is what my code looks like:
It’s a new SqlDatabaseClient class which now has a single method that takes a cloud service name, looks at either the staging or production slot, and optionally blows away all other rules or appends the new IP to the existing set of rules.
There are several ways to do this using Fluent Management. One way could be coded as follows:
This uses the LINQ provider to determine the current public IP address of the cloud service, which can then be checked against the stored previous one(s). It can also be used in conjunction with the fluent API deployment for cloud services and WASD. More can be read about this on the wiki.
The latest version of Fluent Management is 0.4.8.5, which I’ll package and add to NuGet in the next couple of days.
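The reconcile step such an agent performs, written out as an added example that is not Fluent Management's own code: given the rule set read back from the WASD server and the cloud service's current public address, it returns which rules to drop (the blanket “any” rule and any stale address recorded for this service) and which single rule to add. The `<service>-<ip>` rule-naming convention, the `replace_all` switch and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# WASD expresses "allow any Windows Azure service" as this degenerate range.
ANY_AZURE_RULE = ("0.0.0.0", "0.0.0.0")


@dataclass(frozen=True)
class FirewallRule:
    name: str
    start_ip: str
    end_ip: str

    def is_any_azure(self) -> bool:
        return (self.start_ip, self.end_ip) == ANY_AZURE_RULE

    def covers(self, ip: str) -> bool:
        return IPv4Address(self.start_ip) <= IPv4Address(ip) <= IPv4Address(self.end_ip)


def reconcile(rules, service_name, current_ip, replace_all=False):
    """Return (to_delete, to_add) so the server ends up with exactly one rule
    for this cloud service's current public IP and no blanket "any" rule.

    Assumed naming convention: rules the agent owns are named '<service>-<ip>'.
    replace_all=True also drops rules the agent does not own (e.g. management
    IPs); the default keeps them and only appends.
    """
    prefix = f"{service_name}-"
    to_delete = []
    for rule in rules:
        if rule.is_any_azure():
            to_delete.append(rule)  # never keep the 0.0.0.0 - 0.0.0.0 "any" rule
        elif rule.name.startswith(prefix) and not rule.covers(current_ip):
            to_delete.append(rule)  # address recorded for this service is stale
        elif replace_all and not rule.name.startswith(prefix):
            to_delete.append(rule)  # caller asked to blow away everything else
    already_present = any(
        rule.name.startswith(prefix) and rule.covers(current_ip) for rule in rules
    )
    to_add = [] if already_present else [
        FirewallRule(f"{prefix}{current_ip}", current_ip, current_ip)
    ]
    return to_delete, to_add


# Constructed sample rule set using documentation address ranges.
SAMPLE_RULES = [
    FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    FirewallRule("myservice-203.0.113.10", "203.0.113.10", "203.0.113.10"),
    FirewallRule("office-ssms", "198.51.100.5", "198.51.100.5"),
]
```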