I have two virtual machines for database and app server and I want the app server and only the app server to connect to the database server.
These are in the same vnet. I am trying to do this by securing the endpoint.
With Azure I can see that if I shut down the VMs they will get new IP addresses, so I can't hardcode the public IP address of the app server in the ACL of the database server. If I put a vnet range like 10.2.0.0/16 in the ACL, then I need my app server database connection string to use a local address, but again the local address of the database will change when it shuts down.
The only option I can see is to set up a DNS server. Is there another way?
Potentially I could add the DNS role to my app server. This seems like it would be a common scenario; what is the usual way people handle this?
Edit: I found how to get the FQDN using nslookup. This resolves to the 10.x.x.x address so I can use this in the connection string.
Have you looked into network security groups? https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/
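As an added illustration of the NSG approach (this is example code, not part of the answer above), the following classic-deployment-model PowerShell locks the database subnet down so that only the app server can reach the SQL port. The names are assumptions: VNet "vnet-prod", database subnet "db-subnet", app server cloud service "cs-app" / VM "app01" with private IP 10.2.0.4, SQL on TCP 1433, location "West Europe". It uses the Azure Service Management (classic) PowerShell cmdlets, which match the endpoint/ACL model the question is using.

```powershell
# Added example, not from the original answer. Assumed names: VNet "vnet-prod",
# subnet "db-subnet", app server cs-app/app01 at 10.2.0.4, SQL on TCP 1433, "West Europe".
# Requires the Azure Service Management PowerShell module; run Add-AzureAccount first.

$location  = "West Europe"
$vnetName  = "vnet-prod"
$dbSubnet  = "db-subnet"
$appPrivIP = "10.2.0.4"
$dbPort    = "1433"

# 0. Pin the app server's private IP so the allow rule below does not go stale after a
#    deallocation (a stopped VM otherwise gets a new DHCP lease on restart).
Get-AzureVM -ServiceName "cs-app" -Name "app01" |
    Set-AzureStaticVNetIP -IPAddress $appPrivIP |
    Update-AzureVM

# 1. Create the NSG for the database tier.
$nsg = New-AzureNetworkSecurityGroup -Name "nsg-db" -Location $location -Label "Database tier"

# 2. Permit the app server, and only the app server, to reach the database port.
$nsg | Set-AzureNetworkSecurityRule -Name "allow-app01-sql" -Type Inbound -Priority 100 `
    -Action Allow -SourceAddressPrefix "$appPrivIP/32" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange $dbPort -Protocol TCP

# 3. Explicitly deny the rest of the VNet on that port. This matters because the NSG's
#    built-in default rule (priority 65000) allows all inbound traffic from VIRTUAL_NETWORK.
#    Lower priority number wins, so 100 (allow) is evaluated before 200 (deny).
$nsg | Set-AzureNetworkSecurityRule -Name "deny-vnet-sql" -Type Inbound -Priority 200 `
    -Action Deny -SourceAddressPrefix "VIRTUAL_NETWORK" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange $dbPort -Protocol TCP

# 4. Associate the NSG with the whole database subnet; every VM placed there inherits it.
Set-AzureNetworkSecurityGroupToSubnet -Name "nsg-db" -VirtualNetworkName $vnetName -SubnetName $dbSubnet

# 5. Review the effective rule set, including the Azure default rules.
Get-AzureNetworkSecurityGroup -Name "nsg-db" -Detailed |
    Select-Object -ExpandProperty Rules |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange
```

Unlike an endpoint ACL, an NSG filters VNet-internal traffic, so it is the control that actually applies when the app server talks to the database over its 10.x address (the path the question's edit ends up using). Keep the explicit deny rule; without it the default VIRTUAL_NETWORK allow rule still lets any other VM in the VNet reach port 1433.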
You can reserve both public and private IP addresses to avoid changes.
Example for private IP:
Example for public IP:
Regarding NSGs vs. ACLs, NSGs are always preferable for better control and manageability. Usually we are talking about several virtual machines; imagine if you had to add/remove ACL rules all the time. With NSGs you can define inbound and outbound rules for a single VM, a group, or even an entire subnet.
If you only have a couple of virtual machines to manage, just go with ACLs. By default, the ACL will allow 0.0.0.0 for an open endpoint. As soon as you add an entry to the list it becomes a whitelist, so you can add your app server IP to only let it connect to your database.
References:
Reserved IP Overview
How to Set a Static Internal Private IP
What is an endpoint Access Control List (ACLs)?
What is a Network Security Group (NSG)?
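As an added worked example of the reserved-IP-plus-ACL approach described in the answer above (example code, not the answer's own), the following classic-model PowerShell pins the database VM's private IP, reserves the app server's public IP, and then whitelists that reserved address on the database's SQL endpoint ACL. All names are assumptions: cloud services "cs-app" and "cs-db", VMs "app01" and "db01", VNet "vnet-prod", desired database private IP 10.2.0.5, location "West Europe", and an endpoint named "SQL" that does not yet exist (use Set-AzureEndpoint instead of Add-AzureEndpoint if it does).

```powershell
# Added example, not from the original answer. Assumed names: cs-app/app01, cs-db/db01,
# VNet "vnet-prod", DB private IP 10.2.0.5, "West Europe", new endpoint "SQL" on TCP 1433.
# Requires the Azure Service Management PowerShell module; run Add-AzureAccount first.

$location = "West Europe"
$vnetName = "vnet-prod"
$dbPrivIP = "10.2.0.5"

# --- Private IP: make the database address survive a stop/deallocate ----------------------
# Check that the address is free (or already held by this VM) before claiming it.
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $dbPrivIP
if (-not $check.IsAvailable) {
    throw "$dbPrivIP is not available; suggestions: $($check.AvailableAddresses -join ', ')"
}
Get-AzureVM -ServiceName "cs-db" -Name "db01" |
    Set-AzureStaticVNetIP -IPAddress $dbPrivIP |
    Update-AzureVM
# The app server's connection string can now safely point at $dbPrivIP.

# --- Public IP: reserve the app server's VIP so its source address never changes ----------
# Only relevant if the app server reaches the database through the public endpoint; outbound
# traffic from the cloud service is then source-NATed from this reserved address.
New-AzureReservedIP -ReservedIPName "rip-app" -Location $location
Set-AzureReservedIPAssociation -ReservedIPName "rip-app" -ServiceName "cs-app"
$appPublicIP = (Get-AzureReservedIP -ReservedIPName "rip-app").Address

# --- Endpoint ACL: turn the open endpoint into a one-entry whitelist ----------------------
# An endpoint with an empty ACL accepts 0.0.0.0/0; the first Permit rule makes it a whitelist
# and everything not matched is dropped. Use a /32 so only that one address is permitted.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit `
    -RemoteSubnet "$appPublicIP/32" -Description "app01 reserved VIP"

Get-AzureVM -ServiceName "cs-db" -Name "db01" |
    Add-AzureEndpoint -Name "SQL" -Protocol tcp -LocalPort 1433 -PublicPort 1433 -ACL $acl |
    Update-AzureVM

# Review what is now enforced on the endpoint.
Get-AzureVM -ServiceName "cs-db" -Name "db01" | Get-AzureAclConfig -EndpointName "SQL"
```

One caveat a practitioner should keep in mind: an endpoint ACL only filters traffic that arrives through the cloud service's public input endpoint. If the app server connects to the database's private 10.x address inside the VNet (as the question's edit does), that traffic never passes through the endpoint and the ACL does not see it; restrict the private path with a Network Security Group or the guest OS firewall instead, and consider not exposing the SQL port as a public endpoint at all.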