Connecting to your Azure SQL database over a Private Endpoint

In a corporate network, internal database servers are usually heavily firewalled in separate network segments. When we deploy a database in Azure SQL, however, the logical server gets a public endpoint (<server>.database.windows.net) that is reachable from the internet; only the server-level firewall rules and the "Allow Azure services" switch decide who may connect to it.

To improve the security of your database, you should connect your application to it through Azure Private Link: a Private Endpoint puts a network interface with a private IP address from your virtual network in front of the SQL server, so the traffic stays on the Microsoft backbone instead of crossing the public internet. Once the endpoint works (which also needs a private DNS zone, so that the server name resolves to the private IP inside your network), you can set the server's public network access to Disabled, after which the public endpoint rejects every connection whatever the firewall rules say.
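The deployment described above, as an added Bicep example (it is not code from the original post). It assumes a virtual network named app-vnet with a subnet data-subnet already exists in the target resource group, and that the application that talks to the database is integrated into that network; the server and database names are placeholders.

```bicep
// Added example, not the post's own code. Assumptions: 'app-vnet' and its
// subnet 'data-subnet' already exist in this resource group.
@description('Existing virtual network that receives the private endpoint')
param vnetName string = 'app-vnet'

@description('Existing subnet for the private endpoint network interface')
param subnetName string = 'data-subnet'

param location string = resourceGroup().location
param sqlServerName string
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
  resource subnet 'subnets' existing = {
    name: subnetName
  }
}

// Logical server with public network access switched off: the public endpoint
// now rejects every connection, regardless of the server firewall rules.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Disabled'
    minimalTlsVersion: '1.2'
  }
}

resource sqlDb 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: sqlServer
  name: 'appdb' // placeholder database name
  location: location
  sku: { name: 'Basic' }
}

// The private endpoint: a NIC in our subnet that fronts the SQL server.
// For Azure SQL the sub-resource (groupId) is 'sqlServer'.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${sqlServerName}-pe'
  location: location
  properties: {
    subnet: { id: vnet::subnet.id }
    privateLinkServiceConnections: [
      {
        name: '${sqlServerName}-plsc'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [ 'sqlServer' ]
        }
      }
    ]
  }
}

// DNS: inside the VNet, <server>.database.windows.net must resolve to the
// private IP, otherwise clients keep trying the (now closed) public endpoint.
// environment().suffixes.sqlServerHostname is '.database.windows.net'.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// Lets the private endpoint write its A record into the zone automatically.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sql'
        properties: { privateDnsZoneId: privateDnsZone.id }
      }
    ]
  }
}

output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
```

Two things to check after deploying. From a machine or app inside the VNet, nslookup on the server FQDN must return the private IP of the endpoint (the public resolution returns a CNAME to the privatelink name and then a public address); if it does not, the DNS zone is not linked to the network the client resolves from. From outside the VNet, a connection attempt should fail with an error stating that public network access on the server is denied, which is the confirmation that the firewall rules are no longer the only thing between the internet and your data. On older subnet API versions the subnet also had to be created with privateEndpointNetworkPolicies set to Disabled before a private endpoint could be placed in it.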

Easy way to set Azure RBAC roles in Bicep

When deploying resources in Azure using Bicep, you will occasionally have to assign a role to a user or service principal so that it can perform certain actions. For example, authorizing an app service (through its managed identity) to access a storage account.

Initially you would create something like this:

// Assume we have an app service with a system-assigned managed identity
resource appService 'Microsoft.Web/sites@2021-03-01' existing = {
    name: 'some-existing-app-service'
}

// Object ID of the managed identity; this is the principal the role is granted to
var principalId = appService.identity.principalId

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
    name: 'some-existing-storage-account'
}

// A role assignment must be named with a GUID; deriving it from scope, resource group
// and principal keeps the name stable, so redeploying does not create duplicates
resource roleAuthorization 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
    name: guid(storageAccount.id, resourceGroup().id, principalId)
    scope: storageAccount
    properties: {
        principalId: principalId
        principalType: 'ServicePrincipal' // avoids a PrincipalNotFound error when the identity was created moments ago
        roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
    }
}

I came up with the following Bicep module, which shows a nice way to hide the nasty details, such as the role GUIDs, inside a module.
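One way to build such a module, as an added example that is not the author's module from the post: the caller passes a readable role name and the module owns the lookup table of role definition GUIDs. It assumes the module lives in a file roleAssignment.bicep next to the main template, that the storage account and app service already exist, and that the GUIDs in the table are the built-in Azure role IDs (the Storage Blob Data Contributor ID is the one from the snippet above; verify the others with "az role definition list --name <role name> --query [].name" before relying on them).

```bicep
// ---- roleAssignment.bicep (added example module, not the post's own code) ----
@description('Name of the existing storage account the role is scoped to')
param storageAccountName string

@description('Object ID of the identity that receives the role')
param principalId string

@description('ServicePrincipal for managed identities; User or Group for people')
@allowed([ 'ServicePrincipal', 'User', 'Group' ])
param principalType string = 'ServicePrincipal'

@description('Readable role name; the GUID lookup stays inside this module')
@allowed([ 'Storage Blob Data Contributor', 'Storage Blob Data Reader', 'Storage Blob Data Owner' ])
param roleName string

// Built-in role definition IDs (assumed; verify with az role definition list)
var roleIds = {
  'Storage Blob Data Contributor': 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  'Storage Blob Data Reader': '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
  'Storage Blob Data Owner': 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
}

var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleIds[roleName])

// A module cannot receive a resource as its scope, so the target is resolved by name here
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
  name: storageAccountName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Including the role in the GUID lets the same principal hold several roles on one account
  name: guid(storageAccount.id, principalId, roleDefinitionId)
  scope: storageAccount
  properties: {
    principalId: principalId
    principalType: principalType
    roleDefinitionId: roleDefinitionId
  }
}

output roleAssignmentId string = roleAssignment.id

// ---- main.bicep: how the caller uses it ----
resource appService 'Microsoft.Web/sites@2021-03-01' existing = {
  name: 'some-existing-app-service'
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
  name: 'some-existing-storage-account'
}

module blobContributor 'roleAssignment.bicep' = {
  name: 'appservice-blob-contributor'
  params: {
    storageAccountName: storageAccount.name
    principalId: appService.identity.principalId
    roleName: 'Storage Blob Data Contributor'
  }
}
```

The allowed-values decorator on roleName turns a typo in the role name into a validation error at deployment time instead of a silent assignment of the wrong role, and because the lookup table lives in one file, widening or narrowing what the module can grant is a single reviewable change.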