
Securing Hydra

Using Private Endpoints

You can configure the Hydra installation to use private endpoints. By following this best practice, you can avoid exposing sensitive components such as your SQL Server and Key Vault to the internet. See How to Secure the Database and Key Vault of an App Service/Web App in Azure.

[Screenshot: Frame 1327.png]

Example Private Endpoint Configuration

In this example, we will create a new Virtual Network (192.168.1.0/24 named nb-westus-vnet) with two subnets:

  1. 192.168.1.0/25 (default): will be used for the Private Endpoints.

  2. 192.168.128.0/25 (nb-subnet2): will be used for web app integration.

Tip: You can use an existing virtual network, but note that the second integration subnet must be completely empty.

  1. In the Key Vault, go to Settings > Networking > Private Endpoint Connections and click Create.

  2. In the Basics tab, select the Subscription and Resource Group you wish to associate the private endpoint with.

    1. You can create a new Resource Group if desired, but you can simply choose the Resource Group into which Hydra is deployed.

[Screenshot: Frame 1666.png]

  3. In the Resource tab, choose Microsoft.KeyVault/vaults for the Resource type.

  4. For Resource, choose the Key Vault resource.

  5. The Target sub-resource should be vault.

[Screenshot: Frame 1667.png]

  6. In the Virtual Network tab, select the Virtual Network you would like to associate with the private endpoint.

  7. The Subnet in this case is the first example subnet in the virtual network, 192.168.1.0/25, named default.

[Screenshot: Frame 1668.png]

  8. For DNS, it is best to create the private DNS integration with the default settings so that the App Service can resolve the resource names to the private IP. Otherwise, ensure your DNS servers hold the correct DNS record for the resource.

[Screenshot: Frame 1669.png]

  9. Set tags if necessary and review the configuration.

  10. Click Create.

  11. Back in the Key Vault's Networking configuration, allow access only from the Virtual Network. This disables access to the Key Vault over the public internet.

[Screenshot: Frame 1670.png]

At this point, the App Service becomes unavailable at its next fetch of secrets or its next restart. You will typically receive an HTTP 500.30 ANCM In-Process Start Failure while the Key Vault is inaccessible.

  12. Next, open the Hydra SQL Server and go to Security > Networking. Repeat the same steps as for the Key Vault; the Target sub-resource is set automatically to SQL Server in the Resource tab.

  13. After creating the Private Endpoint, disable Public network access and click Save.

[Screenshot: Frame 1671.png]

  14. Navigate to the Hydra App Service > Settings > Networking.

  15. Review the networking configuration and note that VNet integration is currently disabled for outbound access. All outbound communication therefore crosses public networks, and public access has just been disabled on both the SQL Server and the Key Vault.

[Screenshot: Frame 1672.png]

  16. Under Virtual network integration, select Not configured, then select Add virtual network integration.

[Screenshot: Frame 1673.png]

  17. Select an existing subnet and choose the empty subnet specified earlier as the integration subnet (nb-subnet2). You can optionally create one here if the VNet has unassigned address space.

[Screenshot: Frame 1674.png]

  18. Click Save, then confirm the Virtual Network integration is in place:

[Screenshot: Frame 1675.png]

  19. Optionally, for inbound access, associate the App Service with a private endpoint so that it is reachable only internally, or restrict which IPs can reach it over the public internet.

  20. After the networking changes are completed, restart the App Service:

[Screenshot: Frame 1676.png]

After a few minutes, Hydra should be accessible again. The Key Vault and SQL components are now only accessible over the Private Endpoints and can no longer be reached over the internet.
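The same configuration can be applied as code. The script below is an added example, not part of the Hydra documentation or of the product, built from Azure CLI commands (az network private-endpoint, az network private-dns, az keyvault update, az sql server update, az webapp vnet-integration). The resource names hydra-rg, hydra-app, hydra-kv and hydra-sql, and the private endpoint names derived from them, are assumptions; the VNet and subnet names follow the example above. Because the second subnet prefix given above, 192.168.128.0/25, lies outside 192.168.1.0/24, the script assumes 192.168.1.128/25 for the integration subnet. It prints the planned commands by default (DRY_RUN=1) and only calls az when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the Hydra documentation: the private-endpoint procedure
# above expressed as Azure CLI calls. All resource names are assumptions.
set -eu

RG="${RG:-hydra-rg}"           # resource group Hydra is deployed into (assumed name)
VNET="${VNET:-nb-westus-vnet}" # from the example above
APP="${APP:-hydra-app}"        # Hydra App Service (assumed name)
KV="${KV:-hydra-kv}"           # Hydra Key Vault (assumed name)
SQL="${SQL:-hydra-sql}"        # Hydra SQL logical server (assumed name)
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the az commands for review, 0 = execute them

# run: prints the call in dry-run mode, otherwise executes az with the same arguments.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# lookup_id: ARM id of the target resource, or a labelled placeholder in dry-run mode.
#   $1 = az command group ("keyvault" or "sql server"), $2 = resource name
lookup_id() {
  if [ "$DRY_RUN" = 1 ]; then printf '<%s:%s-id>' "$1" "$2"
  else az $1 show -n "$2" -g "$RG" --query id -o tsv; fi  # $1 unquoted: "sql server" is two words
}

# VNet with the endpoint subnet and an empty integration subnet delegated to App Service.
# The page lists 192.168.128.0/25 for the second subnet, which is outside 192.168.1.0/24;
# this example assumes 192.168.1.128/25 was intended.
create_network() {
  run network vnet create -g "$RG" -n "$VNET" --address-prefixes 192.168.1.0/24 \
    --subnet-name default --subnet-prefixes 192.168.1.0/25
  run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n nb-subnet2 \
    --address-prefixes 192.168.1.128/25 --delegations Microsoft.Web/serverFarms
}

# private_endpoint: endpoint in the "default" subnet plus the private DNS zone that
# lets the App Service resolve the resource's hostname to the endpoint's private IP.
#   $1 = endpoint name, $2 = target resource id, $3 = sub-resource (vault | sqlServer),
#   $4 = private DNS zone for that service
private_endpoint() {
  pe="$1"; target="$2"; group="$3"; zone="$4"
  run network private-endpoint create -g "$RG" -n "$pe" --vnet-name "$VNET" --subnet default \
    --private-connection-resource-id "$target" --group-id "$group" --connection-name "$pe-conn"
  run network private-dns zone create -g "$RG" -n "$zone"
  run network private-dns link vnet create -g "$RG" -n "$pe-dns-link" -z "$zone" -v "$VNET" -e false
  run network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$pe" \
    -n "$pe-zone-group" --private-dns-zone "$zone" --zone-name "$group"
}

# Key Vault: private endpoint, then no public access at all. The portal step above restricts
# access to the VNet; with the endpoint in place, disabling public access is the equivalent
# CLI setting (VNet rules via "az keyvault network-rule add" are the alternative).
secure_key_vault() {
  private_endpoint "$KV-pe" "$(lookup_id keyvault "$KV")" vault privatelink.vaultcore.azure.net
  run keyvault update -n "$KV" -g "$RG" --public-network-access Disabled
}

# SQL server: private endpoint with the sqlServer sub-resource, then public access off.
secure_sql_server() {
  private_endpoint "$SQL-pe" "$(lookup_id "sql server" "$SQL")" sqlServer privatelink.database.windows.net
  run sql server update -n "$SQL" -g "$RG" --enable-public-network false
}

# App Service: route outbound traffic through the integration subnet, then restart so the
# app fetches its secrets over the private endpoint instead of failing with 500.30.
integrate_app_service() {
  run webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet nb-subnet2
  run webapp restart -g "$RG" -n "$APP"
}

create_network
secure_key_vault
secure_sql_server
integrate_app_service
```

Run it once as-is to review the plan, then with DRY_RUN=0 after `az login`. Ordering matters for the outage window noted above: the App Service only regains access to the Key Vault once the integration subnet is attached and the app has restarted, so expect 500.30 between secure_key_vault and integrate_app_service.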

Configuring Entra ID Only Support for SQL Server (Legacy Installations Only)

We recommend switching database access to the App Service's managed identity (Entra ID), and doing so during a maintenance window.

This is the default configuration starting with 1.1.1.8. No action is needed if Hydra was deployed with this version or later.

  1. Open the SQL server resource in the Azure Portal and go to Azure Active Directory.

    1. Set the managed identity of Hydra's web service as an administrator.

    2. Check Support only Azure Active Directory authentication for this server.

[Screenshot: Frame 1328.png]

  2. Open the Key Vault and give yourself permission (Access Policy) to change secrets.

  3. In Secrets, copy the existing connection string from Hydra-DbConnectionString and modify it to match the following string:

Server=tcp:<your-instance>.database.windows.net,1433;Initial Catalog=Hydra;Persist Security Info=False;Encrypt=True;Connection Timeout=90;

  4. Remove the other parts of the string (like User ID, ...).

  5. Add the new connection string as a new version of the secret.

  6. Optionally, remove your permission from the Key Vault. Restart the App Service and verify that the engine runs with the new configuration.
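The steps above can also be scripted, which has the advantage that the rewritten connection string is checked for leftover credentials before the new secret version is written. The following is an added example, not part of the Hydra documentation or of the product. It uses the Azure CLI (az sql server ad-admin, az sql server ad-only-auth, az keyvault set-policy, az keyvault secret show/set, az webapp restart); the resource names hydra-rg, hydra-app, hydra-kv and hydra-sql and the UPN you@example.com are assumptions, and the access-policy permission model is assumed for the Key Vault. The legacy connection string used in dry-run mode is constructed for the example. Like the private-endpoint script, it only prints its commands unless run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the Hydra documentation: the Entra ID-only switch above as
# Azure CLI calls, with the connection-string rewrite done in a function that is checked
# before the new secret version is written. Resource names are assumptions.
set -eu

RG="${RG:-hydra-rg}"; APP="${APP:-hydra-app}"; KV="${KV:-hydra-kv}"; SQL="${SQL:-hydra-sql}"
UPN="${UPN:-you@example.com}"      # your own account, for the temporary secret permission (assumed)
SECRET="Hydra-DbConnectionString"  # secret name from the page
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the az commands for review, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf 'az %s\n' "$*"; else az "$@"; fi; }

# build_entra_connection_string: rewrites a legacy string into the form the page
# prescribes. Only the Server= value is carried over; User ID, Password and every other
# key are dropped, and the remaining keys are set exactly as shown above.
build_entra_connection_string() {
  server=$(printf '%s' "$1" | tr ';' '\n' | awk -F'=' '
    { k = $1; gsub(/^ +| +$/, "", k) }
    tolower(k) == "server" { sub(/^[^=]*=/, ""); print; exit }')
  [ -n "$server" ] || { echo "no Server= key in connection string" >&2; return 1; }
  printf 'Server=%s;Initial Catalog=Hydra;Persist Security Info=False;Encrypt=True;Connection Timeout=90;' "$server"
}

# has_sql_credentials: succeeds when the string still carries a SQL login (User ID/UID,
# Password/PWD), which must not be stored once the server accepts Entra ID only.
has_sql_credentials() {
  printf '%s' "$1" | tr ';' '\n' | awk -F'=' '
    { k = tolower($1); gsub(/ /, "", k) }
    k == "userid" || k == "uid" || k == "password" || k == "pwd" { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Step 1: the App Service's managed identity becomes SQL admin, then SQL logins are disabled.
enable_entra_only_sql() {
  if [ "$DRY_RUN" = 1 ]; then principal='<app-managed-identity-object-id>'
  else principal=$(az webapp identity show -g "$RG" -n "$APP" --query principalId -o tsv); fi
  run sql server ad-admin create -g "$RG" -s "$SQL" --display-name "$APP" --object-id "$principal"
  run sql server ad-only-auth enable -g "$RG" -n "$SQL"
}

# Steps 2-6: temporary secret permission, new secret version without credentials,
# permission removed again, App Service restarted.
rotate_connection_string() {
  run keyvault set-policy -n "$KV" --upn "$UPN" --secret-permissions get set
  if [ "$DRY_RUN" = 1 ]; then
    # constructed legacy value, used only in dry-run mode
    old='Server=tcp:hydra-sql.database.windows.net,1433;Initial Catalog=Hydra;User ID=hydra_admin;Password=<redacted>;Encrypt=True;Connection Timeout=30;'
  else
    old=$(az keyvault secret show --vault-name "$KV" -n "$SECRET" --query value -o tsv)
  fi
  new=$(build_entra_connection_string "$old")
  if has_sql_credentials "$new"; then
    echo "refusing to store a connection string that still contains credentials" >&2; return 1
  fi
  run keyvault secret set --vault-name "$KV" -n "$SECRET" --value "$new"   # creates a new version
  run keyvault delete-policy -n "$KV" --upn "$UPN"
  run webapp restart -g "$RG" -n "$APP"
}

enable_entra_only_sql
rotate_connection_string
```

If the Key Vault uses Azure RBAC instead of access policies, replace the set-policy/delete-policy calls with a temporary Key Vault Secrets Officer role assignment; the rest of the script is unchanged. Keep the old secret version until the restarted App Service has been verified against the database, since `az keyvault secret set` adds a version rather than overwriting.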
