Tom

Reputation: 377

Connection to Azure SQL database on Azure Private Link/Endpoint using Azure VPN Client not working

I'm trying to set up an Azure SQL database using P2S VPN for users who are remote working. They are using some applications like SSMS and Visual Studio that require access to the database. We allow them to connect by whitelisting their IP addresses, but we would like to stop this and use the deny public network access option on the SQL server on Azure.

Whenever I try to connect using SSMS I get the following message: [screenshot of the SSMS error message; image not reproduced]

I've followed the steps outlined in the documentation and tutorials on MS Docs but I have not been able to get the private endpoint to work with the database.

I have created the virtual network gateway and connected it to Azure Active Directory and I can see the sessions being created by the users as they log in.

I have created the virtual network using the address range = 10.1.0.0/16 and the subnet address range = 10.1.0.0/24. I have attached the private endpoint connection to the Azure SQL server and added the virtual network to the firewall.

Is there some setting required to allow the user to connect to the database from their PC without whitelisting IP addresses?

Upvotes: 2

Views: 2083

Answers (1)

kavya Saraboju

Reputation: 10831

WAY 1:

You may use a domain name instead of an IP directly from your virtual network. So, you need some service in Azure which can translate the domain name to an IP.

It is necessary to properly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

  • Use a DNS forwarder for on-premises workloads to resolve the FQDN of a private endpoint, to resolve the Azure service public DNS zone in Azure.

A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS.


  • Use the host file on a virtual machine to override the DNS: Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name (privatelink.database.windows.net). You can override the resolution with the private IP address of your private endpoints. See azure-provided-name-resolution.

WAY 2:

You may go for SQL Managed Instance, which is another Azure SQL PaaS offering. It is deployed within a VNet with no public service endpoints and uses root and client certificates to authenticate in Azure.

(Go for this when one prefers not to use a private endpoint.)

Other references:

  1. DNS-Client-Configuration-Options
  2. DNS-Integration-Scenarios
  3. DNS-Scenario-Using-AD

Upvotes: 0
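The DNS behaviour the answer's WAY 1 describes can be checked from the client side before touching SSMS. The following is an added example, not code from the question or the answer: it models the CNAME chain Azure publishes (`<server>.database.windows.net` -> `<server>.privatelink.database.windows.net` -> an IP) and reports whether the final address falls inside the VNet range from the question (10.1.0.0/16). The server name `sqlexample` and all IP addresses below are constructed placeholders; `live_addresses` uses the OS resolver, which is what SSMS uses, so running it from a VPN-connected PC shows which answer the client is actually getting.

```python
"""Check whether an Azure SQL FQDN resolves to a Private Link IP inside the VNet.

Added example (not from the question or answer). If the client's resolver
never follows the privatelink zone, or follows it but still gets a public IP,
then "deny public network access" on the server will block the connection
even though the VPN tunnel itself is up.
"""
import ipaddress
import socket
from dataclasses import dataclass

# Private DNS zone Azure uses for SQL Database private endpoints (from the answer).
PRIVATELINK_ZONE = "privatelink.database.windows.net"


@dataclass
class ResolutionCheck:
    fqdn: str
    via_privatelink: bool   # did the CNAME chain pass through the privatelink zone?
    addresses: list         # final A-record answers, as strings
    in_vnet: bool           # are all answers inside the VNet CIDR?
    verdict: str            # short, human-readable conclusion


def check_resolution(fqdn, cname_chain, addresses, vnet_cidr):
    """Classify a resolution result.

    cname_chain: list of names visited, starting with fqdn (constructed in tests).
    addresses:   list of IPs the chain finally resolved to.
    vnet_cidr:   the VNet address range, e.g. "10.1.0.0/16" from the question.
    """
    net = ipaddress.ip_network(vnet_cidr)
    via_pl = any(name.lower().rstrip(".").endswith(PRIVATELINK_ZONE) for name in cname_chain)
    addrs = [ipaddress.ip_address(a) for a in addresses]
    in_vnet = bool(addrs) and all(a in net for a in addrs)

    if via_pl and in_vnet:
        verdict = "ok: private endpoint IP inside the VNet; traffic stays on the VPN"
    elif via_pl:
        verdict = ("public: privatelink CNAME seen but a public IP was returned; "
                   "the client is using public DNS, so deny-public-access will block it")
    else:
        verdict = ("no-privatelink: chain never reaches the privatelink zone; "
                   "check the private endpoint and the private DNS zone link")
    return ResolutionCheck(fqdn, via_pl, [str(a) for a in addrs], in_vnet, verdict)


def hosts_override_line(fqdn, private_ip, vnet_cidr):
    """Build the hosts-file line for the answer's 'override the DNS' option.

    Refuses to pin anything outside the VNet, so a public IP cannot be
    accidentally hard-coded and mistaken for a private endpoint.
    """
    ip = ipaddress.ip_address(private_ip)
    if ip not in ipaddress.ip_network(vnet_cidr):
        raise ValueError(f"{private_ip} is not inside {vnet_cidr}; refusing to pin it")
    return f"{ip} {fqdn}"


def live_addresses(fqdn, port=1433):
    """Resolve with the OS resolver (the path SSMS takes). Network call; not used by tests."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, port, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Constructed sample: what a correctly configured VPN client should see.
    result = check_resolution(
        "sqlexample.database.windows.net",
        ["sqlexample.database.windows.net", "sqlexample.privatelink.database.windows.net"],
        ["10.1.0.5"],
        "10.1.0.0/16",
    )
    print(result.verdict)
    print(hosts_override_line("sqlexample.database.windows.net", "10.1.0.5", "10.1.0.0/16"))
```

On a VPN-connected PC, pass the output of `live_addresses("<your-server>.database.windows.net")` into `check_resolution` with the CNAME chain from `nslookup` or `Resolve-DnsName`; a `public:` verdict is the symptom of the forwarder/private-zone setup the answer describes being missing, and a `no-privatelink:` verdict points at the private endpoint itself.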
