Sander

Reputation: 137

Connecting to an Azure SQL database with a VPN (Point-to-Site)

I'm trying to connect to an Azure SQL database with the use of a Point-to-Site VPN connection based on Azure AD authentication. I can connect with the VPN without any problems and I get a green status that everything is connected. However, I cannot access the database.

The database is set up so that access is only granted to certain IPs, so we want to use the VPN to access the database. The VPN is set up so that it can connect with a VNET, and the VNET is connected to the SQL database.

I have followed the following tutorials during the setup of the VPN and VNET:

On Stack Overflow I found this question, in which it is stated that the thing I'm trying to do is not possible. However, this post is from 2018. So I was wondering if it already works?

Upvotes: 2

Views: 4085

Answers (3)

Nishant Tyagi

Reputation: 1

Hi, please use the steps below.

First you need to configure the Azure VPN Client.

Then:

1. Navigate to "Firewalls and virtual networks" of your SQL server and make sure to set "Deny public network access" to yes.

2. Create an Azure private endpoint. It will create an endpoint for the SQL server within your virtual network, and it'll be assigned a private IP from within the subnet's IP range. You will use this private IP to connect to the SQL server. On your local machine, make sure you're connected to the VPN and open SQL Server Management Studio:

3. Under "Server name", enter the private IP address of the Azure private endpoint created in step 2.

4. Under the "Login" field, enter the username in the format "username@public_sql_server_name" (e.g. [email protected]). For the password, just enter your password.

5. The last thing to do is to click on "Options" and navigate to "Connection properties". Make sure to check "Encrypt connection" and "Trust server certificate".

This is required as the server's certificate is issued to "my-sql-server.database.windows.net" and you're accessing it via the private IP. If this weren't checked, Management Studio wouldn't trust the server's certificate and would refuse the connection.

Upvotes: 0

Imran

Reputation: 5570

I tried to reproduce the same in my environment and got the results below.

Created an Azure point-to-site virtual network gateway with an Azure certificate.

Generated the client and root certificates, exported the public key, and connected with the VPN client successfully.

Refer: Configure Point to Site VPN Connection using Azure Certificate Authentication

Created a SQL database with a private endpoint.

Make sure to disable public access on the SQL server and try the new private endpoint with Microsoft SQL Server.

Log in to your VM over Remote Desktop, install SQL Server Management Studio, and in Connect to Server enter the fully qualified hostname of your managed instance in the Server name field.

When I tried to connect with my private IP address, it connected successfully.

References:

Configure point-to-site connectivity using SSMS - Azure SQL Managed Instance | Microsoft Learn

Connect to an Azure SQL server using an Azure Private Endpoint - Azure portal | Microsoft Learn

Upvotes: 4

jikuja

Reputation: 460

A private endpoint is the only way to connect to Azure SQL through a S2S (and P2S) VPN: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview / https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql.

A VNet rule (aka service endpoint) works only from an Azure VNet subnet to the SQL resource: https://learn.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview?view=azuresql

Upvotes: -1
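As an added example (not code from any of the answers above or from Microsoft), the following Python script models the two checks worth running once the private endpoint from the answers is in place: whether the server name actually resolves to the private endpoint's address inside the VNet (the only path jikuja's answer says works over P2S) rather than to the public gateway, and what the two SSMS choices from Nishant's answer look like as connection strings. Connecting by the FQDN lets the server certificate validate normally, which is why Imran's answer enters the fully qualified hostname; connecting by the private IP needs "Trust server certificate" (TrustServerCertificate=yes), which turns off hostname validation and should be the fallback, not the default. When a privatelink.database.windows.net private DNS zone is linked to the VNet, the public FQDN resolves to the private endpoint IP while the VPN is connected. The server name, database name, VNet range, private IP and DNS answers below are constructed assumptions.

```python
import ipaddress
import socket
from typing import Dict, Optional

# Constructed sample values (assumptions, not values from the original post):
# the VNet address space and the address the private endpoint NIC received.
VNET_CIDRS = ["10.1.0.0/16"]

# Constructed DNS answers standing in for the OS resolver while on the VPN.
SAMPLE_DNS = {
    # Private DNS zone linked to the VNet: FQDN -> private endpoint IP.
    "my-sql-server.database.windows.net": "10.1.2.4",
    # No private DNS zone: the same kind of name -> public gateway (documentation
    # address 203.0.113.10, not a real Azure gateway).
    "my-sql-server-public.database.windows.net": "203.0.113.10",
}


def resolve(host: str, table: Optional[Dict[str, str]] = None) -> str:
    """Return the IPv4 address for host: from the constructed table when one is
    given, otherwise from the OS resolver (what SSMS itself would use)."""
    if table is not None:
        return table[host]
    return socket.gethostbyname(host)


def is_private_endpoint_ip(ip: str, vnet_cidrs=VNET_CIDRS) -> bool:
    """True when the address lies inside the VNet, i.e. traffic will go to the
    private endpoint over the VPN instead of the public gateway."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in vnet_cidrs)


def check_path(host: str, table: Optional[Dict[str, str]] = None) -> dict:
    """Classify how a connection to host would be routed."""
    ip = resolve(host, table)
    path = "private-endpoint" if is_private_endpoint_ip(ip) else "public"
    return {"host": host, "ip": ip, "path": path}


def connection_string(server: str, user: str, password: str, database: str,
                      use_ip: Optional[str] = None) -> str:
    """Build an ADO.NET-style connection string for Azure SQL.

    Without use_ip the FQDN is used: the certificate name matches, so
    TrustServerCertificate stays off and the TLS endpoint is verified.
    With use_ip the private endpoint address is used (Nishant's step 3): the
    certificate is issued to the FQDN, so the connection only succeeds with
    TrustServerCertificate=yes, which disables that verification."""
    short_name = server.split(".")[0]
    login = f"{user}@{short_name}"  # username@servername format from the answer
    if use_ip is None:
        target, trust = server, "no"
    else:
        target, trust = use_ip, "yes"
    return (f"Server=tcp:{target},1433;Database={database};User ID={login};"
            f"Password={password};Encrypt=yes;TrustServerCertificate={trust};")


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(check_path(name, SAMPLE_DNS))
    print(connection_string("my-sql-server.database.windows.net",
                            "dbadmin", "<password>", "appdb"))
    print(connection_string("my-sql-server.database.windows.net",
                            "dbadmin", "<password>", "appdb", use_ip="10.1.2.4"))
```

Run it with the constructed table to see the two routing outcomes; drop the table argument to query the real resolver from a VPN-connected machine, where a public answer for the FQDN means the private DNS zone is missing and SSMS will be blocked by "Deny public network access" exactly as in the question.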
