
I'm building a network of VMs in Azure: one group of VMs for the web tier and one group of VMs for the data/SQL tier. I will create a jumpbox VM that enables access for devops purposes via VPN.

Now I read that I should have minimal software and connection options on my actual VMs, as access should run via the jumpbox to minimize the attack surface of my VMs and to have a central access point.

Now I want to do two things:

  1. Connect via Remote Desktop to all my VMs. I figured I can simply create a VPN RDP connection to my jumpbox and, when logged into my jumpbox, simply open another RDP window to my other VMs using the internal v-network IP.

  2. Access my (load-balanced w/ availability set) MSSQL 2016 instance directly via SQL Server Management Studio or an application using a connection string. The MSSQL instance lives on my sql-tier VM, not on my jumpbox; can I somehow forward SQL traffic from my jumpbox to my sql-tier VM? I would guess that accessing the sql-tier VM directly goes against the whole idea of having a jumpbox.

Notes: running MS SQL Server 2016 on Windows Server 2016

user2713516
  • Do you mean your webtier VMs and sql-tier VMs in different vnet? maybe you can create site-to-site VPN between them. – Jason Ye Feb 14 '17 at 09:12
  • They would be in the same vnet as displayed here: https://docs.microsoft.com/en-us/azure/guidance/guidance-compute-n-tier-vm – user2713516 Feb 14 '17 at 12:12
  • We can access your VMs in Azure via the jump box; your first point is correct. If you want to forward SQL traffic from the jump box to an Azure VM, you can deploy some proxy software to forward the SQL traffic; also, you should enable IP forwarding on the VMs. – Jason Ye Feb 15 '17 at 06:03

2 Answers


There are many ways to go about this; there is no direct answer without knowing your business needs. I highly recommend reading this and deciding for yourself: https://docs.microsoft.com/en-us/azure/best-practices-network-security?toc=%2fazure%2fvirtual-network%2ftoc.json

A jumpbox will not be the most secure design when it comes to Azure, as there are free tools you can use that are cheaper and more convenient than the jumpbox.

I would avoid having SQL open to the internet at all costs. Unless you have a strong business case for that, use a Network Security Group with ACLs to allow access to it only from specific IP addresses.

For your Multitier deployment, I'd recommend the following:

  • Create a single Resource Group to host the environment.
  • Create a Vnet with three subnets, one for frontend, the second for backend, the third for VPN.
  • Create two Network Security Groups (NSG), and associate them to the frontend and backend subnets.
  • For the frontend NSG, only allow HTTP/HTTPS.
  • For the backend NSG, disable all kind of access from the internet even for RDP and SQL, and allow only access from the frontend subnet.
  • Enable VPN on the subnet level and configure a site-to-site connectivity to your work place, or point-to-site and only allow it for specific people whom you trust.

This is a much better deployment scenario; here's a good summary of how it should look:

[image: diagram of the recommended deployment]

References:

Network Security Groups: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-portal

Azure Site-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal?toc=%2fazure%2fvirtual-network%2ftoc.json

Azure Point-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

Access Control Lists: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-acl-powershell

Noor Khaldi
  • Thanks, I actually got the jumpbox idea from another Azure doc page, https://docs.microsoft.com/en-us/azure/guidance/guidance-compute-n-tier-vm. However, I'm planning to access my sql-VMs via a VPN installed on that specific VM (SoftEther or OpenVPN) and do the same for my web-tier VMs. According to the jumpbox diagram, conceptually I shouldn't do this (even though it's a VPN connection and not direct SQL/RDP), hence my question whether running a jumpbox is still beneficial IF I run every connection via VPN? The idea of a single entry point with a jumpbox seems useful regardless. – user2713516 Feb 13 '17 at 07:52
  • The article you posted uses the jumpbox as an RDP host, which is a great idea if you're only going to use RDP from a single IP, but you want to add VPN and SQL/Web access on top of that. I'd recommend avoiding that type of implementation and just going with Azure VPN Point-to-Site; it would be easier to manage since you'll be dealing with VPN as a service, while the jumpbox will add more complexity to your design. You'll have to work with the VM, the VPN, and whatever NATing service you'll be using on the VM; that's too much operation in the future if you ask me. I'm amending my answer with the P2S setup. – Noor Khaldi Feb 14 '17 at 09:35
  • I can definitely see your argument; the thing is that the Azure site-to-site VPN only supports Windows clients as far as I know. For our office this would be fine, but I also need to connect third-party clients via VPN to our data warehouse, and they are not all using Windows clients. I also think the Azure S2S VPN settings are quite limited from a compatibility standpoint (good enough for an office 'site', but with third parties in mind not so). – user2713516 Feb 15 '17 at 13:34
  • Even though this answer wasn't a direct answer to the question, it still gave me some good insights. I'm going to try Azure VPN after all for my Windows clients (and then pass on the jumpbox) for now. – user2713516 Feb 16 '17 at 09:08
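The bullet list in this answer ("for the backend NSG, disable all access from the internet ... and allow only access from the frontend subnet") is easy to get subtly wrong, because Azure evaluates custom rules by priority and then falls through to built-in default rules, one of which (AllowVnetInBound, priority 65000) admits traffic from anywhere in the virtual network. The following is an added example, not code from the answer, from Microsoft or from Azure tooling: a small offline evaluator of the inbound-rule semantics (lowest priority number first, first match wins, then the three default rules), run against a literal reading of the bullets and against a hardened variant. The subnet prefixes, rule names, priorities and the VPN-subnet RDP allowance are constructed assumptions; destination prefixes, protocols, port ranges and the wider reach of the VirtualNetwork tag (peered VNets, on-premises ranges learned via a gateway) are deliberately not modelled.

```python
"""Offline check of a two-NSG design: inbound rules are evaluated lowest
priority number first, the first match wins, and Azure's built-in default
rules run after the custom ones.  Subnet prefixes, rule names and priorities
are constructed assumptions, not values from the answer."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed address plan: one VNet with the three subnets the answer suggests.
VNET = ipaddress.ip_network("10.0.0.0/16")
FRONTEND_SUBNET = "10.0.1.0/24"
BACKEND_SUBNET = "10.0.2.0/24"   # the subnet the backend NSG is attached to
VPN_SUBNET = "10.0.3.0/24"       # assumed gateway/VPN client subnet
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # source of Azure LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # custom rules use 100-4096; lower numbers are evaluated first
    access: str    # "Allow" or "Deny"
    source: str    # CIDR prefix or service tag: Internet, VirtualNetwork, AzureLoadBalancer, *
    port: str      # destination port or "*" (port ranges omitted for brevity)


# Azure's default inbound rules; they always run after the custom rules.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
)

# Frontend: only HTTP/HTTPS from the internet, as the answer recommends.
FRONTEND_NSG = (
    Rule("AllowHttpFromInternet", 100, "Allow", "Internet", "80"),
    Rule("AllowHttpsFromInternet", 110, "Allow", "Internet", "443"),
)

# Backend, literal reading of the bullets: block the internet, allow SQL from the frontend.
BACKEND_NSG_NAIVE = (
    Rule("AllowSqlFromFrontend", 100, "Allow", FRONTEND_SUBNET, "1433"),
    Rule("DenyInternet", 200, "Deny", "Internet", "*"),
)

# Backend, hardened: same allows, plus an explicit VNet-wide deny placed BEFORE
# the default AllowVnetInBound so that "only the frontend subnet" actually holds.
BACKEND_NSG_HARDENED = (
    Rule("AllowSqlFromFrontend", 100, "Allow", FRONTEND_SUBNET, "1433"),
    Rule("AllowRdpFromVpnSubnet", 110, "Allow", VPN_SUBNET, "3389"),  # assumed ops path
    Rule("DenyVnetInBound", 4096, "Deny", "VirtualNetwork", "*"),
)


def source_matches(rule_source: str, src: ipaddress.IPv4Address) -> bool:
    """Simplified service-tag semantics: Internet is everything outside the VNet."""
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        return src not in VNET
    if rule_source == "VirtualNetwork":
        return src in VNET
    if rule_source == "AzureLoadBalancer":
        return src == AZURE_LB
    return src in ipaddress.ip_network(rule_source)


def evaluate(rules: Iterable[Rule], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, name of the first matching rule) for one inbound flow."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src) and rule.port in ("*", str(dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation-range internet host.
    cases = [
        ("frontend", FRONTEND_NSG, "203.0.113.7", 443),
        ("frontend", FRONTEND_NSG, "203.0.113.7", 3389),
        ("backend-naive", BACKEND_NSG_NAIVE, "203.0.113.7", 1433),
        ("backend-naive", BACKEND_NSG_NAIVE, "10.0.3.10", 1433),   # VPN host reaches SQL!
        ("backend-hardened", BACKEND_NSG_HARDENED, "10.0.3.10", 1433),
        ("backend-hardened", BACKEND_NSG_HARDENED, "10.0.3.10", 3389),
        ("backend-hardened", BACKEND_NSG_HARDENED, "168.63.129.16", 1433),
    ]
    for label, rules, src, port in cases:
        access, name = evaluate(rules, src, port)
        print(f"{label:17} {src:>15} -> :{port:<5} {access:5} ({name})")
```

The run shows the point: with the naive backend rule set, a host in the VPN subnet (10.0.3.10) still reaches port 1433 through the default AllowVnetInBound rule, because the explicit "deny internet" rule never sees intra-VNet traffic. The hardened set closes that with a VirtualNetwork deny at priority 4096, which still leaves the Azure load balancer's health-probe source (168.63.129.16) allowed by the default rule at 65001, so a load-balanced SQL availability set keeps working.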

Connect via Remote Desktop to all my VM's, I figured I can simple create a VPN RDP connection to my jumpbox, and when logged into my jumpbox, simply open another RDP window to my other VM's using the internal v-network IP.

Yes, we can deploy a VM to work as a jump box.

Access my (loadbalanced w/ availability set) MSSQL 2016 instance directly via SQL Server Management Studio or an application using a connection string. The MSSQL instance lives on my sql-tier VM, not on my jumpbox, can I somehow forward SQL traffic from my jumpbox to my sql-tier VM? I would guess that accessing the sql-tier VM directly goes against the whole idea of having a jumpbox.

We can deploy RRAS (VPN) on the jump box; it works as a P2S VPN server. Once you connect to the RRAS server, you will be able to connect to the Azure VMs directly. We can use a Windows client to connect to the RRAS server; we can also install SSTP-Client on Linux and then use Linux to connect to the RRAS server.

For more information about enabling RRAS as a VPN server, please refer to the link.

Jason Ye