
I have a VPN connection to my Azure cloud. When I connect I am able to see most of my network devices such as virtual machines. However, I am not able to see Azure SQL databases. I contacted support and they explained that this is not supported and that I can only access Azure SQL from outside of the cloud if I open the ports to certain IPs. To me that seems like a major security issue and an inconvenience, as support staff may be connecting from different locations and different IPs from time to time. I am wondering how others have overcome this issue.

CodeMilian
  • Do you have any question on my reply? – Nancy Aug 21 '19 at 08:37
  • Hi @NancyXiong thanks for the answer. It didn't solve my problem; we ended up rolling our own VPN software. Managed Instance is also not an option for my current case. We got pretty far with a native VPN solution and configurations, but then we ran into an issue with two-factor. It's a shame this is not a simple out-of-the-box solution for Azure. – CodeMilian Aug 22 '19 at 00:02
  • Someone at ServerFault has suggested that the general problem can be addressed by mere routing setting in the Azure VPN Gateway. I'm not sure if that's true and if it will address the 2FA issue or not, but you can check that answer here: https://serverfault.com/questions/899661/how-do-i-connect-to-an-azure-sql-server-via-an-azure-vpn-gateway/944228#944228 – Hilarion Apr 12 '21 at 19:40

1 Answer


Azure SQL Database is public over the Internet; however, the traffic through a VPN connection from your on-premises network is private, so accessing Azure SQL Database over VPN is not supported. Also, VNet Service Endpoints don't extend to on-premises. To allow access from on-premises, firewall rules can be used to limit connectivity to only your public (NAT) IPs.

In this case, you can use firewall rules and VNet Service Endpoints together. You could get more details from this blog: General availability of VNet Service Endpoints for Azure SQL Data Warehouse

Another option is to use Azure SQL Database Managed Instance, which must be deployed within an Azure virtual network, in a subnet dedicated to Managed Instances only. Then you could use VNet Peering or a S2S VPN to connect to your on-premises network.

Hope this could help you.

Nancy
  • It is crazy that this endpoint is public. What is Azure thinking about? Even after applying firewall rules the port can be probed. This is not good. – AFP_555 Jun 02 '20 at 04:57
  • @AFP_555 I mean by default it's public, but currently you can use a private endpoint for the database. See [azure private endpoint](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview). – Nancy Jun 02 '20 at 05:21
  • Yeah, but you can't use the Basic tier with a private endpoint. They are basically charging you $100/month more just to have private communication. This is crazy. In AWS you can have a t2.nano and a m5.8xlarge with the same networking security. I don't get it... You have to choose to waste your money on resources that won't ever be used or to get hacked because you can't afford an expensive BASIC security. – AFP_555 Jun 03 '20 at 00:09