Accessing Azure resources from an offsite location

MrFlinstone 481 Reputation points
2022-06-11T19:39:53.303+00:00

I have an Azure application that runs on a PaaS architecture. To access Azure resources like SQL or add, I would like that to go through a secure virtual machine instead of from personal devices, which is what happens today.

The problem today is that access is from personal devices, which can be a personal PC or laptop. Secondly, if the personal laptop is compromised, this presents a risk. Third point: IP addresses change from ISPs when coming from a personal device, which means that multiple IP address entries are required for the SQL firewall. If access is from a VM, the hassle of managing public IP address entries can be eliminated.

What is the best way to configure this (jump host, bastion host, VPN), and is it possible to have more than one virtual machine for access from a disaster recovery perspective? I am after a few options with some comments on the cost implication please, and if it can be on demand.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.

1 answer

  1. msrini-MSFT 9,256 Reputation points Microsoft Employee
    2022-06-13T04:00:44.98+00:00

    Hi MrFlinstone-1451,

    You can configure P2S in the VNET by deploying a VPN gateway, using certificate-based auth, and sharing the exe file and cert with the users who want to access the SQL remotely.

    This way, remote users can securely connect to the Azure VNET. You will need to set up a Private Endpoint in the same VNET and link it to the SQL resource.

    When that happens, all traffic to the SQL will be over a private connection, and you can block public access to the SQL completely.

    Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
    Private Endpoint: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal

    Regards,
    Karthik Srinivas
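
A check to run from a client once the P2S VPN and Private Endpoint described in the answer are in place, added here as an example and not part of the original answer: it classifies the addresses the SQL server name resolves to as inside the VNet, private but elsewhere, or public. The server name `example-sqlsrv.database.windows.net` and the VNet prefix `10.20.0.0/16` are hypothetical, and the sample addresses are constructed.

```python
import ipaddress
import socket

# Hypothetical values for illustration; substitute your own.
SQL_FQDN = "example-sqlsrv.database.windows.net"
VNET_PREFIXES = ["10.20.0.0/16"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolution(addresses, vnet_prefixes):
    """Say which path a client would take to the SQL server.

    "private-endpoint": every address is inside the VNet address space.
    "private-other":    private addresses, but not in this VNet.
    "public":           at least one address is not RFC 1918 space.
    "unresolved":       the name returned no addresses.
    """
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not ips:
        return "unresolved"
    # Any public answer means the connection may not use the private endpoint.
    if any(not any(ip in n for n in RFC1918) for ip in ips):
        return "public"
    if all(any(ip in v for v in vnets) for ip in ips):
        return "private-endpoint"
    return "private-other"


def resolve(host, port=1433):
    """Return the distinct addresses the local resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample answers, so the logic can be seen without a VPN.
    for sample in (["10.20.1.5"], ["203.0.113.10"], ["192.168.1.4"], []):
        print(sample, "->", classify_resolution(sample, VNET_PREFIXES))
    live = resolve(SQL_FQDN)
    print(SQL_FQDN, live, "->", classify_resolution(live, VNET_PREFIXES))
```

Run it on a client while the VPN is connected; a result of `public` means that client still resolves the server's public address rather than the Private Endpoint.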