How to enable SQL PrivateLink connection when SQL server is behind Active/Passive load balanced firewall pair

TGS Service Account 0 Reputation points
2024-04-26T17:06:55.22+00:00

We have configured an Edge VNET that contains an ELB with our public IP that goes to a pair of Fortinet firewalls. Those firewalls route traffic to our spoke VNET that contains our SQL server that has a PrivateLink interface. If I leave external access enabled I can connect directly to the DB but this bypasses the firewall. I am having trouble figuring out how to force the access to come in through the ELB and firewalls to the DB because the TLS connection fails.

Azure SQL Database
Azure Private Link

1 answer

  1. GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee
    2024-05-01T13:42:55.92+00:00

    Hello @TGS Service Account,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to enable a Private Link connection for your SQL server which is behind an Active/Passive load-balanced firewall pair.

    This type of setup can be found in the below tutorial:

    https://learn.microsoft.com/en-us/azure/private-link/tutorial-inspect-traffic-azure-firewall

    The above tutorial uses Azure Firewall, but the same setup can be used with any third-party network virtual appliance.

    You need to make sure that the below configurations are done:

    • Create a private endpoint for Azure SQL.
    • Create a peering between the private endpoint virtual network and the edge virtual network.
    • Link the virtual networks to private DNS zone. The private DNS zone created during the private endpoint creation of Azure SQL must be linked to both Edge Vnet and spoke virtual network.
    • Configure firewall rules in your NVA for Azure SQL to allow communication from edge Vnet to the private endpoint of the Azure SQL server.
    • Route traffic between the Edge Vnet and Azure SQL through the NVA.

    A few more references:

    https://learn.microsoft.com/en-us/azure/private-link/inspect-traffic-with-azure-firewall

    https://techcommunity.microsoft.com/t5/azure-database-support-blog/azure-sql-db-private-link-private-endpoint-connectivity/ba-p/1235573

    If your active-passive load-balanced firewall pair is configured as shown in the below doc, then Source Network Address Translation (SNAT) needs to be performed by the NVA instances to attract the return traffic and avoid traffic asymmetry.

    Refer: https://learn.microsoft.com/en-us/azure/architecture/networking/guide/nva-ha#load-balancer-design

    If you have any additional questions or your setup is different, please share the same for further discussion.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

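As an added example, not part of the answer above nor of Microsoft's tutorial, the following Azure CLI script covers the items in the answer that are configured on the Azure side: the private endpoint (item 1), the hub/spoke peering (item 2), the `privatelink.database.windows.net` zone linked to both the edge and the spoke VNet plus the DNS zone group on the endpoint (item 3), and a route table that sends traffic for the private endpoint subnet to the firewall pair (item 5). Item 4 (the allow rules) and the SNAT the answer mentions are configured on the Fortinet units themselves, so they are only noted in comments. Every resource name, address range, subscription id and the NVA internal load balancer IP `10.0.1.4` are constructed placeholders; the `--allow-forwarded-traffic` flag on the spoke side of the peering is there so the spoke accepts packets that the NVA forwards rather than originates. With `DRY_RUN=1` the script prints the `az` commands instead of executing them, so it can be reviewed without an Azure login.

```shell
#!/bin/sh
# Added example (not from the Q&A thread). Azure CLI skeleton for exposing an
# Azure SQL private endpoint behind a hub NVA pair. All names, ranges and ids
# below are constructed placeholders; override them via the environment.
# DRY_RUN=1 prints the az commands instead of running them.
set -eu

RG="${RG:-rg-sql-privatelink}"
LOCATION="${LOCATION:-eastus}"
EDGE_VNET="${EDGE_VNET:-edge-vnet}"                   # hub VNet: ELB + Fortinet pair
SPOKE_VNET="${SPOKE_VNET:-spoke-vnet}"                # spoke VNet: private endpoint
PE_SUBNET="${PE_SUBNET:-pe-subnet}"
PE_SUBNET_PREFIX="${PE_SUBNET_PREFIX:-10.1.2.0/24}"   # constructed spoke range
EDGE_CLIENT_SUBNET="${EDGE_CLIENT_SUBNET:-edge-client-subnet}"
NVA_ILB_IP="${NVA_ILB_IP:-10.0.1.4}"                  # internal LB frontend of the NVA pair (assumed)
SQL_SERVER="${SQL_SERVER:-mysqlserver}"               # Azure SQL logical server name
DNS_ZONE="privatelink.database.windows.net"           # zone name Azure SQL uses (not a placeholder)

# Run an az command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Item 1: private endpoint for the SQL logical server (group id "sqlServer").
create_private_endpoint() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    sql_id="<sql-server-resource-id>"
  else
    sql_id=$(az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv)
  fi
  run network private-endpoint create -g "$RG" -n "pe-$SQL_SERVER" \
    --vnet-name "$SPOKE_VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$sql_id" \
    --group-id sqlServer --connection-name "conn-$SQL_SERVER"
}

# Item 2: peer edge and spoke in both directions. The spoke side allows
# forwarded traffic so packets relayed by the NVA are accepted.
create_peering() {
  run network vnet peering create -g "$RG" -n edge-to-spoke \
    --vnet-name "$EDGE_VNET" --remote-vnet "$SPOKE_VNET" --allow-vnet-access
  run network vnet peering create -g "$RG" -n spoke-to-edge \
    --vnet-name "$SPOKE_VNET" --remote-vnet "$EDGE_VNET" \
    --allow-vnet-access --allow-forwarded-traffic
}

# Item 3: one private DNS zone, linked to BOTH VNets, and a zone group on the
# endpoint so the server's A record is written into that zone.
link_private_dns() {
  run network private-dns zone create -g "$RG" -n "$DNS_ZONE"
  for vnet in "$EDGE_VNET" "$SPOKE_VNET"; do
    run network private-dns link vnet create -g "$RG" --zone-name "$DNS_ZONE" \
      -n "link-$vnet" --virtual-network "$vnet" --registration-enabled false
  done
  run network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-$SQL_SERVER" -n default \
    --private-dns-zone "$DNS_ZONE" --zone-name sql
}

# Item 4 (firewall allow rules for TCP/1433 to the endpoint IP) and the SNAT
# on the NVA are set in the Fortinet configuration, not through az.

# Item 5: route edge-side traffic for the endpoint subnet through the NVA pair.
route_via_nva() {
  run network route-table create -g "$RG" -n rt-edge-clients -l "$LOCATION"
  run network route-table route create -g "$RG" --route-table-name rt-edge-clients \
    -n to-sql-pe --address-prefix "$PE_SUBNET_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_ILB_IP"
  run network vnet subnet update -g "$RG" --vnet-name "$EDGE_VNET" \
    -n "$EDGE_CLIENT_SUBNET" --route-table rt-edge-clients
}

main() {
  create_private_endpoint
  create_peering
  link_private_dns
  route_via_nva
}

# Apply only when invoked as "./script.sh apply"; otherwise the file can be
# sourced for its functions or inspected with DRY_RUN=1 ./script.sh apply.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

After applying, the check that matters for the "TLS connection fails" symptom is that a client in the edge VNet resolves `<server>.database.windows.net` to the private endpoint's address inside `10.1.2.0/24` (the constructed spoke range), which only happens when the zone is linked to that VNet as in `link_private_dns`.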