HectorRobles-4661 asked HectorRobles-4661 answered

Azure SQL Access Through VPN

I am wanting to configure my Azure SQL Server to only be accessible through the VPN Gateway. Is this possible? I've read through much documentation to affirm this and I cannot find a direct solution.

Tags: azure-sql-database, azure-vpn-gateway

Hello @HectorRobles-4661,

Could you please provide an update on this post?

Kindly let us know if the below helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

HectorRobles-4661 answered

The solution ended up being to use another host as a DNS server that redirected the IP called by a host connected to the VPN to the private endpoint.


RaviVarmanMSFT-5919 answered RaviVarmanMSFT-5919 commented

Hi @HectorRobles-4661

You want to restrict Azure SQL server access to the VPN gateway only, i.e. traffic from on-prem reaches the SQL server via the private network, not via the public network.

You can achieve it via site-to-site or point-to-site connectivity.

Site-to-site connectivity between on-prem and Azure needs to be in place.
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Or

Point-to-site connectivity between on-prem and Azure needs to be in place.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps

Create private endpoint for your SQL server to enable private connectivity.
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal

For site-to-site connectivity, for on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure.
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

Or

For point-to-site connectivity, have a hosts entry on the client machine for the FQDN of the SQL server (e.g. SQLservername.privatelink.database.windows.net) pointing to the private endpoint IP.

Deny public network access under Firewalls and virtual networks of the SQL server.
https://docs.microsoft.com/en-gb/azure/azure-sql/database/connectivity-settings#deny-public-network-access

Once the setup is in place, from on-prem (S2S) or the client machine (P2S) you should be able to access the Azure SQL server via the VPN gateway.

Hope this was helpful. Please let us know in case of any additional questions or concerns.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



I am still finding a challenge with this solution. I can still connect to the SQL server, with P2S, using the private link/endpoint WITHOUT being logged into the VPN.


@HectorRobles-4661 When you establish point-to-site connectivity, you need to set up the point-to-site configuration under the virtual network gateway. Before Azure accepts a P2S VPN connection, the user has to be authenticated first, based on the protocol you use for the P2S connection. The IP address pool defined under the P2S configuration is the range of IP addresses your client machine is going to get for the private communication. From the client machine, when you access the SQL server FQDN it resolves to the private IP of the SQL server private endpoint (as we have hosts entries on the client machine), and the private IP communication traverses the VPN gateway from your client machine and reaches the private endpoint of the SQL server.

Ref https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#protocol

Please let us know in case of any additional questions or concerns.

HectorRobles-4661 answered HectorRobles-4661 published

I set up the P2S config with the VPN and the private link works in SSMS when I'm connected to the VPN. But when I'm NOT connected to the VPN and use the private link, I can STILL connect to the SQL server through SSMS. I do not want to be able to connect to the SQL server through SSMS if I'm NOT on the VPN. It prompts me to add a VPN rule to allow my machine's IP. I do not want to be able to connect at all without being connected to the VPN.


Hi @HectorRobles-4661

Enable Deny public access under Security --> Firewalls and Virtual Network of your SQL server; this will disable public access to your SQL server.


The FQDN private link stops working in SSMS when I disable public access to the SQL Server. It doesn't work when I'm on the VPN either.


@HectorRobles-4661

Please have a hosts entry on your client machine for the private endpoint name, e.g. SQLservername.privatelink.database.windows.net
Disable the public access on the SQL server
In SSMS use the FQDN SQLservername.privatelink.database.windows.net; you should be able to access the SQL server via P2S when public access is disabled

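A check script for the setup described in RaviVarmanMSFT-5919's answer and the last comment, added here as an example (it is not code from the thread or from Microsoft's docs): it reads the server's public network access setting, then checks from the client whether the privatelink name resolves to the private endpoint and whether TCP 1433 answers there, and only turns public access off when the server is still reachable over the internet. $ResourceGroup, $ServerName and $ExpectedPeIp are placeholders; the script assumes the Az.Sql module and an existing Connect-AzAccount session.

```powershell
# Added example, not code from the thread or from Microsoft's docs.
# Placeholders: $ResourceGroup, $ServerName and $ExpectedPeIp (the private endpoint
# NIC address shown in the portal). Assumes the Az.Sql module and an existing
# Connect-AzAccount session; the DNS and TCP checks run on the P2S client machine.
$ResourceGroup = "rg-placeholder"
$ServerName    = "sqlservername"
$ExpectedPeIp  = "10.1.2.4"
$PrivateFqdn   = "$ServerName.privatelink.database.windows.net"

# 1. Server side: read the public network access setting of the logical server.
$server = Get-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName

# 2. Client side: resolve the privatelink name through the OS resolver, as SSMS
#    does, so a hosts entry or a DNS forwarder answer is taken into account.
try {
    $ips = @([System.Net.Dns]::GetHostAddresses($PrivateFqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
} catch { $ips = @() }
$resolvesToPe = $ips -contains $ExpectedPeIp

# 3. Client side: only meaningful once the name points at the private endpoint;
#    the public gateway accepts TCP even when it will refuse the login afterwards.
$connected = $false
if ($resolvesToPe) {
    $tcp = Test-NetConnection -ComputerName $ExpectedPeIp -Port 1433 -WarningAction SilentlyContinue
    $connected = [bool]$tcp.TcpTestSucceeded
}

# 4. Interpret, matching the situations reported in the thread.
if ($resolvesToPe -and $connected) {
    "OK: $PrivateFqdn -> $ExpectedPeIp and 1433 answers; traffic takes the private path over the VPN."
} elseif ($resolvesToPe) {
    "$PrivateFqdn -> $ExpectedPeIp but 1433 does not answer: the client is not on the VPN (expected off-VPN behaviour)."
} else {
    "$PrivateFqdn -> $($ips -join ', '): DNS is not pointing at the private endpoint (hosts entry or DNS forwarder missing)."
    if ($server.PublicNetworkAccess -ne "Disabled") {
        "PublicNetworkAccess is '$($server.PublicNetworkAccess)': SSMS still connects over the internet without the VPN. Disabling it."
        Set-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName `
            -PublicNetworkAccess "Disabled" | Out-Null
    } else {
        "PublicNetworkAccess is already Disabled: logins over that public address are refused until DNS is fixed."
    }
}
```

Run it once off the VPN and once on it: the two runs should land in the second and first branch respectively, and the third branch is the state the original question describes.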