MrFlinstone-1451 asked MrFlinstone-1451 commented

Accessing Azure resources from an offsite location

I have an Azure application that runs on a PaaS architecture. To access Azure resources like SQL or AAD, I would like that access to go through a secure virtual machine instead of from personal devices, which is what happens today.

The problem today is that access is from personal devices, which can be a personal PC or laptop; secondly, if the personal laptop is compromised this presents a risk. Third point, IP addresses change from ISPs when coming from a personal device, which means that multiple IP address entries are required for the SQL firewall; if access is from a VM, the hassle of managing public IP address entries can be eliminated.

What is the best way to configure this (jump host, bastion host, VPN), and is it possible to have more than one virtual machine for access from a disaster recovery perspective? I am after a few options with some comments on the cost implication please, and whether it can be on demand.

azure-vpn-gateway azure-bastion

1 Answer

msrini-MSFT answered MrFlinstone-1451 commented

Hi MrFlinstone-1451,

You can configure P2S in the VNET by deploying a VPN gateway, use certificate-based auth, and share the .exe file and certificate with the users who want to access the SQL remotely.

This way users from remote can securely connect to the Azure VNET. You will need to set up a Private Endpoint in the same VNET and link it to the SQL resource.

When that happens, all traffic to the SQL will go over a private connection and you can block public access to the SQL completely.

Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Private Endpoint: https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal

Regards,
Karthik Srinivas


Please note that there is no vNet currently for SQL.


Hello.

I have configured the P2S VPN connection.

However I do have some constraints.

How can I allow users to connect to SQL Server using Azure AD authentication whilst connected via the VPN?

I got SQL login working using the username in the format sqlLOGIN@mydb.database.windows.net; however, what I want to get working is Azure AD with MFA. If I use the vNet IP address, which works for SQL authentication, and select Azure AD authentication with MFA, I get the error: Cannot open server "10.1.1.x" requested by the login. The login failed. Microsoft SQL Server Error 40532.

One of my objectives is to provide connectivity to SQL without having to allow the public IP address of several users.
Is there a way to have a friendly name for connectivity rather than using the IP address on the vNet?

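The design from the answer above (Private Endpoint in the VNet that the P2S gateway serves, public access to the SQL server closed) and the follow-up question about a friendly name instead of the 10.1.1.x address, as an added infrastructure-as-code example. This is not code from the answer, from the asker, or from the linked Microsoft tutorials. It deploys a Private Endpoint for an existing Azure SQL logical server into an existing subnet, creates the privatelink.database.windows.net private DNS zone, links that zone to the VNet and registers the endpoint's private IP in it, so VPN clients keep using the ordinary mydb.database.windows.net host name and have it resolve to the private IP. Azure SQL identifies the logical server from the host name presented at login, which is why addressing it by bare IP is rejected. The parameter names, defaults, resource names and API versions are assumptions.

```bicep
// Added example (not from the thread or Microsoft docs). Assumes: an existing Azure SQL
// logical server, an existing VNet with a subnet reserved for private endpoints, and the
// P2S VPN gateway already attached to that VNet. All names below are placeholders.

param location string = resourceGroup().location
param sqlServerName string                       // existing logical server, e.g. 'mydb'
param vnetName string                            // VNet the P2S gateway is deployed in
param subnetName string = 'sql-pe-subnet'        // subnet that will host the endpoint NIC
param privateEndpointName string = '${sqlServerName}-pe'

// Existing resources are referenced, not created, so nothing else in the VNet changes.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: sqlServerName
}

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: subnetName
}

// Private Endpoint: gives the SQL server a NIC with a private IP inside the VNet.
// groupIds 'sqlServer' is the Private Link sub-resource for Azure SQL logical servers.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: '${privateEndpointName}-conn'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [
            'sqlServer'
          ]
        }
      }
    ]
  }
}

// Private DNS zone for Azure SQL. environment().suffixes.sqlServerHostname is
// '.database.windows.net', so the zone name becomes privatelink.database.windows.net.
// Azure's public DNS CNAMEs <server>.database.windows.net to
// <server>.privatelink.database.windows.net, so this zone answers with the private IP
// for clients inside the VNet while the public FQDN is what the client types.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}

// Link the zone to the VNet so VNet-attached clients (including P2S clients using the
// VNet's DNS) resolve through it. registrationEnabled is off: this zone is only for
// the Private Link records, not for auto-registering VM names.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
    registrationEnabled: false
  }
}

// DNS zone group: Azure writes and maintains the A record for the endpoint's private IP
// in the zone, so the record is never hand-managed and follows the endpoint's lifecycle.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sql'
        properties: {
          privateDnsZoneId: dnsZone.id
        }
      }
    ]
  }
}

output privateEndpointId string = privateEndpoint.id
output sqlFqdn string = sqlServer.properties.fullyQualifiedDomainName
```

Deploy it with `az deployment group create --resource-group <rg> --template-file sql-private-endpoint.bicep --parameters sqlServerName=<server> vnetName=<vnet>`. Once the endpoint is up and a VPN client can resolve the server's FQDN to the private address (a plain `nslookup mydb.database.windows.net` from the connected client should return the 10.x address, not a public one), close the public side with `az sql server update --resource-group <rg> --name <server> --enable-public-network false`; at that point the per-user public IP firewall rules from the question are no longer needed and can be removed. Clients should always connect by FQDN rather than the private IP so the login is routed to the right logical server.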