Private connectivity between Azure SQL Servers for external table link - azure-sql-database

I have a question on the network traffic between two Azure SQL DB servers connected to network via private endpoint.
The setup is as below in Azure.
A private VNet with two subnets - one for VMs and another one for data services.
Two SQL database servers for two different projects. DB Server B should connect to DB Server A to retrieve some common data to reuse. This is done using external table approach. i.e. DB Server B has external tables linked to DB Server A's tables.
Private endpoint between DB Server A to Data Subnet and DB Server B to Data Subnet and the setup is identical.
Both SQL Server firewalls allow "Public Access" but "Allow all azure IP" disabled due to security reasons.
When I queried the external table from database inside Server B, it throws an error that the IP address of server B is not allowed to access database in Server A. The IP address that it shows in the error seems to be a public IP and belongs to Azure DC of the resource's said location.
I can make it work by allowing this public IP of Server B in Server A's firewall but it's not allowed in our security policy to whitelist a public IP of Azure DC. If it's a public IP of our org, then it's allowed.
Any idea how can I establish a private connection between these two SQL servers to make external tables work using this setup?

Related

Azure SQL Network Firewall & Private Endpoint

I have a requirement in my project to pipeline the data from Azure Storage to Azure SQL database. We are using Azure Data Factory (ADF) V2 to perform this pipelining work.
In order to have secure access to Azure SQL DB, I have configured the following properties first.
Deny public network access: No
Connection Policy: Default
Allow Azure services and resources to access this server: No
With the aforementioned settings, the firewall rules have been configured to whitelist a few Public IPs and Virtual Network subnets.
This setting works fine when I use a DB client like SSMS inside a Virtual Machine (part of the subnet already whitelisted). However, it doesn't work when I am trying to create the linked service from ADF. I don't want to turn on this feature "Allow Azure services and resources to access this server" due to security risk to allow ADF connect to the DB. Instead, I have created a Private Endpoint from ADF to SQL Database and approved it but still kept "Deny public network access" --> No.
With the above setup, I have entered into an issue. i.e. The VM which has been successfully connecting to the DB Server doesn't connect to the database server now after enabling Private Endpoint for ADF.
Question:
May I please check what's wrong with this setup? According to MS documentation,
When "Deny public network access" setting is No (default), customers can connect by using either public endpoints (with IP-based firewall rules or with virtual-network-based firewall rules) or private endpoints (by using Azure Private Link), as outlined in the network access overview.
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings
I have configured Private Endpoint for ADF and VNet firewall for public endpoint access through DB client from a VM. But, only one works at time. To make VM client connect to the DB, I had to delete Private Endpoint of ADF whereas to make ADF work, I had to enable private endpoint which disables the DB connectivity from the VM.
Once you enable private end point for SQL then public network access stops working. Hence, that is the reason you are unable to connect from VM. Kindly consider using private end point to connect from your VM as well.
Now, Add both the (ADF and VM ) subnets to the SQL Server >> Firewalls & Networks >> Under the Add existing virtual Network
Create a private Endpoint in the Azure Data factory having the same subnet as the VM.
Hence, Could add the Azure SQL DB as a linked service in Azure Data Factory:
Here is my MyVNET where I have the created the Subnet(VM) and ADFSubnet which has been added to SQL DB existing Virtual networks via which it can be connected to the ADF or with the VM.
Hence, if you create 2 private endpoints for respective services in the same managed Virtual network you will be able to connect.

How to connect Azure SQL database to ASP.NET website hosted on a different server

I have created Sql database from Azure using my subscription. I copied the connection string supplied with my credentials correctly into my code and it work in visual studio but when I deployed to my hosting server for my website it displays connection error. I have set IP range to accept all IP yet not working.
By default, (when you create a new DB), Azure blocks ALL traffic to your database. In order to allow traffic to your database either you need to whitelist all the IP address or the best suggestion in your case is to enable 'Allow access to Azure Services' on the SQL Server settings. Find more details here

Azure SQL Gateways Update

I am fairly new in the database management world and I just received an email from Microsoft Azure warning me that the gateways IP address in my region will change on the 1st of September 2020, which I guess will potentially impact my database.
Therefore I am wondering if I should do something regarding this change knowing that:
My Azure SQL server has a "Default" Connection Policy
I have few IP addresses set in my "Firewall Settings"
I insert data using the SQL connection
I query data using Power BI Azure SQL connector
Best,
Kevin
It means, that if you have applications that connects to the database server via its IP address, or you query (Power BI) the database via its IP address, you will have to update the connection information.
If you access via the hostname of the database, nothing should change.
You need to add the IP addresses of all gateways on your firewall rules, as shown below:
Those are the gateways on my region. Please update with the IP addresses Microsoft sent to you.
"To connect to SQL Database or Azure Synapse, you need to allow network traffic to and from all Gateways for the region.". Source Microsoft documentation here.

Connecting to SQL Azure from Azure VM - internal IP or public VIP

I have an SQL Azure database and Azure Virtual Machine with an application connecting to the database.
They are in the same datacenter and under the same Azure
subscription.
I added public virtual IP of the virtual machine to the list of
allowed IP addresses in the server configure page of management
portal.
Windows Azure Services are marked "Yes" in the "Allowed Services"
section.
When trying to connect, I receive exception: "Client with IP address 'x.x.x.x' is not allowed to access the server.", where x.x.x.x is the internal IP of the VM. I am hesitant to use internal IP in an allowed IP rule. Shouldn't SQL Azure see public IP of the VM during connection?
I am hesitant to use internal IP in an allowed IP rule. Shouldn't SQL
Azure see public IP of the VM during connection?
The calls are being made through the internal network so never actually leave the data centre. Why not add a rule as follows to only allow internal calls by opening the following IP range on the Azure Database:
10.0.0.0 to 10.0.0.255
In the above case you don't need to worry about a transient IP on your VM.
Perhaps try looking at the azure cmdlets that allow you to manage firewall rules by script. You could add a start up job to update a specific rule with the new IP the vm should it change do to a migration or reboot.
Specificially these powershell cmdlets:
New-SqlAzureFirewallRule - Adds a new Sql Azure firewall rule to a
server.
Get-SqlAzureFirewallRules - Returns the firewall rules for
the specified Sql Azure server.
Remove-SqlAzureFirewallRule -
Removes an existing Sql Azure fireall rule.
Sql Azure Cmdlets

Cannot connect to Azure SQL database, even with whitelisted IP

I am currently unable to connect to my Azure SQL database from a separate remote standalone dedicated box in a private datacenter.
I have an Azure SQL database where I manage the list of IP addresses that can connect to this database. This has worked perfectly until now. I have recently set-up a new dedicated box in a private datacenter that needs to query the Azure SQL database at regular 5 second intervals, give or take.
The problem is, this dedicated box cannot establish a connection to the Azure SQL database, despite being able to connect to other remote FTP servers, MySQL servers, etc. The Azure SQL database does have the IP address of the dedicated box on the allowed connection list. Furthermore, I temporarily opened up a massive range of allowed IP addresses (0.0.0.0 -> 255.255.255.255) on the Azure SQL database to see whether this inability to connect may have resulted from IP blocking.
Does anyone have any suggestions or thoughts on what might be causing this and how I could begin debugging the situation better?
To clarify: I can connect to the Azure SQL database from laptops with individual IP addresses in my office and elsewhere, so long as they have been added to the database whitelist; I can make outward connections to remote FTP and MySQL servers from the dedicated box; I have tried to open-up a massive range of allowed IP addresses on Azure SQL with no luck.
Edit
C:\Users\graphite.rack.ID17157>osql -S v7o06blktw.database.windows.net -U XXXXXXX#v7o06blktw -P XXXXXXX
[SQL Server Native Client 11.0] Named Pipes Provider: Could not open a
connection to SQL Server [53].
[SQL Server Native Client 11.0] Login timeout expired
[SQL Server Native Client 11.0] A network-related or instance-specific error
has occurred while establishing a connection to SQL Server. Server is not
found or not accessible. Check if instance name is correct and if SQL Server
is configured to allow remote connections. For more information see SQL Server
Books Online.
To summarize.
Windows Azure SQL Database (formerly known as SQL Azure) works exclusively and only on TCP port 1433. It only support SQL Server Authentication, TCP connection and TDS protocol as of today.
In order to successfully establish connection to SQL Azure one must fulfil the following requirements:
Create SQL Azure server & Database
Setup SQL Azure Server's firewall rules to accept connections from the IP address of application that will connect to that server
Make sure the box (be it Virtual, or home, or whatever) has no blocking outbound TCP port 1433
Explicitly force encryption in connection string
Explicitly chose to not trust server certificate in connection string
Please note that many (if not all) ISPs (Internet Service Providers) and Hosters, as well as IT staff within companies DO block outgoing TCP Port 1433 due to the SQL Slammer worm. This outgoing port blocking appears to be one of the most faced issues of newcommers to SQL Azure.
UPDATE Nov. 2015
As of August 2015, there is preview feature that enables you to use Azure AD to authenticate to Azure SQL Database. You can read more on this new preview feature here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
If you're using corporate network for internet access and facing this problem,
a simple way around this is to use your phone's mobile hotspot for internet access instead.
Be sure to disable your ethernet connection too, which may also be connected to the internet.
Spent hours on this issue. The fix for me was finally found to be my setting on the Xfinity firewall. I had it set to high. Once I changed the setting to low security, I could connect to the Azure sql database with no issues.