Can I use a private on-prem database with cloudbees - cloudbees

I have a database behind a firewall - can I connect to it from cloudbees? What are the options?

The best option is to use the "Weave" on-prem connector:
Weave on prem connector
This runs as a little app, that opens a (secure) outbound websocket, allowing you to get data from private databases from your cloud hosted app.
Other options involve:
write an app that syncs data from your internal DB to a cloud DB
open up your database via a firewall rule/VPN to the cloud (this can be helped by having fixed IPs that your cloud servers use).

Related

Azure Synapse Private Endpoints TrustFailure SSL/TLS secure channel

I am trying to connect from a client in vnet A to a Synapse Workspace and storage account in vnet b using private endpoints.
All traffic between the two vnets is routed via a third party firewall.
The firewall allows all traffic:
If I try to open Synapse Studio I receive an error 'Failed to load'. When I run the PowerShell script provided by Microsoft to test the connection, I receive a TrustFailure on the 'dev' and 'sqlondemand' private endpoints:
Does someone know what causes this problem and how I can fix it?
I tried:
Allowing any applications on the firewall rules
Allowing Azure services and resources to access workspace on network settings of Synapse Workspace
tweaking network settings of the workspace instance
Thank you GregGalloway for your guidance in the comments; the DNS records were wrongly configured. The 'dev' FQDN resolved to the 'sqlondemand' private ip and vice versa. After correcting this, the errors disappeared.
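The fix above came down to two private DNS records pointing at each other's private endpoint. Below is an added check (not part of the original question or answer) that resolves each private-endpoint FQDN and compares it with the private IP the endpoint should have, reporting plain mismatches and the pairwise swap seen here. The workspace name and the IPs are hypothetical; the hostname pattern (`<workspace>.dev.azuresynapse.net`, `<workspace>-ondemand.sql.azuresynapse.net`, `<workspace>.sql.azuresynapse.net`) is the one Synapse uses for its private endpoints.

```python
"""Verify private-endpoint DNS records for a Synapse workspace.

Added example, not from the original post. Expected IPs would normally be read
from each private endpoint's network interface; here they are constructed.
"""
import socket
from typing import Callable, Dict, List

# Hypothetical workspace "contoso-ws" with constructed private IPs.
EXPECTED = {
    "contoso-ws.dev.azuresynapse.net": "10.1.0.5",
    "contoso-ws-ondemand.sql.azuresynapse.net": "10.1.0.6",
    "contoso-ws.sql.azuresynapse.net": "10.1.0.7",
}


def system_resolver(fqdn: str) -> str:
    """Resolve with the host's configured DNS (inside the VNet this should be
    the private DNS zone linked to the private endpoints)."""
    return socket.gethostbyname(fqdn)


def check_private_endpoint_dns(
    expected: Dict[str, str],
    resolve: Callable[[str], str] = system_resolver,
) -> List[str]:
    """Return a list of findings; an empty list means every record is correct.

    Two kinds of findings are produced:
      * "<fqdn>: resolves to X, expected Y" for any wrong or public answer;
      * "<a> and <b>: records are swapped" when two names resolve to each
        other's IP, which is exactly the misconfiguration described above.
    """
    findings: List[str] = []
    observed: Dict[str, str] = {}
    for fqdn, want in expected.items():
        try:
            got = resolve(fqdn)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            findings.append(f"{fqdn}: resolution failed ({exc})")
            continue
        observed[fqdn] = got
        if got != want:
            findings.append(f"{fqdn}: resolves to {got}, expected {want}")

    # Detect pairwise swaps: name A got B's IP and name B got A's IP.
    # Report each pair once by only emitting from the lexically smaller name.
    ip_to_name = {ip: name for name, ip in expected.items()}
    for fqdn, got in observed.items():
        other = ip_to_name.get(got)
        if other and other != fqdn and observed.get(other) == expected[fqdn]:
            if fqdn < other:
                findings.append(f"{fqdn} and {other}: records are swapped")
    return findings


if __name__ == "__main__":
    for line in check_private_endpoint_dns(EXPECTED) or ["all records correct"]:
        print(line)
```

Run it from a VM inside the VNet that uses the private DNS zone; running it from a machine that resolves via public DNS will report public IPs for every name, which is itself a useful signal that the private zone is not linked to that network.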

EF Core connect from Google Cloud Run to Google Cloud SQL

I have tried these:
Data Source=/cloudsql/*****:asia-southeast2:*****;Initial Catalog=*****;Integrated Security=False;User ID=sqlserver;Password=MyPassword0!;MultipleActiveResultSets=True
that /cloudsql/*****:asia-southeast2:***** is my instance connection name described in here.
I tried public IP too like this:
Data Source=***.***.***.***;Initial Catalog=*****;Integrated Security=False;User ID=sqlserver;Password=MyPassword0!;MultipleActiveResultSets=True
with IP address my SQL instance public IP, but it is not working.
I have enabled the sql instance connection from the Cloud Run:
How can I fix the connection string using EF Core?
This is the error I got:
Microsoft.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 25 - Connection string is not valid)
You are trying to use Cloud SQL SQL Server with Cloud Run. But if you have a look at the documentation, this connection is not supported.
In reality, the connection is supported, but the Cloud Run service opens a Unix socket to connect to the SQL Server instance. And there is no SQL Server client compliant with Unix sockets, and therefore you can't access it.
To solve your issue, I recommend you use the Private IP section of this page. You can also achieve the same configuration with the public IP (don't use a serverless VPC connector; go to your Cloud SQL instance and authorize the network 0.0.0.0/0 to access your instance), but, because you need to open the authorized network broadly, I don't recommend this option, for security reasons.
EDIT 1
Because of my bad English, let me explain more!
The best way is to follow the documentation page: Connect Cloud SQL private IP to your VPC, use a serverless VPC connector with Cloud Run, and in your code you can use the private IP in your connection string to access the database.
But you can also use the public IP, which I don't recommend (see below why), at least in its first naive use. In fact, you can use the public IP instead of the private IP in your code. Because you use the public IP, you no longer need the serverless VPC connector on your Cloud Run service (you don't use the VPC but the internet to reach the internet).
However, because you use the internet and Cloud Run is a multi-customer shared service, you don't know your source IP. On Cloud SQL, you need to allow any IP (0.0.0.0/0) in the authorized network section to access your database, which is not a very secure configuration.
Alternatively, you can create a more complex configuration on Cloud Run to use the Cloud SQL public IP securely (but it becomes really complex). Let me dig into it.
I said previously that Cloud Run is a shared service, and you don't manage the source IP when you initiate outgoing calls (like a connection to the database). It's true, but you can control that!
Firstly, you need (again) a serverless VPC connector on your Cloud Run. And you need to set your egress to ALL (route public and private traffic to the serverless VPC connector).
Then, create a Cloud NAT in your VPC and select, at least, your serverless VPC connector subnet to be NATed when going to the internet.
Reserve a public IP on your Cloud NAT configuration
Now you have a public, static IP defined on your Cloud Run service. You can grant only that IP in your Cloud SQL authorized networks, to improve security and not let anybody access your Cloud SQL instance.
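The answer's safe variant ends with the Cloud SQL authorized networks containing only the Cloud NAT static IP, never 0.0.0.0/0. The following added audit (not the answer's or Google's code) checks an instance description for that property. It reads the instance resource shape used by the Cloud SQL Admin API (`settings.ipConfiguration.authorizedNetworks[].value`), which is what `gcloud sql instances describe INSTANCE --format=json` prints; the instance name, the sample networks and the NAT address are constructed for the example.

```python
"""Audit Cloud SQL authorized networks against an expected source list.

Added example, not from the original answer. The JSON below is a constructed
instance description in the Cloud SQL Admin API shape; in practice feed in the
output of `gcloud sql instances describe INSTANCE --format=json`.
"""
import ipaddress
import json
from typing import List

# Constructed sample: the broad shortcut rule next to the intended NAT rule.
SAMPLE_INSTANCE = json.dumps({
    "name": "example-sqlserver",  # hypothetical instance name
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "everyone", "value": "0.0.0.0/0"},
                {"name": "cloud-nat", "value": "203.0.113.10/32"},
            ],
        }
    },
})


def audit_authorized_networks(instance_json: str, allowed_sources: List[str]) -> List[str]:
    """Return one finding per authorized network that is not exactly one of
    allowed_sources (e.g. the IP reserved on the Cloud NAT). Bare IPs are
    treated as /32. An empty list means the configuration is as intended."""
    inst = json.loads(instance_json)
    ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
    findings: List[str] = []
    if not ipcfg.get("ipv4Enabled", False):
        # Private-IP-only instance: authorized networks do not apply.
        return findings
    allowed = {ipaddress.ip_network(s, strict=False) for s in allowed_sources}
    for entry in ipcfg.get("authorizedNetworks", []):
        net = ipaddress.ip_network(entry["value"], strict=False)
        label = entry.get("name", entry["value"])
        if net.prefixlen == 0:
            findings.append(f"{label}: {net} allows any source on the internet")
        elif net not in allowed:
            findings.append(f"{label}: {net} is not an expected source")
    return findings


def remediation_command(instance_name: str, nat_ip: str) -> str:
    """Build the gcloud command that replaces the authorized network list with
    only the NAT address (the --authorized-networks flag overwrites the list).
    The command is returned, not executed."""
    cidr = str(ipaddress.ip_network(nat_ip, strict=False))
    return f"gcloud sql instances patch {instance_name} --authorized-networks={cidr}"


if __name__ == "__main__":
    nat_ip = "203.0.113.10"  # constructed: the IP reserved on the Cloud NAT
    for finding in audit_authorized_networks(SAMPLE_INSTANCE, [nat_ip]):
        print("FINDING:", finding)
    print("fix:", remediation_command("example-sqlserver", nat_ip))
```

Running this over every instance in a project as part of a scheduled check catches the case where someone adds 0.0.0.0/0 "temporarily" to get a deployment working and forgets to remove it once the NAT route is in place.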

Azure App Service connecting to Azure Sql Database

I have a Web App (Azure App Service) and I have an Azure SQL Database that this Web App talks to. I have two questions regarding communication between the two.
When connecting from the Web App to the Database (using the connection string), does the communication go out to the internet and then back into Azure or does Azure know to keep the traffic locally in Azure?
I have been looking into V-Net Service Endpoints as a possible way to improve speed of communication between the two. It is said that when connecting from a VM on V-Net with Service Endpoints enabled to a SQL Database, that Azure knows to keep the traffic internal to the Azure network and not go out to the internet, is this the same for Azure App Services?
Is it possible to keep traffic between an App Service and SQL Database internal to Azure? If so, how do I go about doing this? Any guidance on this is greatly appreciated.
It knows to keep it local on the "Azure backbone" (as per Azure doco). It doesn't go out to the public internet.
Yes
Yes. It is already internal to the "Azure Backbone"
Having said that.... networks are really complicated.
As I understand it, the main benefit of V-Net is that you can define your own network and add things to it like firewalls, security groups, subnets, and peering between networks. Also it helps when setting up a hybrid network, i.e. connecting Azure resources to an on-premises network. When you can set up the same kind of structures as on premise, it's easier to 'transparently' make it part of the on-premises network. Lastly (rereading the doco), you can remove any incoming public IP firewall rules. These are "Azure backbone" IP addresses, but they are also "public internet" addresses.
There may be a performance improvement if the App Service and Azure SQL are on the same V-Net.
Azure SQL service endpoints are a bit mysterious. They "connect" to the VNET, but you still need to connect to a public address. They don't actually take up a local IP address.
Depending on what you are really doing, you might want to look into private endpoint, which actually assigns a private IP to your Azure SQL.
Yes, communication between Azure App Service and Azure SQL Database is "local" within the Azure Virtual Network and does not go out to the public internet.

Azure Cloud Service remote desktop is not working

I have used Azure Cloud Services in the past and enabled RDP when I needed access to the machine for some troubleshooting. Today I needed access again, but I cannot access any cloud service anymore. I enabled RDP with my normal certificate and the same user and password as always, but I just cannot connect.
Adding the RDP connection works fine, but when logging in it just times out. It feels like a port that is blocked. Anyone knows if something has changed?
Your issue looks similar to the thread posted here.
Azure classic cloud service cannot RDP
Here is a document on enabling remote desktop connection for a role in Azure cloud services:
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-new-portal

Microsoft Azure VPN WebApp not communicating with external SQL

The problem I have is that we're trying to use our WebApp in Microsoft Azure to connect to an external SQL-database (not our own) through a VPN. The SQL-database is only allowing connections from our local IP-addresses that we put up as a Network (for example 176.0.0.0/24).
We are now connected to the same virtual private network, and through our Azure-VM we can now connect to the SQL-Server through SQL Server Management Studio.
Now we want to do the same with a WebApp, but we're not getting through to the server. It gets "Not authenticated" before reaching the SQL-Server (probably the server isn't accepting our IP from the WebApp).
The different problems I have tried to look through are:
Do we only try to connect through our Outbound IPs?
Is the WebApp not connected to the VPN?
I have unfortunately not found any real answers, and neither any solutions to my problem. If you have any ideas of how to solve our problem, or maybe know how I could tunnel all of the SQL calls through the VM, the help would be very much appreciated!
Hybrid connection is one option. What you can also do is enable point-to-site in your VPN. Once you do that, you can directly integrate your web app to the vnet and your connections will work. (Go to your web app -> Settings -> Networking -> VNet Integration)
If your VNet is V1 (the older way of creating VNets) then enabling point-to-site is very straightforward. You can do it through the portal. For V2 VNets you have to do it through PowerShell commands.
Here is a link for the documentation which explains both the options.
https://azure.microsoft.com/en-in/documentation/articles/web-sites-integrate-with-vnet/
There's a way to "tunnel all of the SQL-calls through the VM". You may want to use hybrid connections (cf https://azure.microsoft.com/en-us/documentation/articles/integration-hybrid-connection-overview/).
The principle is to have an agent installed on the VM that can access the database with the correct IP address.
Suppose you can access the SQL DB as mysqldbsrv from the VM. You add a hybrid connection associated with your web app, and you install the agent on the VM. Then, when you connect to mysqldbsrv from the Web App, you go through the VM.