Hello Community, i have a Question about an Azure SQL Server and the Azure Firewall. I have configured the Azure SQL Server with Private Endpoints. The Network Hub and Spoke are with peerings connected. The Private DNS Zone is linked to both Virtual Networks. The Public Access is disabled on the Azure SQL Server. No i would like to Use Azure Firewall Rules to Connect from External (WWW) trough the Azure Firewall the Azure SQL Server with Management Studio. I can find nothing to this Scenario. I have to tried it with "DNAT / Application NAT / Network Nut" but nothing works. is it even possible to reach the SQL Database over the Public through the Firewall when the public Access is disabled on the SQL Database? Thanks a lot. Regards, Phil

Hi @Philipp Gerber , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to access the SQL Database's Private EndPoint via Azure Firewall. I am not sure if this is a recommended architecture or a best practice, but with DNAT, you should be able to reach any VM/Private EndPoint in the VNet (or Spoke VNet). Can you access the SQL server via Private EndPoint from VMs in the same Vnet via SSMS? Can you access the SQL server via Private EndPoint from VMs in the Azure Firewall Vnet via SSMS? Can you share a screenshot of how you have configured the DNAT rule from Azure Firewall? Also, from your local machine, you should map the FQDN of SQL server ( XXX.database.windows.net ) to the Public IP of the Firewall You can edit the Host file entry in your local machine to achieve this. Cheers, Kapil

AZURE SQL Server - Access trough the Azure Firewall

Accepted answer

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2022-12-06T06:23:46.117+00:00
Hi @Philipp Gerber ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to access the SQL Database's Private EndPoint via Azure Firewall.

I am not sure if this is a recommended architecture or a best practice, but with DNAT, you should be able to reach any VM/Private EndPoint in the VNet (or Spoke VNet).

Can you access the SQL server via Private EndPoint from VMs in the same Vnet via SSMS?

Can you access the SQL server via Private EndPoint from VMs in the Azure Firewall Vnet via SSMS?

Can you share a screenshot of how you have configured the DNAT rule from Azure Firewall?

Also, from your local machine, you should map the FQDN of SQL server ( XXX.database.windows.net ) to the Public IP of the Firewall
You can edit the Host file entry in your local machine to achieve this.

Cheers,
Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
Philipp Gerber 251 Reputation points

2022-12-06T10:10:47.963+00:00

Hi @KapilAnanth-MSFT ,

thanks for your Answer.

You unterstand it completly correctly.
I'm not sure myself, which is why I'm also reporting here.
However a customer would like it to be exactly the way that all public access to the SQL database is switched off and only accessed via the private endpoint.

In this case also from an external IP without VPN access.

Not to your Questions:

I can Access the SQL server ofer SSMS and the Private Endpoint from an Subnet in the Virtual Network of the Azure Firewall
The Same from the Other Subnets in Azure
So the Configuration from the Private Endpoints are absolutly correct.

Here ist the Screenshot from the DNAT Rule:

I can connect the SQL Server but i have a login failed Error after this.

I have not testet it with a local Host Entry.
But i go also to the Public IP Address or the FQDN of the Public IP Address from the Firewall, so its the same i think.

Regards,
Phil

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2022-12-06T10:19:53.03+00:00

Hi @Philipp Gerber ,

I believe the Destination IP Address here is that of Azure Firewall.

Action Plan

Instead of using FQDN, can you specify IP address and configure the IP of the Private EndPoint

Please make a Host file entry mapping FQDN of SQL server to the Public IP of the Firewall.

After this, open Powershell as Admin and run, ping <FQDNofSQLServer>

ICMP Ping won't work, but we can make sure the FQDN resolves to the IP of Azure Firewall (Please do not use nslookup as it does not work with Hostfile entry)

Post this, run, tnc <FQDNofSQLServer> -p 1433 and see if TCP connection succeeds.

Once the above succeeds, you can use SSMS from your local machine and see if we are able to login.

Let me know if you are stuck at any step mentioned above. Also share the screenshot of the error encountered.

Cheers,
Kapil

Philipp Gerber 251 Reputation points

2022-12-06T10:35:04.63+00:00

Thanks for your Reply.

I will check this Points and give you Feedback.

Philipp Gerber 251 Reputation points

2022-12-06T10:49:09.01+00:00

Thanks a lot for your Answers.

It works now. The Problem was, that i must use the FQDN of the SQL server to Connect correctly.
When i Use other CNAMES its dont work.

I have it tested also with DNAT to the FQDN of the Private Endpoint, and it works too.

Too bad you can't use your own CNAME. But nice that it works now.

Best Regards,
Phil

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2022-12-06T11:53:48.163+00:00

Hi @Philipp Gerber ,

Yes, your observation is correct.

The PaaS service would expect the domain name to be matching. (Probably for TLS Handshakes).

I am glad the issue is now resolved.

I have converted our discussion to an answer for better visibility and reach across the entire Q&A community.
Request you to "Accept the answer" and close this thread.

Cheers,
Kapil
Sign in to comment

AZURE SQL Server - Access trough the Azure Firewall

0 additional answers