My network rule that specifically allows access to public SQL Managed Instance URL does not appear to work

JohnSebastian-3934 441 Reputation points
2024-09-25T15:36:33.22+00:00

I have two virtual hosts in my Azure VNet. The subnet they are in is connected to a route table that sends 0.0.0.0/0 to the internal IP address of my Azure Firewall.

From these virtual hosts, which send traffic through the Azure Firewall, I can reach the internal endpoints of my two SQL Managed Instances, nwm-sqlmi-01.exxxxxxxxxx1.database.windows.net and nwm-sqlmi-prod.exxxxxxxxxx1.database.windows.net.

Both of these SQL MIs are allowing public access as well. Public access for a SQL MI uses port 3342. The endpoints for public access are: nwm-sqlmi-prod.public.exxxxxxxxxx1.database.windows.net and nwm-sqlmi-01.public.exxxxxxxxxx1.database.windows.net.

I cannot reach either of these SQL MIs on their public endpoint using the two virtual machines.

I know that the NSG on the subnet where these two virtual machines reside is configured correctly because if I remove the subnet from the route table that sends traffic through the Firewall, I can connect to the public endpoint of both SQL MIs.

I have tried to add a Network Rule to my Azure Firewall Policy with the lowest priority number (highest precedence) to ensure that port 3342 can be used to reach the FQDNs of the public endpoints for both SQL MIs. My two virtual machines are added to this rule via an IP Group.

As of right now I still cannot reach the public endpoints of these databases from my virtual machines when they route traffic through the firewall.

I looked into using the SQL Service Tag but according to the Microsoft Documentation on Service Tags, they do not apply to SQL Managed Instances.

Can someone give me a clue here as to what to do? Is there some way to actually trace what is happening in the Azure Firewall with this request?
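The following is an added example, not code from the question or the answer. It models the documented evaluation order of Azure Firewall Policy network rules (rule collection groups, then rule collections within a group, both ascending by priority number, first matching rule wins) so the effect of the accepted fix, putting the allow collection at the correct priority, can be reproduced offline. The VM subnet, the group and collection names, and the IP the public FQDN resolves to are constructed; the FQDN, the IP Group idea and port 3342 come from the post. The treatment of FQDN rules as non-matching when DNS proxy is off is a simplification of the real requirement that FQDN network rules need DNS proxy enabled on the firewall.

```python
"""Model of Azure Firewall Policy network-rule ordering (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SQLMI_PUBLIC_PORT = 3342                 # public endpoint port from the question
SQLMI_PROD_PUBLIC_FQDN = "nwm-sqlmi-prod.public.exxxxxxxxxx1.database.windows.net"
VM_IP_GROUP = ["10.10.1.0/24"]           # assumed: the subnet the two VMs sit in
SQLMI_PUBLIC_IP = "203.0.113.10"         # constructed resolution (TEST-NET-3)


@dataclass
class NetworkRule:
    name: str
    sources: list                        # CIDRs, e.g. an expanded IP Group
    dest_ports: list                     # ints, or ["*"] for any port
    dest_cidrs: list = field(default_factory=list)
    dest_fqdns: list = field(default_factory=list)  # need DNS proxy on the firewall
    protocols: tuple = ("TCP",)


@dataclass
class RuleCollection:
    name: str
    priority: int                        # 100..65000, lower number wins
    action: str                          # "Allow" or "Deny"
    rules: list


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: list


@dataclass
class Firewall:
    groups: list
    dns_proxy_enabled: bool = True
    dns: dict = field(default_factory=dict)  # what the firewall's resolver returns


def _in_any(ip, cidrs):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def _matches(fw, rule, src, dst_ip, dst_port, proto):
    if proto not in rule.protocols:
        return False
    if "*" not in rule.dest_ports and dst_port not in rule.dest_ports:
        return False
    if not _in_any(src, rule.sources):
        return False
    if _in_any(dst_ip, rule.dest_cidrs):
        return True
    # FQDN destinations are compared against the firewall's own resolution of
    # the name. Simplification: with DNS proxy off the FQDN part never matches.
    if not fw.dns_proxy_enabled:
        return False
    return any(dst_ip in fw.dns.get(f, ()) for f in rule.dest_fqdns)


def evaluate(fw, src, dst_ip, dst_port, proto="TCP"):
    """Return (action, 'group/collection/rule') of the first match, else ('Deny', 'default')."""
    for grp in sorted(fw.groups, key=lambda g: g.priority):
        for coll in sorted(grp.collections, key=lambda c: c.priority):
            for rule in coll.rules:
                if _matches(fw, rule, src, dst_ip, dst_port, proto):
                    return coll.action, f"{grp.name}/{coll.name}/{rule.name}"
    return "Deny", "default"


def build_policy(allow_priority, dns_proxy=True):
    """A broad Deny collection at priority 300 plus the SQL MI allow collection."""
    deny = RuleCollection("deny-vm-internet", 300, "Deny", [
        NetworkRule("deny-all-outbound", VM_IP_GROUP, ["*"], dest_cidrs=["0.0.0.0/0"])])
    allow = RuleCollection("allow-sqlmi-public", allow_priority, "Allow", [
        NetworkRule("sqlmi-prod-public-3342", VM_IP_GROUP, [SQLMI_PUBLIC_PORT],
                    dest_fqdns=[SQLMI_PROD_PUBLIC_FQDN])])
    grp = RuleCollectionGroup("rcg-network", 200, [deny, allow])  # constructed name
    return Firewall([grp], dns_proxy, {SQLMI_PROD_PUBLIC_FQDN: {SQLMI_PUBLIC_IP}})


if __name__ == "__main__":
    vm = "10.10.1.4"
    for prio, proxy in ((400, True), (250, True), (250, False)):
        verdict = evaluate(build_policy(prio, proxy), vm, SQLMI_PUBLIC_IP, SQLMI_PUBLIC_PORT)
        print(f"allow collection priority={prio} dns_proxy={proxy}: {verdict}")
```

With the allow collection at 400 the Deny collection at 300 is evaluated first and shadows it, which is the symptom in the question; moving it to 250 makes the first match the Allow rule. The third case shows why FQDN-based network rules also depend on DNS proxy being enabled. On a real firewall the per-flow verdict, including which rule collection group, collection and rule matched, is written to the structured AZFWNetworkRule log in Log Analytics when diagnostic settings are enabled, which is the place to trace a request like this one.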


1 answer

  1. Ganesh Patapati 1,275 Reputation points Microsoft Vendor
    2024-10-08T14:28:07.0866667+00:00

    Hello @JohnSebastian-3934 ,

    Greetings,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    As an original poster cannot accept their own answer, I am reposting it so that you can accept it as an answer. An accepted answer will help other community members navigate to the appropriate solution.

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference it! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue: My network rule that specifically allows access to public SQL Managed Instance URL does not appear to work

    Solution: I had to create the network rule at the correct priority. I can connect now.

    • No, network rules are stateful; if you have two traffic flows, all the flows in that direction should work.

    Please Don't forget to 'Upvote' and 'Accept answer' so that others experiencing the same thing can easily reference this.

    Your contribution is highly appreciated.

    Best Regards,

    Ganesh.

