Create and manage Private Link for Azure Database for MySQL using CLI
APPLIES TO: Azure Database for MySQL - Single Server
Important
Azure Database for MySQL single server is on the retirement path. We strongly recommend that you upgrade to Azure Database for MySQL flexible server. For more information about migrating to Azure Database for MySQL flexible server, see What's happening to Azure Database for MySQL Single Server?
A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources. In this article, you will learn how to use the Azure CLI to create a VM in an Azure Virtual Network and an Azure Database for MySQL server with an Azure private endpoint.
Note
The private link feature is only available for Azure Database for MySQL servers in the General Purpose or Memory Optimized pricing tiers. Ensure the database server is in one of these pricing tiers.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a resource group
Before you can create any resource, you have to create a resource group to host the Virtual Network. Create a resource group with az group create. This example creates a resource group named myResourceGroup in the westeurope location:
az group create --name myResourceGroup --location westeurope
Create a Virtual Network
Create a Virtual Network with az network vnet create. This example creates a default Virtual Network named myVirtualNetwork with one subnet named mySubnet:
az network vnet create \
--name myVirtualNetwork \
--resource-group myResourceGroup \
--subnet-name mySubnet
Disable subnet private endpoint policies
Azure deploys resources to a subnet within a virtual network, so you need to create or update the subnet to disable private endpoint network policies. Update a subnet configuration named mySubnet with az network vnet subnet update:
az network vnet subnet update \
--name mySubnet \
--resource-group myResourceGroup \
--vnet-name myVirtualNetwork \
--disable-private-endpoint-network-policies true
Create the VM
Create a VM with az vm create. When prompted, provide a password to be used as the sign-in credentials for the VM. This example creates a VM named myVm:
az vm create \
--resource-group myResourceGroup \
--name myVm \
--image Win2019Datacenter
Note
Note the public IP address of the VM. You'll use this address to connect to the VM from the internet in a later step.
Create an Azure Database for MySQL server
Create an Azure Database for MySQL server with the az mysql server create command. The name of your MySQL server must be unique across Azure, so replace mydemoserver with your own unique value, and replace the placeholder in angle brackets with a strong administrator password:
# Create a server in the resource group
az mysql server create \
--name mydemoserver \
--resource-group myResourceGroup \
--location westeurope \
--admin-user mylogin \
--admin-password <server_admin_password> \
--sku-name GP_Gen5_2
Note
In some cases the Azure Database for MySQL server and the VNet subnet are in different subscriptions. In these cases you must ensure the following configuration:
- Make sure that both subscriptions have the Microsoft.DBforMySQL resource provider registered. For more information, see resource-manager-registration.
Create the Private Endpoint
Create a private endpoint for the MySQL server in your Virtual Network:
az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVirtualNetwork \
--subnet mySubnet \
--private-connection-resource-id $(az resource show -g myResourceGroup -n mydemoserver --resource-type "Microsoft.DBforMySQL/servers" --query "id" -o tsv) \
--group-id mysqlServer \
--connection-name myConnection
Configure the Private DNS Zone
Create a Private DNS Zone for the MySQL server domain and link it to the Virtual Network.
az network private-dns zone create --resource-group myResourceGroup \
--name "privatelink.mysql.database.azure.com"
az network private-dns link vnet create --resource-group myResourceGroup \
--zone-name "privatelink.mysql.database.azure.com" \
--name MyDNSLink \
--virtual-network myVirtualNetwork \
--registration-enabled false
# Query for the network interface ID of the private endpoint
networkInterfaceId=$(az network private-endpoint show --name myPrivateEndpoint --resource-group myResourceGroup --query 'networkInterfaces[0].id' -o tsv)
az resource show --ids $networkInterfaceId --api-version 2019-04-01 -o json
# Copy the values of privateIPAddress and of the FQDN that matches the Azure Database for MySQL server name
# Create the DNS records. The record-set name must be the server name (here mydemoserver),
# so that mydemoserver.privatelink.mysql.database.azure.com resolves to the private IP.
az network private-dns record-set a create --name mydemoserver --zone-name privatelink.mysql.database.azure.com --resource-group myResourceGroup
az network private-dns record-set a add-record --record-set-name mydemoserver --zone-name privatelink.mysql.database.azure.com --resource-group myResourceGroup -a <Private IP Address>
Note
If your clients use their own DNS servers, the server's FQDN does not resolve to the private IP on its own. You have to set up the privatelink DNS zone (or forward that zone to Azure DNS) for the configured FQDN as shown here.
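The DNS steps above require copying the private IP and FQDN by hand and typing the record name correctly. The following script is an added example and not part of the original article: it reads both values from the private endpoint's network interface, refuses to publish anything that is not an RFC 1918 address, derives the record name from the server's FQDN, and reads the record back so a wrong zone or name fails loudly. It assumes the article's resource names (myResourceGroup, myPrivateEndpoint, the privatelink zone) and an authenticated Azure CLI; the helper names record_name_from_fqdn and is_private_ipv4 and the RUN_AGAINST_AZURE switch are this example's own.

```bash
#!/bin/sh
# Added example (not from the original article): create the privatelink A record
# from the private endpoint's NIC instead of copying values by hand.
# Assumes the article's names; set RUN_AGAINST_AZURE=1 to run the Azure part.
set -eu

RG="${RG:-myResourceGroup}"
PE_NAME="${PE_NAME:-myPrivateEndpoint}"
ZONE="privatelink.mysql.database.azure.com"

# The A record must carry the server label of the public FQDN
# (mydemoserver.mysql.database.azure.com -> mydemoserver), because clients
# connect to mydemoserver.privatelink.mysql.database.azure.com.
record_name_from_fqdn() {
  case "$1" in
    *.mysql.database.azure.com) printf '%s\n' "${1%%.*}" ;;
    *) return 1 ;;
  esac
}

# A private endpoint address is always RFC 1918; anything else came from the
# public side and must not be published in the privatelink zone.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  nic_id=$(az network private-endpoint show --name "$PE_NAME" --resource-group "$RG" \
             --query 'networkInterfaces[0].id' -o tsv)

  # The NIC of a private endpoint carries the private address and the FQDN(s)
  # of the linked resource under privateLinkConnectionProperties.
  pair=$(az resource show --ids "$nic_id" --api-version 2019-04-01 \
      --query 'properties.ipConfigurations[0].properties.[privateIPAddress, privateLinkConnectionProperties.fqdns[0]]' \
      -o tsv)
  ip=$(printf '%s' "$pair" | cut -f1)
  fqdn=$(printf '%s' "$pair" | cut -f2)

  is_private_ipv4 "$ip" || { echo "refusing to publish non-private address $ip" >&2; exit 1; }
  name=$(record_name_from_fqdn "$fqdn")

  az network private-dns record-set a create --name "$name" --zone-name "$ZONE" \
      --resource-group "$RG" --output none
  az network private-dns record-set a add-record --record-set-name "$name" \
      --zone-name "$ZONE" --resource-group "$RG" -a "$ip" --output none

  # Read the record back; grep fails (and so does the script) if it is missing.
  az network private-dns record-set a show --name "$name" --zone-name "$ZONE" \
      --resource-group "$RG" --query 'aRecords[].ipv4Address' -o tsv | grep -qx "$ip"
  echo "$name.$ZONE -> $ip"
}

# Guard so the helpers can be sourced and tested without touching Azure.
if [ "${RUN_AGAINST_AZURE:-0}" = "1" ]; then
  main
fi
```

Run it with RUN_AGAINST_AZURE=1 once az login has succeeded; without that variable the file only defines the helpers, which is what makes them testable offline.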
Connect to a VM from the internet
Connect to the VM myVm from the internet as follows:
In the portal's search bar, enter myVm.
Select the Connect button. After selecting the Connect button, Connect to virtual machine opens.
Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.
Open the downloaded .rdp file.
If prompted, select Connect.
Enter the username and password you specified when creating the VM.
Note
You may need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.
Select OK.
You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.
Once the VM desktop appears, minimize it to go back to your local desktop.
Access the MySQL server privately from the VM
In the Remote Desktop session of myVm, open PowerShell.
Enter:
nslookup mydemoserver.privatelink.mysql.database.azure.com
You'll receive a message similar to the following, showing that the name resolves to the private IP of the endpoint rather than to a public address:
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mydemoserver.privatelink.mysql.database.azure.com
Address:  10.1.3.4
Test the private link connection to the MySQL server using any available client. The example below uses MySQL Workbench.
In New connection, enter or select this information:
- Connection Name: a connection name of your choice.
- Hostname: mydemoserver.privatelink.mysql.database.azure.com
- Username: the admin username in the form username@servername (for this article, mylogin@mydemoserver), as provided during MySQL server creation.
- Password: the password provided during MySQL server creation.
Select Connect.
Browse databases from left menu.
(Optionally) Create or query information from the MySQL database.
Close the remote desktop connection to myVm.
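Resolving to a private address shows that the private path works, but it does not remove the public one: an Azure Database for MySQL single server stays reachable through its public endpoint until public network access is disabled, and a firewall rule spanning 0.0.0.0-255.255.255.255 or the 0.0.0.0-0.0.0.0 rule that admits all Azure services widens that exposure. The script below is an added example, not from the original article: it checks that the private endpoint connection is Approved, disables public network access with az mysql server update --public-network-access Disabled, and flags open firewall rules. Resource names follow the article; the helper flag_open_firewall_rules and the RUN_AGAINST_AZURE switch are this example's own.

```bash
#!/bin/sh
# Added example (not from the original article): confirm the private endpoint
# is approved and close the server's public path. Assumes the article's names;
# set RUN_AGAINST_AZURE=1 to run the Azure part.
set -eu

RG="${RG:-myResourceGroup}"
SERVER="${SERVER:-mydemoserver}"
PE_NAME="${PE_NAME:-myPrivateEndpoint}"

# Input on stdin: firewall rules as "name<TAB>startIp<TAB>endIp" lines, the
# shape produced by
#   az mysql server firewall-rule list ... --query '[].[name,startIpAddress,endIpAddress]' -o tsv
# Prints every rule that opens the server to all addresses or to all Azure
# services, and returns 1 if at least one such rule exists.
flag_open_firewall_rules() {
  open=0
  while IFS="$(printf '\t')" read -r name start end; do
    [ -n "$name" ] || continue
    case "$start-$end" in
      0.0.0.0-255.255.255.255|0.0.0.0-0.0.0.0)
        echo "open rule: $name ($start-$end)"
        open=1 ;;
    esac
  done
  return $open
}

main() {
  status=$(az network private-endpoint show --name "$PE_NAME" --resource-group "$RG" \
    --query 'privateLinkServiceConnections[0].privateLinkServiceConnectionState.status' -o tsv)
  [ "$status" = "Approved" ] || { echo "private endpoint connection is $status, not Approved" >&2; exit 1; }

  public=$(az mysql server show --name "$SERVER" --resource-group "$RG" \
    --query publicNetworkAccess -o tsv)
  if [ "$public" != "Disabled" ]; then
    echo "publicNetworkAccess is $public; disabling it so only the private endpoint is reachable"
    az mysql server update --name "$SERVER" --resource-group "$RG" \
      --public-network-access Disabled --output none
  fi

  # Firewall rules are inert while public access is disabled, but an allow-all
  # rule left behind re-exposes the server the moment someone re-enables it.
  az mysql server firewall-rule list --server-name "$SERVER" --resource-group "$RG" \
    --query '[].[name,startIpAddress,endIpAddress]' -o tsv | flag_open_firewall_rules \
    || echo "remove the open firewall rules listed above" >&2
}

if [ "${RUN_AGAINST_AZURE:-0}" = "1" ]; then
  main
fi
```

Run with RUN_AGAINST_AZURE=1 after az login. The firewall check is a separate function so it can be exercised on a captured rule list without Azure access.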
Clean up resources
When no longer needed, you can use az group delete to remove the resource group and all the resources it has:
az group delete --name myResourceGroup --yes
Next steps
- Learn more about What is Azure private endpoint