I have a Virtual Network Gateway and have created and configured a Point-to-Site configuration using OpenVPN (SSL) and Azure Active Directory authentication. I have an Azure SQL database with firewall rules blocking traffic from non-approved addresses. I have whitelisted the subnet attached to the Virtual Network Gateway and created a private endpoint for the SQL instance.
I am able to connect to the VPN service from Azure VPN, however when I connect to the Azure SQL database, the traffic is not being routed through the VPN and I am prompted to add my public IP address to the list of approved entries.
If I enable forced tunneling on the point-to-site configuration, this enables connectivity to the SQL server; however, this disables access to the rest of the Internet, which is not acceptable.
I have added DNS suffix entries to my azurevpnconfig.xml file using the format below, but that is not working: when I connect through SSMS it is still prompting me to add my public IP address. The virtual network is configured to use Azure DNS servers.
    <clientconfig>
        <dnssuffixes>
            <dnssuffix>.database.windows.net</dnssuffix>
        </dnssuffixes>
    </clientconfig>
How can I allow only VPN traffic to the SQL database (and restrict everything else) while also allowing VPN users to access the internet? This should be possible, but all answers and documentation thus far have not worked.
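An added diagnostic, not part of the question above: with split tunneling only the VNet prefixes are routed into the P2S tunnel, so what decides the path is whether the SQL server's FQDN resolves to the private endpoint's address inside the VNet or to the public Azure SQL front end. This script resolves the name through the client's OS resolver (the path SSMS uses) and classifies the result; the server name and VNet address space are placeholder assumptions.

```python
"""Check whether an Azure SQL FQDN resolves to the private endpoint (inside
the VNet, reached over the P2S tunnel) or to the public front end (reached
via the client's public IP, which triggers the SQL firewall prompt)."""
import ipaddress
import socket

# Assumed placeholder values: substitute the real VNet address space and server name.
VNET_CIDRS = ["10.1.0.0/16"]
SQL_HOST = "example-server.database.windows.net"


def classify(addresses, vnet_cidrs):
    """Return 'private' if every resolved address lies inside a VNet prefix,
    'public' if none does, 'mixed' if both occur, 'unresolved' if empty."""
    if not addresses:
        return "unresolved"
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    inside = [any(ipaddress.ip_address(a) in n for n in nets) for a in addresses]
    if all(inside):
        return "private"
    if not any(inside):
        return "public"
    return "mixed"


def resolve(host, port=1433):
    """Resolve host with the OS resolver and return the unique addresses."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(host, vnet_cidrs):
    """Resolve and classify; returns (verdict, addresses)."""
    addrs = resolve(host)
    return classify(addrs, vnet_cidrs), addrs


if __name__ == "__main__":
    verdict, addrs = diagnose(SQL_HOST, VNET_CIDRS)
    print(f"{SQL_HOST} -> {addrs}: {verdict}")
    if verdict != "private":
        print("Name resolves outside the VNet: the connection leaves via the "
              "client's public IP instead of the tunnel, so the firewall prompt "
              "is expected until the private endpoint address is returned.")
```

Run it while connected to the VPN; a 'public' verdict means the DNS suffix setting alone is not steering resolution to the private endpoint address.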