Azure VPN Gateway P2S Session not Connecting to Azure SQL

Jake Skwarcan 0 Reputation points
2023-07-23T17:30:42.3133333+00:00

I have a Virtual Network Gateway and I have created a Point-to-Site configuration using OpenVPN (SSL) and Azure Active Directory authentication. I have an Azure SQL database with firewall rules blocking traffic from non-approved addresses. I have whitelisted the subnet attached to the Virtual Network Gateway and created a private endpoint for the SQL instance.

I am able to connect to the VPN service from Azure VPN, however when I connect to the Azure SQL database, the traffic is not being routed through the VPN and I am prompted to add my public IP address to the list of approved entries.

If I enable forced tunneling on the point-to-site configuration, this enables connectivity to the SQL server; however this disables access to the rest of the Internet, which is not acceptable.

I have added DNS suffix entries to my azurevpnconfig.xml file using the format below, but that is not working - when I connect through SSMS it is still prompting me to add my public IP address. The virtual network is configured to use Azure DNS servers.

  <clientconfig>
    <dnssuffixes>
      <dnssuffix>.database.windows.net</dnssuffix>
    </dnssuffixes>
  </clientconfig>

How can I allow only VPN traffic to the SQL database (and restrict everything else) while also allowing VPN users to access the internet? This should be possible, but all answers and documentation thus far have not worked.


1 answer

  1. Luke Murray (MVP)
    2023-07-23T22:17:25.7366667+00:00

    Hi Jake,

    At a guess, your DNS will be responding with the public endpoint.

    You can either:

    Edit your hosts file to direct the SQL database to its private IP on your PC - this is fine if it's just 1-2 users and testing, but it is a change that needs to be made on each PC - for production systems, go with 2.

    or

    Set up a Private DNS resolver to resolve the private endpoint DNS namespace.

    Reference:

    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/azure-dns-private-resolver

    https://luke.geek.nz/azure/azure-point-to-site-vpn-and-private-dns-resolver/

    https://www.groovypost.com/howto/edit-hosts-file-windows-10/

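A quick way to confirm the DNS diagnosis above before editing hosts files or deploying a resolver, added here as an example and not part of either post: resolve the SQL server's FQDN with the same OS resolver SSMS uses and check whether the answer is a private-endpoint address (inside the VNet) or the public one. The server name is a placeholder, not a real server.

```python
import ipaddress
import socket

# Placeholder logical server name (the question does not give the real one).
SQL_SERVER_FQDN = "myserver.database.windows.net"


def classify_addresses(addresses):
    """Classify a set of resolved addresses.

    'private-endpoint' when every address is private (RFC 1918 / IPv6 ULA),
    which is what a working private endpoint + private DNS zone returns;
    'public-endpoint' when every address is public, meaning the client will
    bypass the VPN and the SQL firewall will see the public IP; 'mixed' otherwise.
    """
    kinds = {
        "private" if ipaddress.ip_address(addr).is_private else "public"
        for addr in addresses
    }
    if kinds == {"private"}:
        return "private-endpoint"
    if kinds == {"public"}:
        return "public-endpoint"
    return "mixed"


def resolve(fqdn, port=1433):
    """Resolve with the OS resolver (hosts file, VPN-pushed DNS, etc.), so the
    result matches what SSMS on this PC will actually connect to."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def explain(fqdn, addresses):
    """Human-readable verdict for the resolved addresses."""
    verdict = classify_addresses(addresses)
    if verdict == "private-endpoint":
        return f"{fqdn} -> {addresses}: {verdict}; SQL traffic will use the VPN"
    return (f"{fqdn} -> {addresses}: {verdict}; the client will hit the public "
            f"endpoint and the SQL firewall will see your public IP")


if __name__ == "__main__":
    # Run this while connected to the P2S VPN; a 10.x/172.16.x/192.168.x
    # answer means the private endpoint is being used.
    print(explain(SQL_SERVER_FQDN, resolve(SQL_SERVER_FQDN)))
```

If the result is still the public endpoint after applying either fix, the client is not using the DNS server (or hosts entry) you changed, so check which resolver the VPN adapter was assigned.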
