What is a recommend way to connect to a private MySQL Server on VNET via Azure Bastion Host

Question

What is a recommend way to connect to a private MySQL Server on VNET via Azure Bastion Host

Ruban Siva 20

I have a private MySQL server on VNET which currently connect to via Azure Bastion VM through SSH. So effectively a double hop and also means I have to allow the users to connect to the Bastion Host which leaves the bastion host exposed.

So was wondering what's the recommended way to do this without user having to SSH to Bastion Host first. As far as I can think, there are possible two ways:

SSH Tunneling
Azure Bastion Native connections (maybe misunderstood what this does?)

Looking for suggestions pls?

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-27T06:06:10.45+00:00
@Ruban Siva

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are having a VM in Azure which acts as a MySQL server.

Azure Bastion is used to provide RDP or SSH Connections to Azure Virtual Machines running Windows or Linux.

And as such, connectivity is provided using RDP and SSH ports.

Now, I see you want to connect to this VM using the SQL Port,

This depends on your end users and how they access it.

I take it that your end users are in Internet,

1.NSG

You can attach a Public IP to your VM

And leverage NSGs to block traffic from malicious IPs and allow only your remote users' IPs.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

You can also use JIT Access to dynamically update NSG rules based on user's IPs

2.JumpVM

If you have any issues with assigning a Public IP to the SQL VM, you can create a Jump server and assign a Public IP to it.

Then RDP to it and from here, RDP/Connect to the SQL VM.

3.Bastion (method you are currently using)

This is same as the above

However, the advantage is that you do not have to assign a Public IP to a VM

Rather, the public IP is assigned to the Bastion

Check out the security baselines for Bastion : https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/bastion-security-baseline?toc=%2Fazure%2Fbastion%2FTOC.json

4. P2S VPN Gateway

This is a complex solution, however, the advantage is that you do not have to manually update the rules of NSG in case your remote users' IPs change often.

Also, no need to assign a Public IP of any VM and there is no Jump VM involved.

Refer

What is P2S Gateway

How does it work

Configuration

Wrt, Azure Bastion Native connections - this is again Bastion

You will still need a Bastion resource be deployed into the VNet

And also a JumpVM to connect to from Bastion

Only advantage is that you do not have to use a Browser to RDP/SSH

Rather, do it directly from your OS : https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows

If you are a single user, I would suggest the best way is to go ahead with Method1. i.e, directly assigning a Public IP and leveraging NSG.

Cheers,

Kapil.
Ruban Siva 20 Reputation points

2023-07-27T10:25:12.98+00:00

Thanks Kapil.

So thanks for outlining the options.

Just to correct, I have a Private MySql instance which I would like to access the Bastion Host?

What's the recommended way to access it?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-27T11:11:23.64+00:00

@Ruban Siva

I am afraid I did not understand.

You want your mySQL instance to access the Bastion Host?

or

Access the mySQL instance via Bastion Host?

Just to be sure, your mySQL instance is a VM in a VNet, correct?

Thanks,

Kapil
Ruban Siva 20 Reputation points

2023-07-27T11:20:47.5+00:00

I have a Azure Bastion VM, Azure Database for MySQL Instance which is Private in a VNet.

So I can connect currently by connecting via to Azure Bastion Host VM using pem key then running MySQL client on the VM.

As mentioned this method has various draw backs related to double hope, requiring PEM to SSH into bastion host and wondering if there are suggested better approaches?

I'm from GCP background so there are a few options to do this but wondering what's AZ best approaches for this/
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-28T13:00:19.0166667+00:00

@Ruban Siva

Sure.

Azure Bastion is a PaaS resource.

I see you are using a JumpVM (and referring this as BastionVM)

Also, when you say "Azure Database for MySQL Instance which is Private in a VNet."

Do you mean a Azure Database for MySQL PaaS resource with Private EndPoint?

or

A simple VM in which you are running mySql?

Cheers,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-31T05:06:34.7+00:00

@Ruban Siva

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Ruban Siva 20 Reputation points

2023-07-31T08:03:33.61+00:00

Deleted as I incorrectly put this as comment.
Ruban Siva 20 Reputation points

2023-07-31T08:08:29.5933333+00:00

Deleted as I incorrectly put this as comment.
Ruban Siva 20 Reputation points

2023-07-31T08:16:23.1233333+00:00

Hi Kapil

So yes, have created a Azure Bastion Host PAAS (which I assume is just a VM acting as a JumpHost on the VNET with a public IP?) which is used to connect via SSH to the Azure MySQL PAAS.

Looks there are also other options such as SQLProxy and HAProxy which I can presumably install on Bastion Host to act as a proxy for the MySQL client connection pass through?

Accept answer

0 commentsNo commentsReport a concern
Ruban Siva 20 Reputation points

2023-08-01T16:38:23.15+00:00

Hi @KapilAnanth-MSFT
Any updates on this?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-02T06:31:10.7033333+00:00
@Ruban Siva

Apologies for the delay.

I am afraid your statement is quite misleading.

Azure Bastion can only provide RDP/SSH to a VM and not to a PaaS service.

So, when you say, "Azure Bastion Host PAAS which is used to connect via SSH to the Azure MySQL PAAS"

This statement is incorrect.

Do you mean you have a VM in a VNET where you have installed mySQL in it?

Please note

SSH to a VM via Bastion and then connect locally to the mySQL installed in it within the VM

and

SSH directly to mySQL via Bastion are two different things.

I would like to know

if you have a VM where mySQL is installed (In this case, it's not called Azure mySQL Database)

or

you have a PaaS service Azure Database for MySQL

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-02T17:39:44.6566667+00:00

@KapilAnanth-MSFT Feels like we are going around in circles.
As I said I'm not an Azure expert by any means but you keep wanting to focus on semantics rather than offer any support or advice.
Ruban Siva 20 Reputation points

2023-08-02T17:45:15.2+00:00
@KapilAnanth-MSFT
Here's the setup to confirm:

VNET with MySQL Instance (Azure Database for MySQL servers, PAAS? surely this is called a PAAS right?)

Bastion VM with External IP

So currently if I want to connect to the DB:

SSH into VM --> MySQL Client into DB

Not sure what information you need...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-03T16:38:55.4233333+00:00
@Ruban Siva

My sincere apologies.

However, without knowing the actual resource and configuration, it will be challenging to provide assistance.

The confusion was that

You were referring to the Jumphost VM as BastionVM ((Which can provide connectivity to mySQL instance)

While in Azure, we have a PaaS resource called Azure Bastion (Which cannot provide connectivity to mySQL instance)

And also, since you have used the "Azure Bastion" tag, (which I have expertise on and not much on databases)

Now, I believe you are using : Private Network Access for Azure Database for MySQL - Flexible Server

I was able to find the documentation for Connecting privately to a Server in VNET.

Refer : Connect Azure Database for MySQL - Flexible Server with private access connectivity method

I also reached out internally wrt SQLProxy and HAProxy and below is the response from them,

"Like ProxySQL or HAProxy, Heimdall etx, Proxies sit between the mysql client and mysql server, they don't eliminate the need of mysql client,certain mysql clients also have connection pooling features such as JDBC, HikariPool, JBoss, etc,proxies can be installed on the same linux vm hosting application and running mysql client or on a seperate VM in between app and mysql server

Proxies are optional but recommended for workloads that can generate random spikes of connections and/or the customer wants to direct reads and writes to different servers using proxy in between than making the multiple connection strings in application"

This might come in handy: https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842

Cheers,

Kapil
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-04T11:40:38.5466667+00:00
@Ruban Siva

<< I shall repost my comment here. >>

My sincere apologies.

However, without knowing the actual resource and configuration, it will be challenging to provide assistance.

The confusion was that

You were referring to the Jumphost VM as BastionVM ((Which can provide connectivity to mySQL instance)

While in Azure, we have a PaaS resource called Azure Bastion (Which cannot provide connectivity to mySQL instance)

And also, since you have used the "Azure Bastion" tag, (which I have expertise on and not much on databases)

Now, I believe you are using : Private Network Access for Azure Database for MySQL - Flexible Server

I was able to find the documentation for Connecting privately to a Server in VNET.

Refer : Connect Azure Database for MySQL - Flexible Server with private access connectivity method

I also reached out internally wrt SQLProxy and HAProxy and below is the response from them,

"Like ProxySQL or HAProxy, Heimdall etx, Proxies sit between the mysql client and mysql server, they don't eliminate the need of mysql client,certain mysql clients also have connection pooling features such as JDBC, HikariPool, JBoss, etc,proxies can be installed on the same linux vm hosting application and running mysql client or on a seperate VM in between app and mysql server

Proxies are optional but recommended for workloads that can generate random spikes of connections and/or the customer wants to direct reads and writes to different servers using proxy in between than making the multiple connection strings in application"

This might come in handy: https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-04T12:17:43.2833333+00:00

@KapilAnanth-MSFT

Thanks, I ready about proxysql too.
What about Azure Bastion Native connection? is that a recommended alternative?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-04T12:46:17.75+00:00

@Ruban Siva

Azure Bastion Native connection can only provide RDP and SSH connectivity.

It cannot be used for accessing Azure Database for MySQL though it is in a VNET.

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-06T21:38:50.54+00:00

Thanks @KapilAnanth-MSFT

Accepted answer

0 additional answers

Your answer

Ruban Siva 20 Reputation points

2023-07-27T10:25:12.98+00:00

Thanks Kapil.

So thanks for outlining the options.

Just to correct, I have a Private MySql instance which I would like to access the Bastion Host?

What's the recommended way to access it?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-27T11:11:23.64+00:00

@Ruban Siva

I am afraid I did not understand.

You want your mySQL instance to access the Bastion Host?

or

Access the mySQL instance via Bastion Host?

Just to be sure, your mySQL instance is a VM in a VNet, correct?

Thanks,

Kapil
Ruban Siva 20 Reputation points

2023-07-27T11:20:47.5+00:00

I have a Azure Bastion VM, Azure Database for MySQL Instance which is Private in a VNet.

So I can connect currently by connecting via to Azure Bastion Host VM using pem key then running MySQL client on the VM.

As mentioned this method has various draw backs related to double hope, requiring PEM to SSH into bastion host and wondering if there are suggested better approaches?

I'm from GCP background so there are a few options to do this but wondering what's AZ best approaches for this/
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-28T13:00:19.0166667+00:00

@Ruban Siva

Sure.

Azure Bastion is a PaaS resource.

I see you are using a JumpVM (and referring this as BastionVM)

Also, when you say "Azure Database for MySQL Instance which is Private in a VNet."

Do you mean a Azure Database for MySQL PaaS resource with Private EndPoint?

or

A simple VM in which you are running mySql?

Cheers,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-31T05:06:34.7+00:00

@Ruban Siva

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Ruban Siva 20 Reputation points

2023-07-31T08:03:33.61+00:00

Deleted as I incorrectly put this as comment.
Ruban Siva 20 Reputation points

2023-07-31T08:08:29.5933333+00:00

Deleted as I incorrectly put this as comment.
Ruban Siva 20 Reputation points

2023-07-31T08:16:23.1233333+00:00

Hi Kapil

So yes, have created a Azure Bastion Host PAAS (which I assume is just a VM acting as a JumpHost on the VNET with a public IP?) which is used to connect via SSH to the Azure MySQL PAAS.

Looks there are also other options such as SQLProxy and HAProxy which I can presumably install on Bastion Host to act as a proxy for the MySQL client connection pass through?

Accept answer

0 commentsNo commentsReport a concern
Ruban Siva 20 Reputation points

2023-08-01T16:38:23.15+00:00

Hi @KapilAnanth-MSFT
Any updates on this?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-02T06:31:10.7033333+00:00

@Ruban Siva

Apologies for the delay.

I am afraid your statement is quite misleading.

Azure Bastion can only provide RDP/SSH to a VM and not to a PaaS service.

So, when you say, "Azure Bastion Host PAAS which is used to connect via SSH to the Azure MySQL PAAS"

This statement is incorrect.

Do you mean you have a VM in a VNET where you have installed mySQL in it?

Please note

SSH to a VM via Bastion and then connect locally to the mySQL installed in it within the VM

and

SSH directly to mySQL via Bastion are two different things.

I would like to know

if you have a VM where mySQL is installed (In this case, it's not called Azure mySQL Database)

or

you have a PaaS service Azure Database for MySQL

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-02T17:39:44.6566667+00:00

@KapilAnanth-MSFT Feels like we are going around in circles.
As I said I'm not an Azure expert by any means but you keep wanting to focus on semantics rather than offer any support or advice.
Ruban Siva 20 Reputation points

2023-08-02T17:45:15.2+00:00

@KapilAnanth-MSFT
Here's the setup to confirm:

VNET with MySQL Instance (Azure Database for MySQL servers, PAAS? surely this is called a PAAS right?)

Bastion VM with External IP

So currently if I want to connect to the DB:

SSH into VM --> MySQL Client into DB

Not sure what information you need...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-03T16:38:55.4233333+00:00

@Ruban Siva

My sincere apologies.

However, without knowing the actual resource and configuration, it will be challenging to provide assistance.

The confusion was that

You were referring to the Jumphost VM as BastionVM ((Which can provide connectivity to mySQL instance)

While in Azure, we have a PaaS resource called Azure Bastion (Which cannot provide connectivity to mySQL instance)

And also, since you have used the "Azure Bastion" tag, (which I have expertise on and not much on databases)

Now, I believe you are using : Private Network Access for Azure Database for MySQL - Flexible Server

I was able to find the documentation for Connecting privately to a Server in VNET.

Refer : Connect Azure Database for MySQL - Flexible Server with private access connectivity method

I also reached out internally wrt SQLProxy and HAProxy and below is the response from them,

"Like ProxySQL or HAProxy, Heimdall etx, Proxies sit between the mysql client and mysql server, they don't eliminate the need of mysql client,certain mysql clients also have connection pooling features such as JDBC, HikariPool, JBoss, etc,proxies can be installed on the same linux vm hosting application and running mysql client or on a seperate VM in between app and mysql server

Proxies are optional but recommended for workloads that can generate random spikes of connections and/or the customer wants to direct reads and writes to different servers using proxy in between than making the multiple connection strings in application"

This might come in handy: https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842

Cheers,

Kapil
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-04T11:40:38.5466667+00:00

@Ruban Siva

<< I shall repost my comment here. >>

My sincere apologies.

However, without knowing the actual resource and configuration, it will be challenging to provide assistance.

The confusion was that

You were referring to the Jumphost VM as BastionVM ((Which can provide connectivity to mySQL instance)

While in Azure, we have a PaaS resource called Azure Bastion (Which cannot provide connectivity to mySQL instance)

And also, since you have used the "Azure Bastion" tag, (which I have expertise on and not much on databases)

Now, I believe you are using : Private Network Access for Azure Database for MySQL - Flexible Server

I was able to find the documentation for Connecting privately to a Server in VNET.

Refer : Connect Azure Database for MySQL - Flexible Server with private access connectivity method

I also reached out internally wrt SQLProxy and HAProxy and below is the response from them,

"Like ProxySQL or HAProxy, Heimdall etx, Proxies sit between the mysql client and mysql server, they don't eliminate the need of mysql client,certain mysql clients also have connection pooling features such as JDBC, HikariPool, JBoss, etc,proxies can be installed on the same linux vm hosting application and running mysql client or on a seperate VM in between app and mysql server

Proxies are optional but recommended for workloads that can generate random spikes of connections and/or the customer wants to direct reads and writes to different servers using proxy in between than making the multiple connection strings in application"

This might come in handy: https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-04T12:17:43.2833333+00:00

@KapilAnanth-MSFT

Thanks, I ready about proxysql too.
What about Azure Bastion Native connection? is that a recommended alternative?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-08-04T12:46:17.75+00:00

@Ruban Siva

Azure Bastion Native connection can only provide RDP and SSH connectivity.

It cannot be used for accessing Azure Database for MySQL though it is in a VNET.

Cheers,

Kapil
Ruban Siva 20 Reputation points

2023-08-06T21:38:50.54+00:00

Thanks @KapilAnanth-MSFT

Answer 1

@Ruban Siva

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

You were interested in the recommended way to connect to your MySQL Server in a VNet.

You confirmed you are using : Private Network Access for Azure Database for MySQL - Flexible Server
You were also wondering if Azure Bastion Native Client can be used to achieve this

I was able to find the documentation for connecting privately to a Server in VNET.

Refer : Connect Azure Database for MySQL - Flexible Server with private access connectivity method

I also reached out internally wrt SQLProxy and HAProxy and below is the response from them,

"Like ProxySQL or HAProxy, Heimdall etx, Proxies sit between the mysql client and mysql server, they don't eliminate the need of mysql client,certain mysql clients also have connection pooling features such as JDBC, HikariPool, JBoss, etc,proxies can be installed on the same linux vm hosting application and running mysql client or on a seperate VM in between app and mysql server

Proxies are optional but recommended for workloads that can generate random spikes of connections and/or the customer wants to direct reads and writes to different servers using proxy in between than making the multiple connection strings in application"

Refer: [https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842](https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/connecting-efficiently-to-azure-database-for-mysql-with-proxysql/ba-p/1279842)

Wrt, Azure Bastion Native Client

Azure Bastion Native connection can only provide RDP and SSH connectivity to VMs in Azure
It cannot be used for accessing Azure Database for MySQL though it is in a VNET (as this is a PaaS service integrated into VNET and not a VM on it's own)

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

What is a recommend way to connect to a private MySQL Server on VNET via Azure Bastion Host

0 additional answers

Your answer