Using Private Link and Point-to-Site Gateway for secure on-premise connectivity to MySQL Server
Published Jan 14 2020 02:33 PM 4,594 Views
Microsoft

Azure Private Link is a secure and scalable way for Azure customers to consume Azure database for MySQL server service privately from their Azure Virtual Network (VNet). Azure Private Link essentially brings Azure services inside the customer’s private VNet. The MySQL resources can be accessed using the private IP address just like any other resource in the VNet. This significantly simplifies the network configuration by keeping access rules private. You can read more about it here: Introducing Private Link for Azure Database for MySQL.

 

In this blog post, we will outline detailed steps on how to connect securely from an On-Premise VM to Azure Database for MySQL using Point-to-Site Gateway and Azure Private Link.

 

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN or ExpressRoute when you have only a few clients that need to connect to a VNet.

 

Here is the high-level architecture diagram of how this solution works in practice:

 

pip2.jpg

User connects from on-premises (over Point-to-Site VPN) by specifying Private IP address for Azure Database for MySQL & port 3306.

 

Step by step guide to implementing this architecture

 

You can create Private Endpoints using either Portal or CLI.

 

We have also created one-click-deployable ARM Templates to provision the Private Endpoints quickly:

https://github.com/Azure/azure-mysql/tree/master/arm-templates/ExampleWithPrivateLink

 

Create Azure Virtual Network Gateway for the VNET in which private endpoints exist :

https://ms.portal.azure.com/#create/Microsoft.VirtualNetworkGateway-ARM

 

clipboard_image_0.png

 

clipboard_image_1.png

 

Once the Virtual Network Gateway is created successfully, we will add Point-to-Site configuration:

 

clipboard_image_2.png

 

P2S VPN clients are authenticated using native Azure Certificate Authentication. Instructions to generate and export certificates for Point-to-Site using Powershell are here. You can either generate a self-signed root certificate or use Enterprise CA solution.

 

Instructions to use self-signed root certificate 

 

1. Create a self-signed root certificate: From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console with elevated privileges and run the following command

 

 

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

 

 

NOTE: Root certificate name “P2SRootCert” should be provided as input for Root Certificate Name

 

2. Export the root certificate public key (.cer)

 

 

[System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') -replace "`n","" -replace "`r",""

 

 

NOTE: The output of the above command should be provided as input for Public Certificate Data.

 

3. Generate a client certificate: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

 

 

# Generate a client certificate from the self-signed root certificate
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Protect the pfx file using a password
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText

# Export the client certificate as PFX
$clientCert | Export-PfxCertificate -FilePath C:\clientcertificate.pfx -Password $mypwd

 

 

NOTE: If you wish to connect to VNET using P2S from another client VM, copy paste clientceritifcate.pfx and install it using the password.

 

Create Point-to-site configuration using the certificate generated above : 

 

clipboard_image_3.png

 

Connectivity from On-Premise Client VM

 

You will need to install the client certificates on the On-Premise Client VM for authenticating the P2S connections

Click on the Virtual Network Gateway and click Point-to-Site Configurations.

Click on Download VPN Client to download the VPN Client Configuration Files.

 

clipboard_image_4.png

 

Once the VPN Client is downloaded, extract the folder and run the following program as Administrator: WindowsAmd64\VpnClientSetupAmd64.exe. (For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.)

 

If you see a SmartScreen popup, click More info, then Run anyway.

 

Click Yes on the following prompt

 

clipboard_image_5.png

 

On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to. Click Connect.

 

clipboard_image_6.png

 

Click Connect

 

clipboard_image_7.png

 

Select the checkbox and Click Continue

 

clipboard_image_8.png

 

If connected successfully, you will see “Connected” status

 

clipboard_image_9.png

 

Verify connection is successful using mysql command line:

 

 

mysql --host={privateIPAddress} --port=3306 --database={your_database} --user={your_username} --ssl-mode=REQUIRED --password={your_password}

 

 

Learn More

You can find more details in the official documentation. You can give the Azure Private Link a try today. If you have questions, please reach out to the AskAzureDBforMySQL@service.microsoft.com alias.

 

Version history
Last update:
‎Jan 14 2020 02:33 PM
Updated by: