Using Private Link and Point-to-Site Gateway for secure on-premise connectivity to MariaDB Server
Published Jan 14 2020 02:58 PM

Azure Private Link is a secure and scalable way for Azure customers to consume the Azure Database for MariaDB service privately from their Azure Virtual Network (VNet). Azure Private Link essentially brings Azure services inside the customer's private VNet. The MariaDB resources can be accessed using a private IP address just like any other resource in the VNet, which significantly simplifies the network configuration by keeping access rules private. You can read more about it here: Introducing Private Link for Azure Database for MariaDB.


In this blog post, we outline the detailed steps to connect securely from an on-premises VM to Azure Database for MariaDB using a Point-to-Site Gateway and Azure Private Link.


A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN or ExpressRoute when you have only a few clients that need to connect to a VNet.


Here is the high-level architecture diagram of how this solution works in practice:



The user connects from on-premises (over the Point-to-Site VPN) by specifying the private IP address of the Azure Database for MariaDB server and port 3306.


Step-by-step guide to implementing this architecture


You can create Private Endpoints using either the Azure portal or the Azure CLI.


We have also created one-click-deployable ARM Templates to provision the Private Endpoints quickly:


Create an Azure Virtual Network Gateway for the VNet in which the private endpoints exist:






Once the Virtual Network Gateway is created successfully, we add the Point-to-Site configuration:




P2S VPN clients are authenticated using native Azure certificate authentication. Instructions to generate and export certificates for Point-to-Site using PowerShell are here. You can either generate a self-signed root certificate or use an Enterprise CA solution.


Instructions to use a self-signed root certificate


1. Create a self-signed root certificate: From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console with elevated privileges and run the following command:



$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign



NOTE: The root certificate name "P2SRootCert" should be provided as the input for Root Certificate Name.


2. Export the root certificate public key (.cer):



[System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') -replace "`n","" -replace "`r",""



NOTE: The output of the above command should be provided as input for Public Certificate Data.


3. Generate a client certificate: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.



# Generate a client certificate from the self-signed root certificate ($cert from step 1).
# The -TextExtension value sets the Extended Key Usage (2.5.29.37) to Client Authentication
# (1.3.6.1.5.5.7.3.2), which the P2S gateway requires on client certificates.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Protect the pfx file using a password (replace "1234" with a strong password of your own)
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText

# Export the client certificate, including its private key, as PFX
$clientCert | Export-PfxCertificate -FilePath C:\clientcertificate.pfx -Password $mypwd



NOTE: If you wish to connect to the VNet using P2S from another client VM, copy clientcertificate.pfx to that VM and install it using the password.
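Before copying the PFX to another client VM, it is worth checking that the exported client certificate actually satisfies what the gateway will check: it carries a private key, has not expired, includes the Client Authentication EKU, and chains to the root whose public data you pasted into the Point-to-Site configuration. The following PowerShell script is an added example, not code from the original post; it assumes the PFX path, password and root subject from the steps above and reads the root from Cert:\CurrentUser\My on the machine that generated it.

```powershell
# Added example, not part of the original post: sanity-check an exported P2S client
# certificate. The path, password and root subject below are assumptions taken from
# the steps above; adjust them to your own values.
function Test-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $ExpectedRootSubject = 'CN=P2SRootCert'
    )

    # Load the PFX without importing it into any certificate store
    $client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $PfxPassword,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # The self-signed root from step 1 lives in Cert:\CurrentUser\My on the generating machine
    $root = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $ExpectedRootSubject -and $_.Subject -eq $_.Issuer } |
        Select-Object -First 1

    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what the gateway expects on client certs
    $ekuExt = $client.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    }

    # Build the chain offline against the root only; the machine's trust store verdict is irrelevant
    # because the gateway trusts the root via the public data uploaded in the P2S configuration
    $chainsToRoot = $false
    if ($root) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode     = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
        [void]$chain.ChainPolicy.ExtraStore.Add($root)
        [void]$chain.Build($client)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chainsToRoot = ($top.Thumbprint -eq $root.Thumbprint)
    }

    [pscustomobject]@{
        Subject          = $client.Subject
        Issuer           = $client.Issuer
        HasPrivateKey    = $client.HasPrivateKey              # required on the VM that dials the VPN
        NotExpired       = ($client.NotAfter -gt (Get-Date))
        HasClientAuthEku = $hasClientAuth
        ChainsToRoot     = $chainsToRoot
    }
}

# Usage: same password and path as the Export-PfxCertificate step above
$pfxPwd = ConvertTo-SecureString -String '1234' -Force -AsPlainText
$result = Test-P2SClientCertificate -PfxPath 'C:\clientcertificate.pfx' -PfxPassword $pfxPwd
$result | Format-List
if (-not ($result.HasPrivateKey -and $result.NotExpired -and $result.HasClientAuthEku -and $result.ChainsToRoot)) {
    Write-Warning 'This client certificate will not authenticate against the P2S gateway as configured.'
}
```

A false ChainsToRoot usually means the client certificate was signed with a different root than the one whose public data is registered on the gateway; a false HasClientAuthEku means the -TextExtension argument was dropped or mistyped when the client certificate was created.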


Create the Point-to-Site configuration using the certificate generated above:




Connectivity from On-Premise Client VM


You will need to install the client certificate on the on-premises client VM to authenticate the P2S connection.

Click on the Virtual Network Gateway and click Point-to-Site Configurations.

Click on Download VPN Client to download the VPN Client Configuration Files.




Once the VPN Client is downloaded, extract the folder and run the following program as Administrator: WindowsAmd64\VpnClientSetupAmd64.exe. (For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.)


If you see a SmartScreen popup, click More info, then Run anyway.


Click Yes on the following prompt.




On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to. Click Connect.




Click Connect.




Select the checkbox and click Continue.




If connected successfully, you will see the "Connected" status.




Verify that the connection is successful using the mysql command line:



mysql --host={privateIPAddress} --port=3306 --database={your_database} --user={your_username} --ssl-mode=REQUIRED --password={your_password}
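Beyond a successful login, the point of this architecture is that traffic reaches the server through the private endpoint rather than its public address. The PowerShell function below, an added example that is not part of the original post, checks from the connected P2S client that the server's FQDN resolves to the private endpoint address and that TCP port 3306 on that address is reachable over the VPN. The server name and expected private IP are placeholders for your own values; the "*.mariadb.database.azure.com" suffix is the standard server hostname form for this service.

```powershell
# Added example, not part of the original post. Run on the P2S client after the VPN shows
# "Connected". ServerFqdn and ExpectedPrivateIp are placeholders to replace with your values.
function Test-PrivateLinkPath {
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,          # e.g. <servername>.mariadb.database.azure.com
        [Parameter(Mandatory)] [string] $ExpectedPrivateIp,   # private endpoint NIC address shown in the portal
        [int] $Port = 3306
    )

    # Resolve the public FQDN; with the private DNS zone visible it ends in the private endpoint IP
    $resolved = @()
    $records = Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction SilentlyContinue
    if ($records) { $resolved = @($records.IPAddress | Where-Object { $_ }) }
    $usesPrivateEndpoint = $resolved -contains $ExpectedPrivateIp

    # Reachability of the MariaDB port on the private address over the VPN tunnel
    $tcp = Test-NetConnection -ComputerName $ExpectedPrivateIp -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        ServerFqdn          = $ServerFqdn
        ResolvedAddresses   = ($resolved -join ', ')
        UsesPrivateEndpoint = $usesPrivateEndpoint            # false: name still points at the public endpoint
        PortReachable       = $tcp.TcpTestSucceeded
        SourceAddress       = $tcp.SourceAddress.IPAddress    # expected to be an address from the P2S client pool
    }
}

# Usage (placeholder values)
$check = Test-PrivateLinkPath -ServerFqdn '<servername>.mariadb.database.azure.com' -ExpectedPrivateIp '10.0.1.4'
$check | Format-List
if (-not $check.PortReachable) {
    Write-Warning 'Port 3306 on the private endpoint is not reachable; confirm the VPN is connected and the gateway VNet is the one that hosts the private endpoint.'
}
```

If PortReachable is true but UsesPrivateEndpoint is false, the tunnel works but the VPN client's DNS cannot see the private DNS zone, so connecting by the private IP address as in the mysql command above is the safe choice; using the FQDN from that client would send the session to the public endpoint instead.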




Learn More


You can find more details in the official documentation. Give Azure Private Link a try today. If you have questions, please reach out to the alias.

Last update: Feb 08 2022 01:51 PM