Ensuring secure connectivity to database resource is an important requirement and consideration for customers running in cloud environment. Today customers want to connect to their Azure Database for PostgreSQL from both inside/outside of Azure, and based on the security and compliance requirements, organizations can choose one of the options provided by Azure Database for PostgreSQL. In this blog post, we will outline detailed steps on how to connect securely from an On-Premise VM to Azure Database for PostgreSQL using Point-to-Site Gateway.
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN or ExpressRoute when you have only a few clients that need to connect to a VNet.
Here is the high-level architecture diagram of how this solution works in practice:
Step1 - User connects from on-premises (over Point-to-Site VPN) by specifying Private IP address for Azure VM & port 5432.
Step 2 - NGINX is running on Azure VM and listening for traffic on port 5432
Step 3 - Traffic is forwarded by NGINX to the Azure Database for PostgreSQL as part of normal login flow.
We have created one-click-deployable ARM Templates to provision the above architecture quickly.
P2S VPN clients are authenticated using native Azure Certificate Authentication. Instructions to generate and export certificates for Point-to-Site using Powershell are here. You can either generate a self-signed root certificate or use Enterprise CA solution.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
NOTE: Root certificate name “P2SRootCert” should be provided as input for ARM Template parameter ‘clientRootCertName’
[System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
NOTE: The output of the above command should be provided as input for ARM Template parameter ‘clientRootCertData’
# Generate a client certificate from the self-signed root certificate
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
# Protect the pfx file using a password
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
# Export the client certificate as PFX
$clientCert | Export-PfxCertificate -FilePath C:\clientcertificate.pfx -Password $mypwd
NOTE: If you wish to connect to VNET using P2S from another client VM, copy paste clientceritifcate.pfx and install it using the password.
Once the template is deployed successfully, you will see the following resources in your resource group:
You will need to install the client certificates on the On-Premise Client VM for authenticating the P2S connections
If you have trouble deploying the ARM Template, please let us know by opening an issue
Feel free to contribute any updates or bug fixes by creating a pull request
Thank you!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.