How-to set up point-to-site peering with Azure SQL Managed Instance and self-signed certificates

Published Mar 13 2019 07:23 PM 1,003 Views
Microsoft
First published on MSDN on Nov 01, 2018
This tutorial assumes the Managed Instance is already created and that connections from the jumpbox also work.

If you have a Managed Instance and would like to connect directly from a place which is outside of Azure, you may have noticed that Managed Instances are only accessible via private IPs. Once a Managed Instance is created, we offer a Getting Started guide to deploy a Virtual Machine inside another subnet on the same vnet the MI is part of, but you may want to skip having a VM provisioned in Azure and connecting as you usually do with Azure SQL Database. This means that you would need a direct connection from your laptop, for example, to the vnet where the MI was deployed and this can be done using Point-to-Site peering. Instructions below:

  1. On the Getting Started page, run the script (via local PowerShell) under the P2S tab to set up the VPN gateway, configure it for P2S and attach it to the vnet (this all happens automatically with the script)




  1. Fire up your computer and create a self-signed root certificate via PowerShell (that we will later upload to Azure) with the below script (you can change the name in the -Subject variable, the certificate will be automatically installed on your local Cert Store):


$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign


  1. Using the same PowerShell session, run the following command to create and install a client certificate from the root certificate created in the step above:


$cert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

  1. Next, lets Export the root certificate from the Windows Certificate Store:

    • Search in the Start menu for Manage user certificates


    • In the Export Wizard, do not export the private key and use Base-64 encoding.

    • (Optional) If the client certificate needs to be in another computer, export it using the following options:

      • Yes to the private key.

      • Leave the default options in Export File Format .

      • Make sure to protect it with a password.





  2. Next, look in the Portal for Virtual Network Gateways (you can write network gateways in the search bar for faster access) and there should be one created under the Managed Instance vnet, open it and click the Point-to-site configuration blade




  1. Open the previously exported Root certificate in Notepad and copy everything shown in blue:




  1. Copy that string to a new certificate line in the blade we opened in the gateway and assign it a name then save the settings.




  1. On that same blade click the Download VPN client button, extract it and run the setup version for your indows version.



  1. Next, open the VPN settings in your Windows client machine and connect to the recently installed VPN client. If the client certificate was successfully installed on the machine, the connection should go through and connecting via SSMS to your Managed Instance should work.

%3CLINGO-SUB%20id%3D%22lingo-sub-369097%22%20slang%3D%22en-US%22%3EHow-to%20set%20up%20point-to-site%20peering%20with%20Azure%20SQL%20Managed%20Instance%20and%20self-signed%20certificates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-369097%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Nov%2001%2C%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CEM%3E%20This%20tutorial%20assumes%20the%20Managed%20Instance%20is%20already%20created%20and%20that%20connections%20from%20the%20jumpbox%20also%20work.%20%3C%2FEM%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20If%20you%20have%20a%20Managed%20Instance%20and%20would%20like%20to%20connect%20directly%20from%20a%20place%20which%20is%20outside%20of%20Azure%2C%20you%20may%20have%20noticed%20that%20Managed%20Instances%20are%20only%20accessible%20via%20private%20IPs.%20Once%20a%20Managed%20Instance%20is%20created%2C%20we%20offer%20a%20Getting%20Started%20guide%20to%20deploy%20a%20Virtual%20Machine%20inside%20another%20subnet%20on%20the%20same%20vnet%20the%20MI%20is%20part%20of%2C%20but%20you%20may%20want%20to%20skip%20having%20a%20VM%20provisioned%20in%20Azure%20and%20connecting%20as%20you%20usually%20do%20with%20Azure%20SQL%20Database.%20This%20means%20that%20you%20would%20need%20a%20direct%20connection%20from%20your%20laptop%2C%20for%20example%2C%20to%20the%20vnet%20where%20the%20MI%20was%20deployed%20and%20this%20can%20be%20done%20using%20Point-to-Site%20peering.%20Instructions%20below%3A%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EOn%20the%20Getting%20Started%20page%2C%20run%20the%20script%20(via%20local%20PowerShell)%20under%20the%20P2S%20tab%20to%20set%20up%20the%20VPN%20gateway%2C%20configure%20it%20for%20P2S%20and%20attach%20it%20to%20the%20vnet%20(this%20all%20happens%20automatically%20with%20the%20script)%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89056iBF66D8C8CEA5B691%22%20%2F%3E%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EFire%20up%20your%20computer%20and%20create%20a%20%3CSTRONG%3E%20self-signed%20root%20certificate%20%3C%2FSTRONG%3E%20via%20PowerShell%20(that%20we%20will%20later%20upload%20to%20Azure)%20with%20the%20below%20script%20(you%20can%20change%20the%20name%20in%20the%20-Subject%20variable%2C%20the%20certificate%20will%20be%20automatically%20installed%20on%20your%20local%20Cert%20Store)%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%24cert%20%3D%20New-SelfSignedCertificate%20-Type%20Custom%20-KeySpec%20Signature%20%60%20%3CBR%20%2F%3E%20-Subject%20%22CN%3DP2SRootCert%22%20-KeyExportPolicy%20Exportable%20%60%20%3CBR%20%2F%3E%20-HashAlgorithm%20sha256%20-KeyLength%202048%20%60%20%3CBR%20%2F%3E%20-CertStoreLocation%20%22Cert%3A%5CCurrentUser%5CMy%22%20-KeyUsageProperty%20Sign%20-KeyUsage%20CertSign%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EUsing%20the%20same%20PowerShell%20session%2C%20run%20the%20following%20command%20to%20create%20and%20install%20a%20client%20certificate%20from%20the%20root%20certificate%20created%20in%20the%20step%20above%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%24cert%20%3D%20New-SelfSignedCertificate%20-Type%20Custom%20-DnsName%20P2SChildCert%20-KeySpec%20Signature%20%60%20%3CBR%20%2F%3E%20-Subject%20%22CN%3DP2SChildCert%22%20-KeyExportPolicy%20Exportable%20%60%20%3CBR%20%2F%3E%20-HashAlgorithm%20sha256%20-KeyLength%202048%20%60%20%3CBR%20%2F%3E%20-CertStoreLocation%20%22Cert%3A%5CCurrentUser%5CMy%22%20%60%20%3CBR%20%2F%3E%20-Signer%20%24cert%20-TextExtension%20%40(%222.5.29.37%3D%7Btext%7D1.3.6.1.5.5.7.3.2%22)%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3ENext%2C%20lets%20Export%20the%20root%20certificate%20from%20the%20Windows%20Certificate%20Store%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ESearch%20in%20the%20Start%20menu%20for%20%3CEM%3E%20Manage%20user%20certificates%3C%2FEM%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89057iB1A18722CF4BF359%22%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EIn%20the%20Export%20Wizard%2C%20%3CSTRONG%3E%20do%20not%20%3C%2FSTRONG%3E%20export%20the%20private%20key%20and%20use%20%3CSTRONG%3E%20Base-64%20%3C%2FSTRONG%3E%20encoding.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CEM%3E(Optional)%20%3C%2FEM%3E%20If%20the%20client%20certificate%20needs%20to%20be%20in%20another%20computer%2C%20export%20it%20using%20the%20following%20options%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3E%3CSTRONG%3EYes%20%3C%2FSTRONG%3E%20to%20the%20private%20key.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ELeave%20the%20default%20options%20in%20%3CSTRONG%3E%20Export%20File%20Format%20%3C%2FSTRONG%3E%20.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EMake%20sure%20to%20protect%20it%20with%20a%20password.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ENext%2C%20look%20in%20the%20Portal%20for%20%3CSTRONG%3E%20Virtual%20Network%20Gateways%20%3C%2FSTRONG%3E%20(you%20can%20write%20%3CEM%3E%20network%20gateways%20%3C%2FEM%3E%20in%20the%20search%20bar%20for%20faster%20access)%20and%20there%20should%20be%20one%20created%20under%20the%20Managed%20Instance%20vnet%2C%20open%20it%20and%20click%20the%20%3CSTRONG%3E%20Point-to-site%20configuration%20blade%3C%2FSTRONG%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89058iFFC5055BB2EB8D19%22%20%2F%3E%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EOpen%20the%20previously%20exported%20Root%20certificate%20in%20Notepad%20and%20copy%20everything%20shown%20in%20blue%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89059iDB56CA991E670C34%22%20%2F%3E%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3ECopy%20that%20string%20to%20a%20new%20certificate%20line%20in%20the%20blade%20we%20opened%20in%20the%20gateway%20and%20assign%20it%20a%20name%20then%20save%20the%20settings.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89060iE3E32C90AD71EF17%22%20%2F%3E%20%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EOn%20that%20same%20blade%20click%20the%20%3CSTRONG%3E%20Download%20VPN%20client%20%3C%2FSTRONG%3E%20button%2C%20extract%20it%20and%20run%20the%20setup%20version%20for%20your%20indows%20version.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3ENext%2C%20open%20the%20VPN%20settings%20in%20your%20Windows%20client%20machine%20and%20connect%20to%20the%20recently%20installed%20VPN%20client.%20If%20the%20client%20certificate%20was%20successfully%20installed%20on%20the%20machine%2C%20the%20connection%20should%20go%20through%20and%20connecting%20via%20SSMS%20to%20your%20Managed%20Instance%20should%20work.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-369097%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Nov%2001%2C%202018%20This%20tutorial%20assumes%20the%20Managed%20Instance%20is%20already%20created%20and%20that%20connections%20from%20the%20jumpbox%20also%20work.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-369097%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Emanaged%20instance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ep2s%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPeering%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Evpn%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Mar 13 2019 07:23 PM
Updated by: