SOLVED

S2S VPN to SQL MI

Occasional Contributor

Hi Guys,

 

We have a Site-to-site VPN from our office to Azure using IPsec on our Fortigate firewall. The VPN set up is up and running fine for all resources except for SQL MIs.

The Local Network Gateway and Virtual Network Gateway sit on VNET A and the SQL MI on VNET B, with the due peerings set up I can access resources like storage accounts on VNET B but it doesn't work for SQL MI.

Is it a limitation on Fortigate when trying to resolve the SQL MI instance example.vnet.database.windows.net to the correct subnet?

If I try nslookup or ping I can only see the broadcast address not the instance private IP.

 

Worth to mention that we are using OpenVPN for P2S when working from home and it works fine when connecting to SQL MI.

 

Thank you in advance.

4 Replies
its a dns and routing issue.. what ip-address to you get onpremise for example.vnet.database.windows.net? I guess its a public ip.. you mus have a service endpoint for your sql mi or a private endpoint..

Hi @tommykneetz.

 

We get the same IP for all instances, per example: 172.10.5.254.

 

I tried to create a private endpoint but I cannot use the same subnet as the MIs subnet is delegated to Managed Instances.

Would it work if I use a different subnet?

 

Thank you.

best response confirmed by WilliamBonomo (Occasional Contributor)
Solution
Thanks, Tommy. I have it working already.

So I have created a new subnet to serve the private endpoints and added the due inbound/outbound to the security groups then had to add the instance to the Windows hostfile as DNS still doesn't resolve to the private endpoint but this isn't a big deal.