cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

S2S VPN to SQL MI

WilliamBonomo
Copper Contributor

‎Sep 09 2022 07:22 AM

‎Sep 09 2022 07:22 AM

S2S VPN to SQL MI

Hi Guys,

 

We have a Site-to-site VPN from our office to Azure using IPsec on our Fortigate firewall. The VPN set up is up and running fine for all resources except for SQL MIs.

The Local Network Gateway and Virtual Network Gateway sit on VNET A and the SQL MI on VNET B, with the due peerings set up I can access resources like storage accounts on VNET B but it doesn't work for SQL MI.

Is it a limitation on Fortigate when trying to resolve the SQL MI instance example.vnet.database.windows.net to the correct subnet?

If I try nslookup or ping I can only see the broadcast address not the instance private IP.

 

Worth to mention that we are using OpenVPN for P2S when working from home and it works fine when connecting to SQL MI.

 

Thank you in advance.

640 Views
0 Likes
4 Replies
Reply
4 Replies
tommykneetz

‎Sep 12 2022 02:55 AM

‎Sep 12 2022 02:55 AM

Re: S2S VPN to SQL MI

its a dns and routing issue.. what ip-address to you get onpremise for example.vnet.database.windows.net? I guess its a public ip.. you mus have a service endpoint for your sql mi or a private endpoint..
0 Likes
Reply
WilliamBonomo

‎Sep 12 2022 03:09 AM - edited ‎Sep 12 2022 04:13 AM

‎Sep 12 2022 03:09 AM - edited ‎Sep 12 2022 04:13 AM

Re: S2S VPN to SQL MI

Hi @tommykneetz.

 

We get the same IP for all instances, per example: 172.10.5.254.

 

I tried to create a private endpoint but I cannot use the same subnet as the MIs subnet is delegated to Managed Instances.

Would it work if I use a different subnet?

 

Thank you.

0 Likes
Reply
best response confirmed by WilliamBonomo (Copper Contributor)
WilliamBonomo

‎Sep 12 2022 05:46 AM

‎Sep 12 2022 05:46 AM

Solution

Re: S2S VPN to SQL MI

Thanks, Tommy. I have it working already.

So I have created a new subnet to serve the private endpoints and added the due inbound/outbound to the security groups then had to add the instance to the Windows hostfile as DNS still doesn't resolve to the private endpoint but this isn't a big deal.
0 Likes
Reply