Microsoft

Error 10060: Configure Azure NSG for Azure DB and Azure DW Connectivity

Customers running Virtual Machines in the cloud require an additional layer of security, and a cost-effective option is to implement Network Security Groups (NSGs) to control inbound and outbound traffic to and from their Azure hosted services.

When connecting to Azure SQL DB or Azure SQL DW using SQL credentials, specific ports must be allowed through the NSG. Both Azure SQL DB and Azure DW allow secure VNET connections; to make use of this configuration, destination Service Tags are applied to the firewall rule.

If the NSG is not correctly configured, Error 10060 is returned because a connection to the database could not be established.

For the list of ports that must be opened in addition to those in this article for AAD or hybrid AD domain scenarios with Windows-based authentication, refer to the following article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

Problem Scenario

The customer configured their NSG to allow port 1433 traffic to their Azure DW, as per our documentation, which states that Azure DW requires this port for connectivity to complete.

A successful connection test was performed by the customer via telnet to port 1433 of the target server name.

pic1.PNG

When connecting to the target DW database with SQL credentials, we receive the following exception.

pic2.PNG

When using SSMS, Error 10060 is returned, and it clearly states that a connection attempt failed because the connected party did not respond after a period of time.

pic3.PNG

Solution:

The NSG had ports 80, 443 and 1433 allowed through the firewall, which according to most people's understanding is sufficient to allow access to Azure DW.

As per the Azure connectivity architecture, when the connection originates within the Azure boundary the Redirect policy is used, which requires port range 11000 to 11999 to be opened as well; when the host is outside the Azure network, it is a Proxy connection using port 1433 only.

https://docs.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture

The firewall rules on the logical server allow you to change the connection policy for all inbound connections to Proxy; when doing so, only port 1433 is required. (The default is Proxy for connections external to Azure and Redirect for connections internal to Azure.)

When the following NSG firewall rule was created, we were able to connect successfully to the target DW database using SQL credentials.

The NSG will be associated with the VNET in which the source VM was created. I will be limiting access on my DW to that VNET only, and in order to do so will also make use of the Service Tag for SQL in my NSG rule.

Ensure that the Destination references: Service Tag

Ensure that the Destination Service Tag selected is: Sql

For additional security, select the Source as your source VM VNET and not Any, as per the example below.

pic4.PNG
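The port requirements and rule advice above, turned into a check that can be run over an exported NSG rule set (an added example, not Microsoft's code). The rule dicts, the deny-all rule and the assumption that unmatched outbound traffic is denied are constructed here; field names follow the shape of `az network nsg rule list` output.

```python
# Added example (not Microsoft's code): evaluates an NSG rule set against the outbound ports
# Azure SQL DB/DW needs. Rule dicts are constructed to mimic `az network nsg rule list` fields.
def required_ports(source_in_azure, policy="Default"):
    """Proxy -> TCP 1433 only; Redirect -> 1433 plus 11000-11999. The default policy
    is Proxy for sources outside Azure and Redirect for sources inside Azure."""
    if policy == "Default":
        policy = "Redirect" if source_in_azure else "Proxy"
    if policy not in ("Proxy", "Redirect"):
        raise ValueError(f"unknown connection policy: {policy}")
    return [(1433, 1433)] + ([(11000, 11999)] if policy == "Redirect" else [])

def _matches(rule, port):
    """Does this outbound rule apply to TCP traffic to the Sql tag on `port`? ('*' and
    'Internet' destinations also cover the Sql address space.)"""
    if rule["direction"] != "Outbound" or rule["protocol"] not in ("Tcp", "*"):
        return False
    if rule["destinationAddressPrefix"] not in ("Sql", "Internet", "*"):
        return False
    for spec in rule["destinationPortRanges"]:            # "1433", "11000-11999" or "*"
        lo, _, hi = ("0", "", "65535") if spec == "*" else spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, port):
    """First match by priority wins. No match is treated as denied, i.e. we assume the
    default AllowInternetOutBound rule has been overridden by a deny-all rule."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, port):
            return rule["access"], rule
    return "Deny", None

def check_nsg(rules, source_in_azure=True, policy="Default"):
    """Return findings; an empty list means this NSG will not cause Error 10060."""
    findings = []
    for lo, hi in required_ports(source_in_azure, policy):
        blocked = [p for p in range(lo, hi + 1) if decide(rules, p)[0] != "Allow"]
        if blocked:
            findings.append(f"TCP {blocked[0]}-{blocked[-1]} to Sql is not allowed")
    access, rule = decide(rules, 1433)   # least-privilege checks on the rule opening 1433
    if access == "Allow" and rule["destinationAddressPrefix"] != "Sql":
        findings.append(f"{rule['name']}: use the Sql service tag as destination")
    if access == "Allow" and rule["sourceAddressPrefix"] in ("*", "Internet"):
        findings.append(f"{rule['name']}: source should be VirtualNetwork, not Any")
    return findings

def _rule(name, priority, access, source, dest, ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Outbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source,
            "destinationAddressPrefix": dest, "destinationPortRanges": ports}

# Constructed rule sets: the customer's first attempt (80/443/1433 to Any) and the fix.
DENY_ALL = _rule("DenyAllOutbound", 4096, "Deny", "*", "*", ["*"], protocol="*")
ORIGINAL_NSG = [_rule("AllowWeb", 100, "Allow", "*", "Internet", ["80", "443", "1433"]), DENY_ALL]
FIXED_NSG = [_rule("AllowSql", 100, "Allow", "VirtualNetwork", "Sql", ["1433", "11000-11999"]), DENY_ALL]
```

`check_nsg(ORIGINAL_NSG)` reports the missing 11000-11999 range plus the two least-privilege findings, while `check_nsg(FIXED_NSG)` returns no findings; passing `source_in_azure=False` (Proxy) makes the original set's port coverage sufficient.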

In accordance with Azure DW best practices, we limit the connection to my Azure SQL Server, which hosts the DW, to the following VNET only, thus completing the secure end-to-end connection.

pic5.PNG

For additional information on Service Endpoints, refer to the following article: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview

3 Comments
Established Member

This seems to work great for SQL Auth; however, when selecting Integrated AD auth it does not. It looks to need something on port 80 from somewhere on the internet (an error relating to SSL cert revocation, so I'm assuming it's CRL related), but as this isn't something we would openly allow (free open port 80 internet access), being able to narrow this down would be useful.

You'd think that Microsoft would publish such information clearly, but apparently not!


Microsoft

Hi Anthony, have you tried to run a Fiddler trace to confirm where your connection is being blocked and where the authentication attempt is failing? Ports 80 and 443 outbound should be allowed to all services; if you restrict those ports you could face challenges. It also depends on your domain topology with Azure: are you using Federation, is it purely Azure AD, or is it a hybrid scenario? Depending on which AD topology you have in place, it would require access to different services, whether on-premises or in Azure.

Established Member

Hi, no I haven't, as I was wanting to troubleshoot by reviewing the NSG flow logs, but this also has issues, for which I have an open support request that has gone unanswered after a week.

 

As the Azure VM is an extended part of our "internal" networks, freely opening 80 and 443 to the whole internet isn't something we would do. Does Microsoft really not publish what connections are required for each scenario?