Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
600 questions
Azure Database Access from A Different Virtual Network
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 21%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESO%3C/text%3E%3C/svg%3E)
Seun Ore
40
Reputation points
Dear Azure Team,
I have an azure managed mysql database in virtual network vnet1 and a virtual machine in vnet2. I am unable to get this VM to access the database. I have a hub-spoke architecture with both vnet1 and vnet2 peered with my hub-vnet with firewall. I am not interested in peering vnet1 and vnet2. I tried to setup a FQDNs network rule in firewall but then this required that You must enable DNS Proxy on the Firewall before you can add Network rules with FQDN Destinations.
I am not very vast in azure firewall and i do not want to upset or cause disruptions to existing systems. What is the safest way to achieve this? What also is the implication of You must enable DNS Proxy on the Firewall before you can add Network rules with FQDN Destinations. In anyway, will this really solve the problem? The database is using private DNS connection string like name.mysql.database.azure.com with no public access and I'd like to maintain this status.
Seun
{count} votes
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee2024-07-01T09:32:08.8233333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you have a Managed mySql in vnet1 and a VM in vnet2 and these two VNETs are peered to a HubVNET which has a Azure Firewall and you would like to establish Transit connectivity between the Spokes VNET1 and VNET2.
Before Troubleshooting for VNET2, I would suggest you to make sure VMs in VNET1 are able to reach and access the database.
- Can you confirm if the VMs in VNET1 work with the Database?
For Transit connectivity,
- I believe the service you are using is Azure Database for MySQL - Flexible Server
- Correct me if I am wrong
- Can you confirm if UDRs are associated to both the subnet of the VM and the subnet of the managed database with a route 0.0.0.0/0 pointing to Azure Firewall IP ?
- In the network rules, may I ask why you are planning to use a FQDN instead of IP Address?
- From the VM, please run *
nsolookup name.mysql.database.azure.com*and share the results - From the VM, please run *
ping name.mysql.database.azure.com*and share the results
- From the VM, please run *
Cheers,
Kapil
-
Seun Ore 40 Reputation points
2024-07-01T10:38:45.5166667+00:00 @KapilAnanth-MSFT thank you!
Can you confirm if the VMs in VNET1 work with the Database?YesI believe the service you are using isAzure Database for MySQL - Flexible Server. YesCan you confirm if UDRs are associated to both the subnet of the VM and the subnet of the managed database with a route 0.0.0.0/0 pointing to Azure Firewall IP ?The last time I did this, it caused a downtime for some of our services in vnet2. Because earlier, I created a route in both vnets, pointing to the private IP of the azure firewall instance and associated vnet2 subnet to it. I removed it in order to restore our services.nslookup name.mysql.database.azure.com Server: 127.0.0.53 Address: 127.0.0.53#53 ** server can't find name.mysql.database.azure.com: NXDOMAIN ping name.mysql.database.azure.com ping: name.mysql.database.azure.com: Name or service not knownHowever, from a server deployed into hub-vnet subnet, I was able to ping and nslookup the database successfully.
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
2024-07-01T12:45:10.3433333+00:00 @Seun Ore ,Without UDR, Transit connectivity across Peered VNETS (Spokes) will not work.
You must check what are the dependencies and work on them.
If you want only traffic between VM and Database to go via Firewall, what you can do is,
- In the Route Table attached to the VM, instead of 0.0.0.0/0, add the subnet range of Database and nextHop as Azure Firewall
- In the Route Table attached to the Database Subnet, instead of 0.0.0.0/0, add the subnet range of the VM and nextHop as Azure Firewall
- This way, the default route (0.0.0.0/0) will not be impacted
Wrt DNS,
- I take it that "name" is just a place holder and you used the exact name of the Database server name.
- i.e., nslookup <YOURDATABASENAME>.mysql.database.azure.com
- For testing, you can add an entry in the Host file pointing <YOURDATABASENAME>.mysql.database.azure.com to the private IP address of the Database
- Once done, share the results of
ping <YOURDATABASENAME>.mysql.database.azure.com
Let me know how it goes with UDR and Host file.
Sign in to comment