Azure SQL:无法从本地网络 ping 专用终结点

huangapple go评论104阅读模式
英文:

Azure SQL: can’t ping the Private Endpoint from on-prem

问题

我已经设置了一个Azure SQL PaaS服务器和一个私有端点(PE),以便通过我们的VPN私下连接。但是,我无法从我的本地客户端对端点IP进行ping操作。由于PE不支持ICMP流量(请参阅FAQ),所以ping命令不受支持,我使用了psping。我的设置如下,我想要一些建议,看看我是否漏掉了什么。

架构:本地VPN通过S2S VPN连接到Azure的Hub和Spoke环境(1个Hub订阅+Vnet,3个Spoke订阅+VNets。所有Spoke VNets都与Hub Vnet进行了对等连接)。

PE部署到了一个Spoke中的一个子网(没有委派,但我已经在Microsoft.Sql服务上进行了检查)。PE使用了Hub子网中的一个私有DNS区域,该区域已启用了与Hub和Spoke VNets的Vnet链接。A名称记录用于DNS目的(但在这种情况下,我只是想测试IP连接性)。

我还在所有的订阅上注册了Microsoft.Networks和Microsoft.Sql资源提供程序。

Azure SQL已关闭了公共访问,并将一个(已批准的)PE列为私有连接方法。

在我的本地笔记本电脑上,我希望能够打开cmd并使用psping命令ping PE的IP,但它总是超时。为什么我不能这样做呢?(FYI-对于FQDN解析,我们有一个本地DNS服务器,但由于这是外部管理的,我还没有要求他们为Azure DNS私有解析器创建有条件的转发器以进行DNS查找。我想首先测试IP ping。我们在Spoke VNets中有一些成功使用其IP ping的私有(VNet注入的)PostgreSQL Flexible服务器)。谢谢。

英文:

I’ve set up an Azure SQL PaaS server and a private endpoint (PE) so I can connect privately over our VPN. However I can’t ping the endpoint IP from my on-premise client. As the ping command isn't supported (as PE doesn't support ICMP traffic - see FAQ), I used psping too. My set up is below, I’d like some advice on what I’m missing.

Architecture: on-prem VPN Connected via S2S VPN to an Azure Hub and Spoke environment (1 Hub Subscription+Vnet, 3 Spoke Subs+VNets. All spoke Vnets peered with Hub Vnet).

PE deployed to one of the spokes, into a Subnet (no delegation, but I’ve checked on the Microsoft.Sql service). PE uses a Private DNS Zone in the Hub Sub which has Vnet links enabled to the Hub and Spoke VNets. The A name records exist for DNS purposes (but in this case I'm just trying to test IP connectivity).

I’ve also registered Microsoft.Networks and Microsoft.Sql resource providers on all Subs.

Azure SQL has public access turned off, and has an (approved) PE listed as a private connection method.

On my on-prem laptop, I expect to be able to open cmd and psping the ip of the PE but it always times out. Why can’t I do it? (FYI- for FQDN resolution, we have an on-prem DNS server, but as this is externally managed I’m yet to ask them to create the conditional forwarder to the Azure DNS private resolver for DNS lookup. I want to test the ip ping first. We have some private (VNet injected) PostgreSQL Flexible servers in the Spoke VNets which I can successfully ping using their IPs). Thanks

答案1

得分: 1

我已成功连接/ ping 了我的私有 Azure SQL 服务器的FQDN,连接来自本地客户机。我将在此答案中列出所有要求:

  • Azure SQL Server(分配给其中一个Spoke订阅,禁用公共访问,启用私有访问,并设置为下面描述的私有终结点)
  • Azure SQL数据库(附加到服务器)
  • 子网*(在我的情况下,添加Microsoft.Sql服务终结点没有效果,但我仍然启用了它)
  • 私有终结点(部署到我的一个Spoke VNet中,在上面的子网中,与下面的私有DNS区集成,目标子资源设置为sqlServer
  • 私有DNS区(包含SQL服务器名称和私有终结点私有IP地址的A类型记录,关联到Hub订阅,与Hub VNet和所有3个Spoke VNet建立虚拟网络链接)
  • 对于每个订阅,在资源提供程序刀片中,确保已注册Microsoft.Network(用于私有终结点使用)和Microsoft.Sql(用于Azure SQL使用)
  • 位于Hub VNet中的基于Azure的DNS转发器(VM或DNS私有解析器)
  • 在本地自定义DNS服务器中添加了条件转发器,将对database.windows.net的查询定向到Azure DNS转发器的入站终结点IP地址

*根据您的Azure设置,子网可能需要分配NSG和路由表。

对我来说,这整个解决方案实现了本地私有连接到Azure SQL数据库。然后我可以使用psping fqdn:port(正常的ping命令对PEs不起作用)。我希望其他人也会发现这个有用。相关的微软文档链接在这里(请参见下面的第二张图片)和在这里

来自这些文章的相关图片:

Azure SQL:无法从本地网络 ping 专用终结点

Azure SQL:无法从本地网络 ping 专用终结点

英文:

I've successfully managed to connect to/ping the FQDN of my private Azure SQL server from an on-premise client machine. I'll list all the requirements in this answer:

  • an Azure SQL Server (assigned to one of the Spoke Subscriptions, public access disabled, private access enabled & set to the Private Endpoint described below)
  • an Azure SQL Database (attached to the server)
  • a Subnet* (adding the Microsoft.Sql service endpoint has no effect in my scenario, but I have it enabled anyway)
  • a Private Endpoint (deployed into one of my Spoke VNets, into the Subnet above, integrated with the Private DNS Zone below, with target sub-resource set to sqlServer)
  • a Private DNS Zone (containing A type record to the SQL server name and Private Endpoint private IP address, associated to the Hub Subscription, with Virtual network links to the Hub VNet, and all 3 spoke VNets)
  • for each Subscription, in Resource providers blade, make sure Microsoft.Network (for Private Endpoint usage) and Microsoft.Sql (for Azure SQL usage) are registered
  • an Azure based DNS forwarder (VM or DNS Private Resolver) located in the Hub VNet
  • a Conditional Forwarder added to the on-premise custom DNS Server, directing queries for database.windows.net to the inbound endpoing IP address of the Azure DNS forwarder

*the Subnet may need a NSG and Route table assigned to it, depending on your Azure setup.

For me, this entire solution enabled on-premise private connectivity to an Azure SQL database. I then could psping fqdn:port (normal ping command won’t work for PEs). I hope others find this useful. Relevant MS documentation links here (see second image down) and here.

Relevant images from these articles:

Azure SQL:无法从本地网络 ping 专用终结点

Azure SQL:无法从本地网络 ping 专用终结点

huangapple
  • 本文由 发表于 2023年7月20日 20:13:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/76729736.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定