Unable to connect to MSSQL externally from Amazon Lightsail Windows Instance - sql-server

I am unable to connect to my MSSQL database from outside the server despite exposing the port and setting up inbound rules both in Windows Firewall and the LightSail dashboard.
Networking dashboard image Networking dashboard image. I can reach the hosted IIS website at port 80 but SQL port is not reachable despite setting inbound rule.

Related

Cannot connect to both RDP and SQL Server(Azure) over VPN at the same time

I have an Azure VPN client that I use for connecting to a web server using RDP and to an Azure SQL Server instance using SSMS. The problem is, I cannot connect to both at the same time.
When I go to the Networking properties of the VPN connection, then select the properties of TCP/IPv4, if I select "Use default gateway on remote network", I am able to connect to RDP, but not SQL Server. If "Use default gateway on remote network" is not selected, I am able to connect to SQL Server, but not RDP.
What can I do to be able to connect to both at the same time?
As far as I know. By default, once a successful VPN connection creates, the highest priority entry will be added automatically in the local machine route table. When you select Use default gateway on remote network, data that can not be sent on the local network is forwarded to the dial-up network when you are connected to a local network and a dial-up network simultaneously. The local network prefers to select a VPN connection route. The connection to a local network is disconnected automatically by default. So you could RDP to the web server via the private VPN connection in the dial-up network. You could not access the Azure SQL server since the traffic from the dial-up network is not allowed in the firewall of Azure SQL server firewall. In this scenario, you could check if the outgoing traffic to the Internet from your dial-up network is blocking.
When you un-select Use default gateway on remote network, usually default gateway of the PPP adaptor will be empty. In this scenario, you cannot connect to resources on the remote network because you have disabled the Use Default Gateway on Remote Network setting in the VPN TCP/IP configuration. You could add routes for the desired VPN subnets. Refer to this paragraph Configuring Split Tunnel for Windows
You could use route print on the local machine to check the route entry. Compare the route table in the two situations. More details you could get from this DOC.
It sounds to me like you need to configure a service endpoint on your vnet to allow traffic to route through to your Azure SQL database.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview
Try the link above for help configuring it.

Query of on-premises SQL Server from Azure web app (over Azure S2S VPN) fails

Our infrastructure team has worked to configure a site-to-site Azure VPN connection between our Azure subscription and our on-prem firewall, essentially following these steps. To test this, we've created a simple Azure web app that makes a query against a SQL Server that is located on-prem behind the firewall.
This web app works locally with no issues. Furthermore, the same code and connection string, when compiled as a console application and run on an Azure virtual machine, works correctly as well. But when deployed to the web app in Azure, the connection to the SQL Server fails:
[Win32Exception (0x80004005): The wait operation timed out]
[SqlException (0x80131904): A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The
server was not found or was not accessible. Verify that the instance
name is correct and that SQL Server is configured to allow remote
connections. (provider: TCP Provider, error: 0 - The wait operation
timed out.)]
Both the Azure VM and web app are configured to point to the Azure VNet. It seems like something is preventing the web app from communicating with the SQL Server on its default port (1433). If I open up the web app's debug console and do a tcpping at the SQL Server with the default port (80), it returns successfully. But a tcpping to port 1433 times out.
It doesn't appear that the Azure Network Security Group is blocking that port:
The only solutions I've found that are relevant to our specific setup basically boil down to "use Azure Hybrid Connections instead", which would not be our first choice.
After working with Microsoft's support, the following changes were made and the VNet integration is working now. I apologize for the lack of detail on some of these, but our infrastructure team did most of the troubleshooting. Hopefully, some of these items will help point someone else the direction of a solution for their setup:
Initially, the connection was being made through public internet and not the VNET Integration and VPN. We identified that the VNET integration was failing due to the tunnel type being used. Azure App Service has a requirement that the tunnel type is SSTP. Once we changed it and synced the network, we were able to tcpping the SQL Server through its private IP.
We noticed it had to allow on the on-premises Network the point-to-site address pool. As a workaround, we decided to use the New VNET Integration (Preview). We created an empty subnet and were able to use this new feature.
We noticed then the App Service was not using the custom DNS. To resolve this, we added the DNS on the Virtual Network and also in the App Settings ("WEBSITE_DNS_SERVER") for the web app.

How to connect database which is on aws VM from azure website

I want to connect to the database which is on Amazon AWS VM from azure website.
It is giving error "not accessible"
Any configuration I have to made in AWS VM
You need to setup a security group and open up inbound and outbound ports in AWS.
Only after your sql server port is opened you can connect to your sserver from Azure.
If you are using MySql which uses 3306 port by default (you need to change this for security reasons), you need to open up 3306 to recieve and throw bytes.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Have you checked your network firewall settings in both azure and aws? I suspect that's your issue. Create exceptions for the proper IP addresses.

Are we doing DMZ correctly?

We are building a client solution that will be hosted on servers in a data-centre. It consists of several servers all related to providing the client solution. There is no internal network to protect but for some reason our UAT environment has the notion of a DMZ in the server diagram.
We have an IIS box which will have a public IP. Then we have two servers DB(Sql Server) and APP that are only on the internal lan with no public IPs. You can only RDP to these servers via VPN. Our IIS server needs sql access so port 1433 is open from IIS box(DMZ) to the sql server. We are also opening several ports from the IIS server to the APP server which hosts WCF services.
My understanding was that a DMZ was meant to protect internal private networks and that these networks should not be accessible from the DMZ but we are now opening up ports to both our APP and DB servers so they are accessible from the DMZ. In the end most of our servers are accessible from the IIS server via certain ports.
We originally wanted to setup our SQL server for AD authentication only but since our IIS server is in the DMZ and has no AD access we will be forced to enable mixed mode authentication in SQL server. This might be another security issue in it's own since we are now forced to store passwords somewhere on the IIS server to be able to auth against sql server.
Are we not perhaps missing the idea of a DMZ?
So with a system where you have a DMZ, there is also a firewall involved.
So your system should look like this I think:
SQL-server hosting internal data
Other servers needed for the company
---- firewall ----
SQL-server hosting data for web solution
AD-server (if needed)
Web-server
FTP-server (could be on the web server also)
With this setup you don't expose company-sensitive database to the outside world and you also don't open up a port in the firewall making it possible for attackers to (maybe) get access to the internal database which has company sensitive data...
Just my suggestion based on the information provided.

Connect to ec2 database from non-local without tunneling

I am making some application and I need to connect to database which is on Amazon server.
It works fine from local but I need direct access to database without ssl tunneling.
On AWS console 3306 port is opened

Resources