I want to connect to the database which is on Amazon AWS VM from azure website.
It is giving error "not accessible"
Any configuration I have to made in AWS VM
You need to setup a security group and open up inbound and outbound ports in AWS.
Only after your sql server port is opened you can connect to your sserver from Azure.
If you are using MySql which uses 3306 port by default (you need to change this for security reasons), you need to open up 3306 to recieve and throw bytes.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Have you checked your network firewall settings in both azure and aws? I suspect that's your issue. Create exceptions for the proper IP addresses.
Related
I deployed a web app on Azure App Services. When web app tries to connect to the Azure SQL Database connection failed.
I downloaded the event log from Kudu, I found the following error message:
Cannot open server 'servername' requested by the login. Client with IP
address '**************' is not allowed to access the server. To
enable access, use the Windows Azure Management Portal or run
sp_set_firewall_rule on the master database to create a firewall rule
for this IP address or address range. It may take up to five minutes
for this change to take effect..
On Azure portal I found how to set server firewall by adding a range of client IP addresses (with lower bound and upper bound) according your client IP address. For instance, if client IP address is 00.000.000.09 the range of IP addresses is: low bound (00.000.000.0) and upper bound (00.000.000.255).
I set the server firewall for the IP address assigned to my Azure App Services account and also for my local machine to connect to Azure SQL Database from SQL Server Management Studio. After setting firewall, I can connect to Azure SQL Database with SQL Server Management Studio. Unfortunately unable to connect from web app. When I download event log from Kudu I find the same message error.
Someone could help to solve that issue.
Thanks.
Go to your SQL Server in Azure Portal.
Go to "Firewall and Virtual Network".
Turn on "Allow Azure Service and resources to access this server".
Allowing Azure Service and resources to access this server may not be the correct approach. This may be a security issue in many cases. We have to create managed identity and assign to webapp or sql server where required.
I have SSRS running on my Azure VM, I want to access my SSRS Server Portal through my DNS name with an https. I already deploy add configure my https using a certificate that I already generate using let's encrypt and a different port. FYI this certificate is used by my Website too. But when I try to access my SSRS using an https and my DNS name, but it won't connect, its return site can't be reached. I already add inbound rules to my port too. But when I try to connect from my Ip and Http It will connect. What did I miss?
I found the answer, I need to add my Inbound port in my azure Network Security Group
I have my api running on Azure and it is working perfect if it is connected to Azure SQL database.
I want this api to use my local database i.e on-premises database. I made my database to accept connection from remote and also enabled TCP/IP in wf.msc and also created an inbound rule for 1433. Is there anything i had to do to make this work? I tried to use the following connection string in azure :
ASP.Net core 2.0 web api written in C# hosted on azure and trying to access the sqlserver database on the Virtual Machine.
I tried as mentioned in the following to create hybrid connection but the status keeps saying 'Not Connected'
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Server=tcp:<mycomputername>,1433;Initial Catalog=MyDb;Persist Security Info=False;User ID=userid;Password=pwd;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
If your On-Prem SQL VM is behind firewall, you need to allow inbound from Azure. Usually you poke a hole in your On-Prem firewall and allow inbound from your Azure (source) to your On-Prem SQL server (Destination) on a particular port.
We are building a client solution that will be hosted on servers in a data-centre. It consists of several servers all related to providing the client solution. There is no internal network to protect but for some reason our UAT environment has the notion of a DMZ in the server diagram.
We have an IIS box which will have a public IP. Then we have two servers DB(Sql Server) and APP that are only on the internal lan with no public IPs. You can only RDP to these servers via VPN. Our IIS server needs sql access so port 1433 is open from IIS box(DMZ) to the sql server. We are also opening several ports from the IIS server to the APP server which hosts WCF services.
My understanding was that a DMZ was meant to protect internal private networks and that these networks should not be accessible from the DMZ but we are now opening up ports to both our APP and DB servers so they are accessible from the DMZ. In the end most of our servers are accessible from the IIS server via certain ports.
We originally wanted to setup our SQL server for AD authentication only but since our IIS server is in the DMZ and has no AD access we will be forced to enable mixed mode authentication in SQL server. This might be another security issue in it's own since we are now forced to store passwords somewhere on the IIS server to be able to auth against sql server.
Are we not perhaps missing the idea of a DMZ?
So with a system where you have a DMZ, there is also a firewall involved.
So your system should look like this I think:
SQL-server hosting internal data
Other servers needed for the company
---- firewall ----
SQL-server hosting data for web solution
AD-server (if needed)
Web-server
FTP-server (could be on the web server also)
With this setup you don't expose company-sensitive database to the outside world and you also don't open up a port in the firewall making it possible for attackers to (maybe) get access to the internal database which has company sensitive data...
Just my suggestion based on the information provided.
I am setting up a system that runs on Azure but needs to access an on-premises SQL Server. I've built it out as detailed in this article. This calls for me opening port 1433 to the world which looks like a serious security problem. Is there any way to open that port and still have it secure (I know that I can have complex user ids and passwords and everything, but is there a better way to secure SQL Server)
The connection between your on-premises DB and Windows Azure Connect will be secure by default via the IPSEC protocol
"Windows Azure Connect uses industry-standard end-to-end IPSEC
protocol to establish secure connections between on-premise machines
and roles in the cloud. Unlike a traditional Virtual Private Network
(VPN), which establishes secure connectivity at gateway level, Windows
Azure Connect offers more granular control by establishing secure
connections at a machine and role level."
http://blogs.msdn.com/b/usisvde/archive/2012/03/14/windows-azure-security-best-practices-part-6-how-azure-services-extends-your-app-security.aspx
Your DB won't be publicly available, only VM's on the Azure Connect will be able to see it.
Your traditional firewall and on-premises security policies and procedures will still hide your DB in your Enterprise Environment, all you are doing is giving Windows Azure VM (Roles) the ability to see it.
I saw the comment discussion on #user728584's answer about opening port 1433. Port 1433 has nothing to do with Azure Connect, which is essentially a VPN tunnel between on-prem boxes and a collection of Windows Azure role instances. Azure Connect requires an agent to be installed on any on-prem server you're adding to the Connect Group and doesn't require an inbound port to be opened. In your case, you'd add the agent to your SQL Server box, which would then be part of the connect group and accessible directly from your Windows Azure Role instances (for the roles you add to the group). The Connect Agent then establishes the tunnel.
The Connect Agent has a special key baked in, generated for you, making it unique. But even if someone somehow obtained the installer for your specific Connect Agent, it wouldn't help at all, as you still need to add that node to the Connect Group. So, this is a secure setup.