SQL communication

trapan
New here

Hi,

Trying to connect to my SQL MI on Azure but I have been failing.

I am trying to rule out that the traffic is blocked by my Meraki firewall. There are no rules blocking anything outbound; there is only the default rule (any/any/any/any).

Having said that, when I try to nc -vz any port other than 80 on either the virtual IP address or the physical IP address of the firewall, they all fail. The only one that succeeds is 80.

Maybe I have got this completely wrong and you simply cannot nc -vz but traffic is allowed. How can I check or what am I possibly missing?

Any help would be much appreciated.

10 REPLIES
alemabrahao
Kind of a big deal

Have you tried the packet capture on the Meraki dashboard? Is the SQL port open on Azure?

https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
trapan
New here

Thanks for the reply. I wouldn't know what I would be looking for on packet capture, if I am being honest.

As far as I can tell I have opened 1433 on the Azure vnet. The SQL is not a VM but rather a managed instance which is in a net which is peered with the vnet with which we have a site to site connection from on premises.

This setup is detailed in the managed instance connection guide from MS, but it never addresses how, after peering, you can connect from on premises, although the diagram is showing this.

Additionally, when I did a trace route of the managed instance name, the route stopped at the Meraki firewall IP. A little bit at a loss here.

alemabrahao
Kind of a big deal

It looks like a routing problem. Can you perform a test on Azure? Are your subnets enabled on VPN?

trapan
New here

What test should I perform on Azure? I can connect to the MI through SSMS running on the Vnet that does not host the SQL MI. I have come to the same conclusion that it is a routing problem.

Also not sure what you mean by whether the subnets are enabled on VPN? There is a site to site connection between on premises and the Azure vnet that holds the DC.

alemabrahao
Kind of a big deal

Are you using a vMX on Azure? Or are you using Non-Meraki VPN peers? Or is this site to site configured with other equipment? Do you have a topology of your network or something like that?

trapan
New here

I don't know what VMX is, but we are using Meraki for our local switching and routing, and the site to site configuration is based on Meraki VPN.

The Azure infrastructure is for DC purposes, nothing more than that, but we want to deploy our DB and Web server there.

The topology of the local network is very simple: 30 odd local computers, two Meraki switches, 6 Meraki WAPs and an MX85 router/firewall.

alemabrahao
Kind of a big deal

Can you show me your VPN configuration?

trapan
New here

Screenshot 2022-09-23 at 16.01.43.png

Is this what you are after?

alemabrahao
Kind of a big deal

Great, on Azure the tunnel is UP, right? I don't have experience with Azure, but are you sure that the necessary ports are allowed on Azure?

trapan
New here

We wouldn't be able to authenticate if it was not. In any case, when I check for the site to site connection it looks up and running. I have created NSG rules for 1433 and redirection on the tunnelled Vnet.

This is why I am thinking your initial assessment of it being a routing issue is correct. The 1433 connection from SSMS does not seem to be hitting the Azure Vnet and therefore not getting forwarded to the SQL MI. This is why I was thinking that it was a Meraki firewall issue, but really not confident on this at all.

Not sure how it all connects (as in is this a DNS issue?)
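
Added example (not part of any post in this thread): a small Python probe that separates the three stages the thread keeps returning to, name resolution, the routed path, and the port itself, by testing the managed instance's hostname on 1433 instead of the firewall's own addresses, which only shows what the firewall itself listens on. The hostname in the `__main__` block is a placeholder and the stage names are this example's own.

```python
import ipaddress
import socket


def probe(host, port=1433, timeout=3.0):
    """Report which stage fails: name resolution, the path, or the port."""
    result = {"host": host, "port": port, "addr": None,
              "private": None, "stage": None}
    try:
        # Stage 1: DNS. A failure here is a resolver problem, not a firewall one.
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        result["stage"] = "dns_failure"
        return result
    addr = info[0][4][0]
    result["addr"] = addr
    # A private address is only reachable if that subnet is routed over the
    # site-to-site tunnel; a public one leaves through the normal WAN path.
    result["private"] = ipaddress.ip_address(addr).is_private
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # Stage 2 and 3: TCP handshake to the destination itself.
        sock.connect((addr, port))
        result["stage"] = "open"
    except ConnectionRefusedError:
        # An RST came back, so something answered: the packet was not
        # silently dropped or black-holed on the way.
        result["stage"] = "refused"
    except OSError:
        # Timeout or unreachable: dropped by a filter or no route to the subnet.
        result["stage"] = "no_response"
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    # Placeholder hostname (constructed); substitute the managed instance name.
    print(probe("sqlmi-placeholder.example.invalid"))
```

Run from an on-premises machine, a `no_response` result against a private address points at routing or the VPN's advertised subnets, while `dns_failure` answers the DNS question directly.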
