In my Azure environment I have a private SQL Server. To access the SQL Server and its databases I use a private endpoint. When I connect to SQL from a VM in the same Virtual Network I have no problem. I have AKS in the same Virtual Network; when I try to connect to the database from a pod, Kubernetes DNS doesn't resolve the SQL Server FQDN correctly. The DNS name resolves to an external IP, but the private SQL Server doesn't have external access.
This is an example of how the SQL Server name resolves from the VM:
nslookup *****************.database.windows.net
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*****************.database.windows.net canonical name = *****************.privatelink.database.windows.net.
Name: *****************.privatelink.database.windows.net
Address: 172.0.8.4
This is the correct address of the Private Endpoint.
And this is how it resolves from a pod in the AKS cluster:
kubectl exec -it dnsutils -- nslookup *****************.database.windows.net
Server: 10.0.0.10
Address: 10.0.0.10#53
Non-authoritative answer:
*****************.database.windows.net canonical name = *****************.privatelink.database.windows.net.
*****************.privatelink.database.windows.net canonical name = dataslice6.******.database.windows.net.
dataslice6.******.database.windows.net canonical name = dataslice6*******.trafficmanager.net.
dataslice6*******.trafficmanager.net canonical name = cr5.******-a.control.database.windows.net.
Name: cr5.*******-a.control.database.windows.net
Address: 40.78.225.32
How can I set up connections from AKS pods to the SQL Private Endpoint?
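A small check, added here and not part of the question or either answer, that tells the two resolution paths in the outputs above apart from raw nslookup text: through the private DNS zone the *.privatelink.database.windows.net name is answered with an A record directly, while a leak to public resolution shows that same name being CNAMEd on to trafficmanager.net and control.database.windows.net. The server name "myserver", the two sample outputs and the default pod name in check_from_pod are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Classify an nslookup answer for an
# Azure SQL Private Link name: answered from the private DNS zone (A record
# directly under *.privatelink.database.windows.net) or leaked to public
# resolution (that name CNAMEd onward to the dataslice/trafficmanager chain).

# Prints "private", "public-leak" or "unknown" for nslookup output given as $1.
classify_lookup() {
  out=$1
  if printf '%s\n' "$out" | grep -Eq '^[^[:space:]]+\.privatelink\.database\.windows\.net[[:space:]]+canonical name'; then
    echo public-leak
  elif printf '%s\n' "$out" | grep -Eq '^Name:[[:space:]]+[^[:space:]]+\.privatelink\.database\.windows\.net'; then
    echo private
  else
    echo unknown
  fi
}

# Prints the final A record in nslookup output (the last "Address:" line;
# the first one is the resolver itself, e.g. 10.0.0.10#53).
final_address() {
  printf '%s\n' "$1" | grep -E '^Address:' | tail -n 1 | awk '{print $2}'
}

# Live check from inside a pod; pod name defaults to "dnsutils" as in the question (assumed).
check_from_pod() {
  classify_lookup "$(kubectl exec "${2:-dnsutils}" -- nslookup "$1" 2>/dev/null)"
}

# Constructed samples reproducing the shape of the two outputs in the question,
# with the redacted server name replaced by the placeholder "myserver".
VM_OUTPUT='Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
myserver.database.windows.net canonical name = myserver.privatelink.database.windows.net.
Name: myserver.privatelink.database.windows.net
Address: 172.0.8.4'

POD_OUTPUT='Server: 10.0.0.10
Address: 10.0.0.10#53
Non-authoritative answer:
myserver.database.windows.net canonical name = myserver.privatelink.database.windows.net.
myserver.privatelink.database.windows.net canonical name = dataslice6.example.database.windows.net.
dataslice6.example.database.windows.net canonical name = dataslice6-example.trafficmanager.net.
dataslice6-example.trafficmanager.net canonical name = cr5.example-a.control.database.windows.net.
Name: cr5.example-a.control.database.windows.net
Address: 40.78.225.32'

echo "vm:  $(classify_lookup "$VM_OUTPUT") $(final_address "$VM_OUTPUT")"
echo "pod: $(classify_lookup "$POD_OUTPUT") $(final_address "$POD_OUTPUT")"
```

Run `check_from_pod myserver.database.windows.net` against a live cluster; "public-leak" means the pod's resolver never consulted the private DNS zone for the privatelink name.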
2 Answers
Create a firewall rule on the Azure DB Server with a range of IP addresses of the AKS Cluster nodes.
Create a VNet Rule on the Azure DB Server that allows access from the subnet to the AKS nodes. This uses the Microsoft.Sql VNet Service Endpoint enabled on the cluster subnet. If Azure SQL Database is restricted to allow only private access, we can use cross-region private endpoints via Azure Private Link for the Azure SQL database, or an in-region private endpoint with Azure Global VNet peering.
To connect to AKS from the SQL Private Endpoint, we will use VNet Peering with Azure SQL Database Private Link.
For more detail, please refer to the links below:
https://learn.microsoft.com/en-us/azure/aks/command-invoke
https://arsenvlad.medium.com/aks-workload-accessing-azure-sql-database-in-another-region-cb6fb30545e4
https://argonsys.com/microsoft-cloud/library/private-aks-and-acr-using-private-endpoint-part-1-2/
https://blog.crossplane.io/azure-secure-connectivity-for-aks-azure-db/
I guess your SQL server's private IP falls in the docker bridge's CIDR range, which is found in the Networking menu of your AKS cluster. If it falls in that range, then docker won't allow the request to go out of the docker network.