
In my Azure environment I have a private SQL Server. To access the SQL Server and its databases I use a private endpoint. When I connect to SQL from a VM in the same Virtual Network I have no problem. I have AKS in the same Virtual Network; when I try to connect to the database from a pod, Kubernetes DNS doesn't resolve the SQL Server FQDN correctly. The DNS name resolves to an external IP, but the private SQL Server doesn't have external access.

This is an example of how the SQL Server resolves from the VM:

nslookup *****************.database.windows.net
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
*****************.database.windows.net  canonical name = *****************.privatelink.database.windows.net.
Name:   *****************.privatelink.database.windows.net
Address: 172.0.8.4

This is the correct address of the Private Endpoint.

And this is how it resolves from a pod in the AKS cluster:

kubectl exec -it dnsutils -- nslookup *****************.database.windows.net

Server:     10.0.0.10
Address:    10.0.0.10#53

Non-authoritative answer:
*****************.database.windows.net  canonical name = *****************.privatelink.database.windows.net.
*****************.privatelink.database.windows.net  canonical name = dataslice6.******.database.windows.net.
dataslice6.******.database.windows.net  canonical name = dataslice6*******.trafficmanager.net.
dataslice6*******.trafficmanager.net    canonical name = cr5.******-a.control.database.windows.net.
Name:   cr5.*******-a.control.database.windows.net
Address: 40.78.225.32

How can I set up connections from AKS pods to the SQL Private Endpoint?

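A check for the symptom in the question, added here as an example and not code from the original post: a small Python parser that reads nslookup output of the shape shown above and classifies it. If the answer is the private endpoint address, the resolver used the VNet-linked private DNS zone. If the privatelink name is itself CNAMEd onward (into trafficmanager and a public address, as in the pod output), the resolver answered from the public privatelink zone and never consulted the private zone. The host name sqlserver01, the "example" labels standing in for the masked parts of the outputs, and the private endpoint subnet 172.0.8.0/24 are constructed assumptions.

```python
"""Classify an nslookup answer for an Azure SQL FQDN.

Added example, not code from the original post. Host name sqlserver01, the
'example' labels standing in for the masked parts of the outputs, and the
private endpoint subnet 172.0.8.0/24 are constructed assumptions.
"""
import ipaddress
import re

SERVER_RE = re.compile(r"^Server:\s+(\S+)$")
ADDR_RE = re.compile(r"^Address:\s+(\S+)$")
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")

# Constructed sample: shape of the VM answer in the question.
VM_OUTPUT = """\
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
sqlserver01.database.windows.net  canonical name = sqlserver01.privatelink.database.windows.net.
Name:   sqlserver01.privatelink.database.windows.net
Address: 172.0.8.4
"""

# Constructed sample: shape of the pod answer in the question.
POD_OUTPUT = """\
Server:     10.0.0.10
Address:    10.0.0.10#53

Non-authoritative answer:
sqlserver01.database.windows.net  canonical name = sqlserver01.privatelink.database.windows.net.
sqlserver01.privatelink.database.windows.net  canonical name = dataslice6.example.database.windows.net.
dataslice6.example.database.windows.net  canonical name = dataslice6example.trafficmanager.net.
dataslice6example.trafficmanager.net    canonical name = cr5.example-a.control.database.windows.net.
Name:   cr5.example-a.control.database.windows.net
Address: 40.78.225.32
"""


def parse_nslookup(text):
    """Return (resolver, cname_chain, answer_address).

    nslookup prints the resolver's own address as the first 'Address:' line,
    so the answer address is the last 'Address:' line after that one.
    """
    resolver, chain, addresses = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            resolver = m.group(1)
            continue
        m = CNAME_RE.match(line)
        if m:
            chain.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses.append(m.group(1).split("#")[0])
    answers = addresses[1:]  # drop the resolver's own address
    return resolver, chain, (answers[-1] if answers else None)


def diagnose(text, pe_subnet):
    """Classify the answer against the subnet holding the private endpoint NIC.

    'private-endpoint'   the answer is inside pe_subnet
    'public-fallthrough' the privatelink name was CNAMEd onward, i.e. this
                         resolver answered from the public privatelink zone and
                         the VNet-linked private DNS zone was not consulted
    'public'             no privatelink hop, or the chain ends at an address
                         outside pe_subnet without going past privatelink
    'no-answer'          nothing resolved
    """
    resolver, chain, addr = parse_nslookup(text)
    result = {"resolver": resolver, "address": addr, "hops": len(chain)}
    if addr is None:
        result["verdict"] = "no-answer"
        return result
    privatelink_hop = next(
        (i for i, (_, target) in enumerate(chain) if ".privatelink." in target), None
    )
    if ipaddress.ip_address(addr) in ipaddress.ip_network(pe_subnet):
        result["verdict"] = "private-endpoint"
    elif privatelink_hop is not None and privatelink_hop < len(chain) - 1:
        result["verdict"] = "public-fallthrough"
    else:
        result["verdict"] = "public"
    return result


if __name__ == "__main__":
    for label, output in (("vm", VM_OUTPUT), ("pod", POD_OUTPUT)):
        print(label, diagnose(output, "172.0.8.0/24"))
```

Run the same comparison from a node (or a hostNetwork pod) and from a regular pod; a "public-fallthrough" verdict from the pod only tells you that whatever CoreDNS forwards to for this name is not the resolver that has the private DNS zone linked to it.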

Answers


  1. Create a firewall rule on the Azure DB Server with the range of IP addresses of the AKS cluster nodes.

    Create a VNet rule on the Azure DB Server that allows access from the subnet of the AKS nodes. This uses the Microsoft.Sql VNet Service Endpoint enabled on the cluster subnet.

    If the Azure SQL Database is restricted to private access only, we can use cross-region private endpoints via Azure Private Link for the Azure SQL database, or an in-region private endpoint with Azure global VNet peering.

    To connect AKS with the SQL Private Endpoint, we will use VNet peering with Azure SQL Database Private Link.

    For more detail, please refer to the links below:

    https://learn.microsoft.com/en-us/azure/aks/command-invoke

    https://arsenvlad.medium.com/aks-workload-accessing-azure-sql-database-in-another-region-cb6fb30545e4

    https://argonsys.com/microsoft-cloud/library/private-aks-and-acr-using-private-endpoint-part-1-2/

    https://blog.crossplane.io/azure-secure-connectivity-for-aks-azure-db/

  2. I guess your SQL server's private IP falls within the Docker bridge CIDR range, which is found in the Networking menu of your AKS cluster. If it falls in that range, Docker won't allow the request to leave the Docker network.

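The overlap the answer above suspects can be checked rather than guessed. The following is an added example, not code from that answer: it tests a private endpoint address against the cluster's internal ranges (service CIDR, pod CIDR, Docker bridge CIDR, node subnet) and also confirms those ranges are disjoint from each other. The range values are assumed placeholders (the service CIDR 10.0.0.0/16 matches the CoreDNS address 10.0.0.10 seen in the question); read the real ones from the cluster's Networking blade before trusting a result.

```python
"""Check a private endpoint address against the AKS cluster's internal ranges.

Added example, not code from the answer above. The cluster ranges below are
assumed values (the service CIDR 10.0.0.0/16 matches the CoreDNS address
10.0.0.10 seen in the question; pod CIDR, Docker bridge CIDR and node subnet are
placeholders): read the real ones from the cluster's Networking blade.
"""
import ipaddress

CLUSTER_RANGES = {
    "service_cidr": "10.0.0.0/16",
    "pod_cidr": "10.244.0.0/16",
    "docker_bridge": "172.17.0.1/16",  # given as address/prefix, hence strict=False below
    "node_subnet": "10.240.0.0/16",
}


def containing_ranges(address, ranges=CLUSTER_RANGES):
    """Names of the cluster ranges that contain `address`.

    A non-empty result for the private endpoint IP means traffic to it is
    treated as cluster-internal and never leaves the node via the VNet.
    """
    ip = ipaddress.ip_address(address)
    return [name for name, cidr in ranges.items()
            if ip in ipaddress.ip_network(cidr, strict=False)]


def overlapping_pairs(ranges=CLUSTER_RANGES):
    """Pairs of named ranges that overlap each other (all must be disjoint)."""
    nets = [(n, ipaddress.ip_network(c, strict=False)) for n, c in ranges.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def check_private_endpoint(address, ranges=CLUSTER_RANGES):
    """Return (ok, findings) for a private endpoint IP; ok is True when clean."""
    findings = [f"{address} lies inside {n} ({ranges[n]})"
                for n in containing_ranges(address, ranges)]
    findings += [f"{a} overlaps {b}" for a, b in overlapping_pairs(ranges)]
    return (not findings), findings


if __name__ == "__main__":
    # 172.0.8.4 is the private endpoint address from the question; the other two
    # are constructed addresses that do collide with the assumed ranges.
    for ip in ("172.0.8.4", "172.17.5.4", "10.0.0.25"):
        print(ip, check_private_endpoint(ip))
```

With the assumed ranges, 172.0.8.4 is clean: 172.0.0.0/8 is not inside 172.17.0.0/16 (nor is it RFC 1918 space, which is a separate question for the VNet design). A hit on `service_cidr` is the variant worth remembering: a private endpoint placed inside the service CIDR is captured by kube-proxy rules on the node, not by Docker.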