Can we use Service Endpoints to communicate with a SQL failover group? - azure

We use UK West as our primary region and UK South as our secondary. We have a database server in West for which we created a SQL Failover Group in order to replicate to South.
What I'm looking to know is whether an application in UK South can connect to the SQL Failover Group when the Primary is still West?
I've already tested using a bi-directional VNet Connection, but I'm getting a forbidden request when connecting from South, which leads me to believe the connection is not being used.
System.AggregateException: One or more errors occurred. (Cannot open server 'ppd-ons-comet-sql-ukwest' requested by the login. Client with IP address '51.140.146.129' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.


How can I set a configuration string in App Service when using Geo-Replication in Azure?

I have a SQL Database in Azure that I have geo-replicated. I am simulating a failover by using the "force failover" in Azure.
One question: since the app service that connected to the primary has a connection that relies on the SQL server that lives in North Central US, like the following:
"Server=mynthcentralusserver.database.windows.net ....
When I create my secondary SQL database backup it requires a server. I don't want to put the server in the same region as the primary (North Central US), as that region is the one I am simulating as down, so if I create a SQL server in South Central US, the connection string will obviously change to something like:
"Server=mysthcentralusserver.database.windows.net .... just the server part.
So does that mean I need to manually go and change the app service configuration settings?
Also, if the primary location North Central US is back up and I want to move back there, do I need to go back and change the connection string again to point to the server in North Central US?
Update:
My Spring app connects to the Failover Group. I did a failover manually. In the console output, we can see that the client IP needs to be added to the firewall to access. After that, our app can access the new server.
Cannot open server 'josephserver3' requested by the login. Client with IP address 'xxx.xxx.xxx.xxx' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range.
After you create a failover group for the primary SQL server, the primary DB will automatically be replicated. Then we should connect to the failover group name. We can see the primary and secondary switch, and the app service will automatically be changed to point to the new primary SQL server. When we create a new SQL server it doesn't allow us to put it in the same location.
If your connection string is as follows:
Primary Server: mynthcentralusserver.database.windows.net
Secondary Server: mysthcentralusserver.database.windows.net
Failover Group Read/write listener endpoint: failover-group.database.windows.net
As Bruno L. said, your app service should connect to failover-group.database.windows.net. So you don't need to manually go and change the app service configuration settings.
You can find it in the location shown in the following picture.
If you are using the Failover Groups setting, in combination with Geo-Replication, you would use the "Read/write listener endpoint" (groupname.database.windows.net). This automatically selects the "active/primary" server in the group.
Follow through with your setup (secondary server in another Region), add the replication, then create the Failover Group, and you should see it there.
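The answers above all come down to one configuration check: the app's connection string must name the failover group listener, not a regional server. The following is an added example (not code from any post here) that parses an ADO.NET-style connection string, reports whether it targets the listener, and repoints it. The connection strings and the group name `failover-group` are taken from the question and answer above; the parsing helpers are assumptions of this example.

```python
# Added example: audit and repoint an ADO.NET-style Azure SQL connection
# string so that it uses the failover group listener rather than a
# region-pinned server. Not part of the original question or answers.

SQL_SUFFIX = ".database.windows.net"


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for segment in conn_str.split(";"):
        if "=" not in segment:
            continue  # skip empty trailing segment
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def server_host(conn_str: str) -> str:
    """Return the bare host from Server=tcp:host,1433 (or Data Source=...)."""
    parts = parse_connection_string(conn_str)
    server = parts.get("server") or parts.get("data source") or ""
    if server.lower().startswith("tcp:"):
        server = server[4:]
    host, _, _port = server.partition(",")
    return host.lower()


def uses_failover_listener(conn_str: str, group_name: str) -> bool:
    """True when the app points at the group's read/write listener."""
    return server_host(conn_str) == f"{group_name}{SQL_SUFFIX}".lower()


def repoint_to_listener(conn_str: str, group_name: str) -> str:
    """Rewrite only the Server/Data Source segment; keep everything else."""
    listener = f"tcp:{group_name}{SQL_SUFFIX},1433"
    out = []
    for segment in conn_str.split(";"):
        key, _, _value = segment.partition("=")
        if key.strip().lower() in ("server", "data source"):
            out.append(f"{key.strip()}={listener}")
        else:
            out.append(segment)
    return ";".join(out)


# Constructed sample: the primary server name from the question.
PRIMARY = (
    "Server=tcp:mynthcentralusserver.database.windows.net,1433;"
    "Initial Catalog=appdb;Encrypt=True;"
)

if __name__ == "__main__":
    print("listener in use:", uses_failover_listener(PRIMARY, "failover-group"))
    print(repoint_to_listener(PRIMARY, "failover-group"))
```

After the rewrite, a forced failover changes nothing in app configuration: the listener name stays constant while Azure moves the primary role between the two regional servers. The firewall rules on both servers still have to admit the app's egress address, which the "Update" in the question ran into.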

Import database bacpac firewall issue

We have a SQL server firewall set up with no IP access and the "Allow Azure Services" flag also set to off.
I understand this means no Azure services and no external clients will be able to access the SQL server and database.
However, when I try the Import Database option on the SQL server, with the bacpac stored in Azure storage, we get a strange error about an IP that needs to be given access in the SQL server firewall. The error reads:
Client with IP address 65.52.129.125 is not allowed to access the server.
While our Azure infra is in West Europe, there is no mention of what this IP belongs to and what its purpose is.
The same error of course also occurs with the infrastructure-as-code approach and CI/CD pipelines, and I think adding an IP without any information is risky.
Has anyone faced this before? Or, if anyone knows, what is Azure database import using underneath for which this IP needs access, and will it always be the same?
65.52.129.0 - 65.52.129.255 is an IP address range owned by Microsoft Corporation and located in Netherlands.
Please read the following explanation about why you should enable Azure Services access on the firewall at least while doing export/import operations. When you finish import/export operations, then disable Azure Services access.
"The IP address space used for outbound connections from the Import/Export Service infrastructure to the target logical server is not documented, and is subject to change at any time. Therefore, given that connections to the target Azure SQL Database server are gated by server firewall, the only fully reliable way to ensure that the Import/Export service will be able to connect is to enable the firewall rule that allows access from all Azure services (or, equivalently, from the 0.0.0.0 IP address). Obviously, opening the firewall to a large IP address space is a network security risk. Security conscious organizations will want to mitigate this risk by disabling this firewall rule as soon as the import operation completes successfully..."
Source is here.

connect to azure sql server through datacenter ip address

I am trying to connect to an Azure SQL server (xxxx.database.windows.net) through a datacenter IP address. I changed the connection policy to proxy, but now I don't know how to connect to the SQL server instance.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-connectivity-architecture
You may have to add the datacenter IP range as a rule on the Azure SQL Database firewall rule. Please download and read this document to know the current IP range of the datacenter where your database resides.
Alternatively you can also set "Allow Access to Azure Services" to On (see image below), although this option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers.
In addition to configuring the firewall, for security reasons make sure your login and user permissions limit access to only authorized users.
This guide may provide you additional valuable information to connect to your Azure SQL databases.

Data Lake North Europe IP Range

I try to access my Azure SQL Database via U-SQL but I got the following error:
Internal error! Cannot open server 'testusql' requested by the login. Client with IP address '104.44.91.xx' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
I found an article about IP range in US (here), but not in Europe. Where can I find information about the range for North Europe?
I configured the Azure SQL Server firewall to allow access to Azure Services, but it does not work (maybe due to the different regions).
Thank you very much.
Peter
My apologies, but I am currently on vacation, so I have not had time to update the IP ranges yet. It should be 104.44.91.64/27 for EU North.

Azure Cloud Service + SQL Azure and firewall configuration

I've a single Web Role Cloud Service instance running in South East Asia, with a SQL Azure Database running in the same region. I am hitting a firewall issue and the connection is blocked unless I add the Cloud Service's public virtual IP to the SQL server firewall.
From everything I've read, if the two systems are in the same region, and 'Allowed Windows Azure Services' is enabled (which adds 0.0.0.0 to the firewall), then the two should be able to communicate internally?
I have some concerns about things being routed inappropriately (is data going outside the network / am I being charged for it), and having to reconfigure the firewall should the VIP change.
Is there some other address I am supposed to access the SQL azure instance by (currently hitting blah.database.windows.net)?
Your understanding is correct. If I were you I would open a support ticket with Microsoft; I have heard of this issue before, although I never experienced it myself. This sounds like an issue, so report it and watch your next invoice carefully.
Firstly,
Allowed Windows Azure Services - will allow only Azure services to access the database.
Secondly,
To be able to access the database server from any other endpoint, you need to add firewall rules to allow those specific IP ranges. If you want to connect from a machine with IP 132.99.xx.xx, you need to add a rule with start IP and end IP as 132.99.xx.xx.
Hope this helps!
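Several of the threads above turn on the same two facts: the server-level firewall admits a client only if some rule's start/end range contains its address, and the "Allow Azure services" toggle is the special 0.0.0.0 rule that admits any Azure-hosted source, including other customers' subscriptions. The following added example (not code from any poster or from Microsoft) audits a rule set in the shape returned by `az sql server firewall-rule list` (`name`, `startIpAddress`, `endIpAddress`), pulls the blocked address out of the error text quoted on this page, checks whether any rule covers it, and builds a narrow rule from a documented CIDR such as the 104.44.91.64/27 range given in the Data Lake answer. The rule list is constructed for the example; the rule name `AllowAllWindowsAzureIps` is the one the portal assigns to that toggle.

```python
# Added example: audit Azure SQL server-level firewall rules. Not part of any
# post on this page. Rule dicts use the key names of
# `az sql server firewall-rule list`; the sample rules are constructed.
import ipaddress
import re

# Constructed sample rule set: the portal's "Allow Azure services" toggle
# (0.0.0.0-0.0.0.0, named AllowAllWindowsAzureIps), a single office host,
# and an over-broad /16 someone added to make an error go away.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps",
     "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress",
     "startIpAddress": "132.99.10.20", "endIpAddress": "132.99.10.20"},
    {"name": "too-broad",
     "startIpAddress": "51.140.0.0", "endIpAddress": "51.140.255.255"},
]

# Error text as quoted in the first question on this page.
ERROR_TEXT = ("Cannot open server 'ppd-ons-comet-sql-ukwest' requested by the "
              "login. Client with IP address '51.140.146.129' is not allowed "
              "to access the server.")


def _to_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def blocked_ip_from_error(message: str):
    """Extract the client address from the standard firewall rejection text."""
    match = re.search(r"Client with IP address '?([0-9.]+)'?", message)
    return match.group(1) if match else None


def is_allow_azure_services(rule: dict) -> bool:
    """0.0.0.0-0.0.0.0 is the marker rule behind 'Allow Azure services'."""
    return rule["startIpAddress"] == "0.0.0.0" and rule["endIpAddress"] == "0.0.0.0"


def rule_host_count(rule: dict) -> int:
    return _to_int(rule["endIpAddress"]) - _to_int(rule["startIpAddress"]) + 1


def client_allowed(rules: list, client_ip: str) -> bool:
    """Would a non-Azure client at client_ip pass the server firewall?
    The marker rule is skipped: it admits Azure sources, not this address."""
    ip = _to_int(client_ip)
    return any(
        _to_int(r["startIpAddress"]) <= ip <= _to_int(r["endIpAddress"])
        for r in rules if not is_allow_azure_services(r)
    )


def rule_for_cidr(name: str, cidr: str) -> dict:
    """Turn a documented CIDR into a start/end rule; strict=True rejects a
    prefix with host bits set so a typo cannot silently widen the range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {"name": name,
            "startIpAddress": str(net.network_address),
            "endIpAddress": str(net.broadcast_address)}


def audit(rules: list, max_hosts: int = 256) -> list:
    """Findings a reviewer would raise: the all-Azure marker and wide ranges."""
    findings = []
    for r in rules:
        if is_allow_azure_services(r):
            findings.append(f"{r['name']}: admits all Azure-hosted sources "
                            "(0.0.0.0 rule); disable when not needed")
        elif rule_host_count(r) > max_hosts:
            findings.append(f"{r['name']}: range of {rule_host_count(r)} "
                            f"addresses exceeds {max_hosts}")
    return findings


if __name__ == "__main__":
    ip = blocked_ip_from_error(ERROR_TEXT)
    print("blocked client:", ip, "covered:", client_allowed(SAMPLE_RULES, ip))
    for finding in audit(SAMPLE_RULES):
        print("finding:", finding)
    print(rule_for_cidr("datalake-eu-north", "104.44.91.64/27"))
```

The `audit` threshold is deliberately low: a /24 is usually enough for a documented service range, and anything wider deserves the question the bacpac import thread raises, namely what the range belongs to and whether the rule can be removed once the job completes.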
