Lesson Learned #67: Azure SQL Database – SSH, VNET and Firewall


Today I worked on a service request in which our customer was trying to connect through SSH to port 1433 from a Linux environment, using a JumpBox in Azure to perform the connection.

In this situation, we need to know that in Azure the Gateway that Azure SQL Database uses to validate the connection behaves differently depending on where the connection comes from, based on the source IP.

  • If the source IP is located outside Azure: the whole connection is established against the Gateway using port 1433.
  • If the source IP is located inside Azure:
    • The first connection is made to the Gateway using port 1433.
    • The Gateway validates the connection and provides the client with another Database Server IP and another port (11000-14000) to connect to. This process is called redirection.

In this scenario, using SSH and changing the external IP to a private IP/VNET range, our customer was not able to connect, because our Gateway understands that the connection is established from inside Azure and performs the redirection.

  • The Gateway receives the connection on port 1433.
  • The Gateway replies with the redirection policy.
  • As the connection has been established using only port 1433, when the client application tries to connect to the Database Server IP and port it was given, that connection is not possible and the client is not able to connect.
  • To change the behaviour from redirect or default to proxy (use only port 1433), please follow the steps mentioned in this URL.
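The port requirements described above can be checked against the ports a given path actually carries. The following Python is an added example, not code from the original post; the function names and the sample tunnel are assumptions, and the port numbers are the ones quoted above.

```python
# Added example: port numbers come from the post, everything else is constructed.
GATEWAY_PORT = 1433
REDIRECT_RANGE = (11000, 14000)  # redirection port range quoted in the post


def required_ports(policy, source_in_azure):
    """Inclusive destination port ranges the client path must carry."""
    policy = policy.lower()
    if policy not in ("default", "redirect", "proxy"):
        raise ValueError(f"unknown connection policy: {policy}")
    needed = [(GATEWAY_PORT, GATEWAY_PORT)]
    # Default redirects only when the Gateway sees an Azure source IP;
    # an explicit redirect policy always redirects; proxy never does.
    if policy == "redirect" or (policy == "default" and source_in_azure):
        needed.append(REDIRECT_RANGE)
    return needed


def uncovered(needed, allowed):
    """Parts of the needed ranges that no allowed range covers."""
    gaps = []
    for low, high in needed:
        cursor = low
        for a_low, a_high in sorted(allowed):
            if a_high < cursor:
                continue  # allowed range ends before the part still needed
            if a_low > high:
                break     # allowed range starts after the needed range
            if a_low > cursor:
                gaps.append((cursor, a_low - 1))
            cursor = a_high + 1
            if cursor > high:
                break
        if cursor <= high:
            gaps.append((cursor, high))
    return gaps


def blocked_ports(policy, source_in_azure, allowed):
    """Port ranges the connection needs but the path does not carry."""
    return uncovered(required_ports(policy, source_in_azure), allowed)


if __name__ == "__main__":
    tunnel = [(1433, 1433)]  # constructed: SSH tunnel forwarding 1433 only
    print(blocked_ports("default", True, tunnel))   # redirect range is missing
    print(blocked_ports("proxy", True, tunnel))     # nothing missing
    print(blocked_ports("default", False, tunnel))  # nothing missing
```

The same `allowed` list can hold the outbound port ranges of a firewall or NSG rule set to confirm that the redirection range is open before relying on the redirect behaviour.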

On our YouTube channel you can find more information about it.

