
We migrated an application from physical servers to Azure VMs (one web server, one database server), and it's running great for the most part.

Last night there was an outage caused when the web server went offline for some TBD reason, and when it came back up the connection string started failing... The errors were all of the network path not found variety.

I know a VM's internal IPs can change inside my affinity group, but I'm not seeing a lot of straight answers on which IP or name I should be using.

Right now my connection string looks like this:

Server=MyDatabaseServerName;Database=xxxx;User ID=xxxx;Password=xxxx;

I feel like maybe MyDatabaseServerName was resolving to the wrong IP for a while there, and that maybe I should be using my cloudapp.net name instead, like this:

Server=xxx.cloudapp.net, 1433;Database=xxxx;User ID=xxxx;Password=xxxx;

...But I'm concerned that will go all the way out to the internet and back in.

So what's the safest way to go here?

1 Answer

The best thing to do is to create a Virtual Network and move your SQL Server(s) into it.

Then configure your cloud services to also join the same Virtual Network. This way your SQL server is NOT publicly available, and port 1433 is only available inside of the Azure network and, more to the point, your Virtual Network.

Then your connection string will look something like:

server=tcp:sql1prod.myvirtualnetwork.prod;User ID=user;Password=yourpassword

In our environment we have two subnets "Front" and "Back" - the cloud services join Front and our SQL cluster is in "Back".
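The Front/Back layout described in this answer, written out as an added example in the current Resource Manager model (Bicep) rather than the classic portal steps above; this is not the answerer's own deployment. The VNet name, address ranges and API version are assumptions. The network security group on the Back subnet is what enforces the point made above: TCP 1433 is reachable from the Front subnet only, so the web tier connects by the private address (or the VM's internal DNS name) and never by the public cloudapp.net VIP.

```bicep
// Added example: two-subnet Virtual Network with SQL reachable only from the web tier.
param location string = resourceGroup().location

// NSG attached to the "Back" subnet. Custom rules take precedence over the
// built-in AllowVnetInBound rule (priority 65000), so the explicit deny below
// blocks 1433 even from other subnets in the same VNet.
resource backNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-back'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-SQL-From-Front'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.10.1.0/24'   // Front subnet (assumed range)
          sourcePortRange: '*'
          destinationAddressPrefix: '10.10.2.0/24'   // Back subnet (assumed range)
          destinationPortRange: '1433'
        }
      }
      {
        name: 'Deny-SQL-From-Anywhere-Else'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '1433'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-prod'   // assumed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'Front', properties: { addressPrefix: '10.10.1.0/24' } }
      { name: 'Back', properties: { addressPrefix: '10.10.2.0/24', networkSecurityGroup: { id: backNsg.id } } }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file vnet.bicep`, then place the web VM NIC in Front and the SQL VM NIC in Back; the connection string's Server value should then be the SQL VM's private IP or internal hostname, not a public name.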


5 Comments

Ah. I see the benefit of using a virtual network, although we get some of that by white-listing inbound connections. What name or IP would you use if you were outside of a VPN? Surely there must be a best practice for this. (Also, I knew someone would mention the port 1433 thing. That's not the actual port, just trying to help people understand what I'm talking about).
When I have needed to connect from outside I typically and temporarily create a random external port that maps to 1433 internally; ACL it down to my IP and then just connect via the IP listed under PUBLIC VIRTUAL IP (VIP) ADDRESS. server=123.123.123.123,69 Do you have a reason to not use a Virtual Network in Azure? I believe if you are not connecting externally, these are "free" in Azure.
Well, I do have reason to connect externally, but that's mostly when I'm deploying database changes, and I could very well use a VPN for that. But for internal connections, as from a web server to the database server, if there was no VPN involved, what would you use? One person told me to use the external name ([service].cloudapp.net, [port]), and Azure will route it internally. But another told me to use the server name, and obviously that's causing problems so I'm trying to get more information. :)
Sorry, I was referring to internally. Internally in Azure's network you can create a Virtual Network (this is different than a VPN) and it allows you to place your SQL VMs and Cloud Service VMs into their own network. They get IPs like 10.10.10.2 and are static and only accessible to the VN. The documentation is not clear, but in the portal just say New | Networks | Virtual Network. The VPN portion of this is separate and optional.
Just bringing this up to date... Azure SQL now allows for the PaaS service to be locked down to a virtual network... see learn.microsoft.com/en-us/azure/sql-database/…
