We are experiencing technical difficulties after attempting to remove the 0.0.0.0/0 route in our Pritunl VPN, which has impacted communication with some essential services. One of the critical issues we’ve identified is related to the connection with our database hosted on Azure, which is configured with a public DNS only. This has become a stumbling block when we try to remove the 0.0.0.0/0 route and add either the Azure database IP range or individual IPs, as the database does not support direct connection via private IP.
Is there a way to enable connectivity to the Azure SQL database, currently accessed through a DNS with the domain “.database.windows.net”, while removing the 0.0.0.0/0 route from Pritunl?
Hi Zach,
Actually, what we need is to configure appropriate routes in Pritunl to reach our Azure SQL Databases. These Azure SQL databases have some public domains (reaching public dynamic IPs), such as: mydatabase.database.windows.net
We currently have a route 0.0.0.0/0 configured on Pritunl, which means that every request our clients make will be routed through Pritunl, which we don’t want, because we pay much more for data transfer on AWS for it (where the Pritunl server is hosted).
What we want is to forward requests to Azure IPs, by creating specific routes within Pritunl, in order to be able to remove this 0.0.0.0/0.
We already tried to set known Azure Public IPs, such as this list: Azure Speed Test
But it didn’t work, the traffic isn’t routed to Pritunl, although the DNS lookup for mydatabase.database.windows.net indeed resolves to some IP range in this list.
This test has already been performed, and the IPs have been added directly to Pritunl, yet it still does not work. Is there another solution for this issue?
Hi @zach. Azure has a set of known IPs. The SQL Server/database we want to reach is in the Brazil South region. We have a firewall rule in this database to allow connections from the Pritunl Server IP, hosted in an AWS account.
Currently we have a 0.0.0.0/0 route configured in the Pritunl Server. It means that once connected, clients will route all traffic through Pritunl. With this, users are able to establish the connection to the Azure SQL database. However, the side effect is that literally all traffic is redirected through Pritunl.
If 0.0.0.0/0 works and the routes don’t, you have either not added the complete range of utilized addresses or the NAT option is disabled on the routes. For a public IP the NAT option must be enabled.
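As an added example (not part of this thread), the check the answer above implies: take the Sql.&lt;Region&gt; prefixes from an Azure service-tags file, generate one NAT-enabled route per prefix, and report any address the database hostname resolved to that the routes do not cover. The JSON sample, the resolved addresses and the route dictionary layout are constructed for illustration, not Pritunl's API schema or Azure's real ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's "Azure IP Ranges and Service
# Tags" JSON (the real file carries a Sql.<Region> entry per region); the
# prefixes below are RFC 5737 documentation ranges, not Azure's real addresses.
SERVICE_TAGS_JSON = """
{"values": [
  {"name": "Sql.BrazilSouth",
   "properties": {"addressPrefixes": ["192.0.2.0/25", "198.51.100.0/24"]}},
  {"name": "Sql.EastUS",
   "properties": {"addressPrefixes": ["203.0.113.0/24"]}}
]}
"""

# Constructed stand-in for what mydatabase.database.windows.net resolved to;
# a real check would take these from socket.getaddrinfo() on the hostname.
RESOLVED_IPS = ["192.0.2.10", "198.51.100.77", "203.0.113.5"]


def prefixes_for_tag(service_tags_json, tag):
    """IPv4 prefixes listed under one service tag, e.g. Sql.BrazilSouth."""
    data = json.loads(service_tags_json)
    nets = []
    for entry in data["values"]:
        if entry["name"] != tag:
            continue
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if net.version == 4:
                nets.append(net)
    return nets

def pritunl_routes(nets):
    """One route per prefix. NAT is on because these are public addresses: the
    client must leave the VPN with the server's IP, the one the SQL firewall allows."""
    return [{"network": str(net), "nat": True} for net in nets]

def uncovered(resolved_ips, nets):
    """Resolved addresses no configured route covers. Anything returned here
    explains 'works with 0.0.0.0/0, fails with specific routes'."""
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

if __name__ == "__main__":
    nets = prefixes_for_tag(SERVICE_TAGS_JSON, "Sql.BrazilSouth")
    for route in pritunl_routes(nets):
        print("add route", route)
    print("not covered by routes:", uncovered(RESOLVED_IPS, nets))
```

Any address reported as uncovered is one the client will only reach while 0.0.0.0/0 is present; add its range (with NAT enabled) before removing the default route.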