Resource groups are not a consideration for this scenario. They are used to group related resources together, but do not themselves limit what the resources do.
Your choice of networking topology however is critical. You are seeing a bit of that when you discuss using the load balancer, as the load balancer can provide SNAT to the machines behind it to share a public IP address. That IP address can then be put into the network security group to allow "Internet" access. "Internet" with the quotes as this is still within the Microsoft network, but traveling over routes that you would think of as "outside" your network.
Which brings me to my first thought on an answer... design your network appropriately to fit the security model you want.
Specifically this sounds like a case where the VMSS and the VM do not need a network security boundary between them. The default template deploys a VMSS into a new network, but this is not required. If your network security model allows it, just deploy the VMSS into the existing vnet for the VM, or vice versa place the VM into the VMSS vnet.
Remove the creation of a new vnet for the VMSS, and replace it with a reference to the existing vnet.
Reference an existing virtual network in an Azure scale set template
You will still need to set the network security group appropriately to allow the traffic, but since it will be between machines on the same vnet this is easy (and default).
Alternatively, you can achieve a very similar result with vnet peering. Peering allows compatible vnets to route traffic with each other. Compatible generally just means you must have non-overlapping IP address ranges on each vnet. Peering also allows traffic to flow across subscriptions or regions if you need to set up a wider network spanning cities/countries/continents. There is a management advantage to peering, as you can separate the resources / billing / security; however, from a networking perspective there is little functional difference between a single vnet as described above versus peered vnets within the same region.
Virtual network peering
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
If your network security model does require more extensive separation of the VMSS and the VM, there are many solutions that can be built with Azure building blocks. The easiest is that VMs will use the public IP of the load balancer they are attached to for SNAT. Or, if a load balancer is not present, an Azure NAT Gateway can be deployed for the same purpose (and is preferred over the load balancer if both are present). This gives you control of the Azure VMSS outbound Internet public IP, which you can then use for securing the network security group on the VM. The networks remain separate, and either form of NAT allows you to treat them as having less trust with each other.
Use Source Network Address Translation (SNAT) for outbound connections
Certain scenarios require virtual machines or compute instances to have outbound connectivity to the internet. The frontend IPs of a public load balancer can be used to provide outbound connectivity to the internet for backend instances. This configuration uses source network address translation (SNAT) to translate the virtual machine's private IP into the load balancer's public IP address. SNAT maps the IP address of the backend to the public IP address of your load balancer. SNAT prevents outside sources from having a direct address to the backend instances.
What is Azure NAT Gateway?
Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. You can use Azure NAT Gateway to let all instances in a private subnet connect outbound to the internet while remaining fully private. Unsolicited inbound connections from the internet aren't permitted through a NAT gateway. Only packets arriving as response packets to an outbound connection can pass through a NAT gateway.
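The "separate networks, NAT the VMSS egress, then pin the VM's NSG to that one address" pattern described above, written out as a Bicep template. This is an added example and not code from the answer or from Microsoft's documentation; every resource name, address prefix and port is hypothetical, and it assumes the VMSS vnet and the VM vnet already exist in the resource group being deployed to. The VMSS vnet is referenced with `existing` (the same idea as the "reference an existing virtual network" link above) rather than created.

```bicep
// Added example (not from the original answer). All names and prefixes are hypothetical.
param location string = resourceGroup().location
param vmssVnetName string = 'vmss-vnet'        // assumed: vnet the scale set already lives in
param vmssSubnetName string = 'vmss-subnet'    // assumed: the scale set's subnet
param vmssSubnetPrefix string = '10.0.0.0/24'  // assumed: that subnet's current address prefix
param vmVnetName string = 'vm-vnet'            // assumed: separate vnet holding the single VM
param vmSubnetName string = 'vm-subnet'
param vmSubnetPrefix string = '10.1.0.0/24'    // assumed: the VM subnet's current address prefix
param servicePort int = 443                    // constructed: port the VM exposes to the scale set

// Reference the existing scale-set vnet instead of creating a new one.
resource vmssVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vmssVnetName
}

resource vmVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vmVnetName
}

// Static Standard-SKU public IP: the single address every VMSS instance will egress from.
resource natPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'vmss-nat-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// NAT gateway: outbound-only, unsolicited inbound is never forwarded to the instances.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'vmss-natgw'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpAddresses: [ { id: natPip.id } ]
    idleTimeoutInMinutes: 4
  }
}

// Attach the NAT gateway to the scale set's subnet. Caveat: a child subnet resource
// replaces the subnet's properties, so every existing property (prefix, NSG, route
// table, delegations) must be repeated here or it is dropped.
resource vmssSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vmssVnet
  name: vmssSubnetName
  properties: {
    addressPrefix: vmssSubnetPrefix
    natGateway: { id: natGw.id }
  }
}

// NSG on the VM side: allow only the NAT gateway's public IP on the service port,
// then explicitly deny everything else arriving from the Internet service tag.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'vm-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-vmss-via-nat'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: natPip.properties.ipAddress  // the SNAT address, known once the static PIP exists
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: string(servicePort)
        }
      }
      {
        name: 'deny-internet-inbound'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Associate the NSG with the VM's subnet (same "repeat all properties" caveat as above).
resource vmSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vmVnet
  name: vmSubnetName
  properties: {
    addressPrefix: vmSubnetPrefix
    networkSecurityGroup: { id: vmNsg.id }
  }
}

output vmssEgressIp string = natPip.properties.ipAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`. Two things worth checking after deployment: the `vmssEgressIp` output should match what the scale-set instances see when they connect out (e.g. to a service that echoes the client address), and the VM's effective NSG rules (`az network nic list-effective-nsg`) should show only that address allowed on the service port. If the VMSS subnet is also in the backend pool of a public load balancer, the NAT gateway takes precedence for outbound flows, which is the "preferred over the load balancer if both are present" behaviour the answer mentions.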