I'm relatively new to Azure and currently working with a hub and spoke network setup. One scenario we have is that a team in an Azure Virtual Desktop (AVD) virtual network needs to connect to a SQL Managed Instance (SQL MI) which is set up with Private Link in a different virtual network. However, when they try to access sqlmi.abcd.privatelink.database.windows.net, they're running into SSL mismatch issues. I don't want to create a Private DNS zone for database.windows.net since we have various applications that depend on switching Azure SQL databases and instances frequently. Using a DNS private resolver feels like overkill for managing only a couple of records. For now, the Session Hosts are just using a hosts file as a temporary fix. I'm looking for other options to resolve this while avoiding the need for dedicated VMs, especially since our setup uses Entra and Intune, without Active Directory.
2 Answers
Have you considered linking your existing Private DNS zone to the AVD virtual network? That’s essential for your setup. If the AVD VNET uses Azure's Managed DNS, you shouldn't need to do anything else. But if you're relying on your own DNS, then setting up a conditional forwarder for .privatelink.database.windows.net might be necessary. The connection issues are likely happening because you're attempting to connect directly to the .privatelink ending, which isn't supported. The Private Endpoint's role is to redirect traffic to the main .database endpoint instead.
Exactly! Just double-check how the SSL settings are configured and if mirroring for the Private DNS zone is fully implemented. Sometimes these hostname mismatches can be tricky to solve.
Linking the Private DNS zone is definitely the way to go. But if you’re facing SSL errors, ensure that your DNS resolution and the actual traffic to the SQL MI align. It might help to check which SSL certificates are being used by the SQL MI, as inconsistencies can often cause these issues. If using a hosts file is just a temporary patch, hopefully, you can find a more permanent solution without needing to spin up dedicated VMs!
Right, consistency with the SSL certificates is key! You want to confirm that all connections are using the right endpoints and certificates to maintain proper encryption.
Thanks for the advice! I'll definitely look into the SSL certificates and see if that resolves the matching issue.
It sounds like you have the right idea with linking the DNS zone. If SSL hostname mismatches occur while connecting from tools like Power BI, it might be worth revisiting how those queries are being made. Sometimes, the way the client application resolves the endpoint could lead to those mismatches.