Connection to Microsoft Azure MS-SQL is working for some regions and failed for others despite the same rules being applied for all regions
14203
Created On 06/21/24 09:57 AM - Last Modified 06/26/24 05:32 AM
Symptom
- The user is connected to GlobalProtect and trying to access Azure MS-SQL.
- It works from some gateway locations and fails from other gateway locations for the same user, despite the same policies being applied for all gateways.
Environment
- Prisma Access
- GlobalProtect
Cause
There are three connection policies for Azure SQL Database: Default, Redirect, and Proxy.
- Redirect: the client first connects to an Azure gateway on TCP/1433 and is then redirected to the database node on a port in the range TCP/11000-11999.
- Proxy: the client connects to an Azure gateway on TCP/1433, and that gateway proxies the session between the client and the SQL database server.
- Default: Redirect is used for all client connections originating inside Azure and Proxy for all client connections originating outside. Azure applies the Default policy unless it is changed. (Ref: Azure - Gateway IP Addresses)
- Azure made changes to its infrastructure, and more connections are now classified as originating inside Azure, so Redirect mode is used instead of Proxy mode.
- The issue started because the TCP/11000-11999 range is not allowed by default for the mssql-db application, so the redirected second connection is dropped on the gateways where Azure chooses Redirect.
Resolution
Either of the following methods resolves this.
On Palo Alto Firewalls:
- Allow the mssql-db application on both TCP/1433 and TCP/11000-11999 so the connection to Azure SQL succeeds.
- With this option both Redirect and Proxy mode connections are permitted, so the session is allowed whichever mode Azure chooses.
On the Azure side:
- Choose Proxy instead of Default from the Azure dashboard under the SQL database > Networking > Connectivity.
- This forces all connections to use Proxy mode, so only TCP/1433 is needed.
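As an added example (not part of this KB article), the following Python script shows how to confirm the cause from traffic logs and how to check that a firewall service covers both connection modes: it flags denied sessions landing in the TCP/11000-11999 Redirect range and tests a port list such as 1433,11000-11999 against the affected port. The simplified log format, gateway names and TEST-NET addresses are constructed assumptions, not Prisma Access output.

```python
"""Added example: detect blocked Azure SQL Redirect-mode hops and check service port coverage."""
from typing import Dict, List

PROXY_PORT = 1433                     # gateway port: whole Proxy session, or first hop of Redirect
REDIRECT_PORTS = range(11000, 12000)  # 11000-11999 inclusive: second hop of Redirect mode


def connection_mode(dst_port: int) -> str:
    """Classify a destination port by the Azure SQL connection mode it implies."""
    if dst_port == PROXY_PORT:
        return "gateway"   # Proxy session, or the initial Redirect hop
    if dst_port in REDIRECT_PORTS:
        return "redirect"
    return "other"


def allowed_by_service(port: int, service_ports: str) -> bool:
    """Check a port against a PAN-OS style port list such as '1433,11000-11999'."""
    for part in service_ports.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def parse_log(line: str) -> Dict[str, str]:
    """Parse one constructed, simplified traffic-log line of space-separated key=value pairs."""
    return dict(field.split("=", 1) for field in line.split())


def find_blocked_redirects(lines: List[str]) -> List[Dict[str, str]]:
    """Return denied sessions whose destination port is in the Redirect range."""
    return [
        rec for rec in map(parse_log, lines)
        if rec["action"] != "allow" and connection_mode(int(rec["dport"])) == "redirect"
    ]


# Constructed sample (TEST-NET addresses): one user via two gateways; Azure
# chooses Redirect for the second gateway, and the 11xxx hop is denied.
SAMPLE_LOGS = [
    "gw=gw-a src=10.1.1.5 dst=203.0.113.10 dport=1433 app=mssql-db action=allow",
    "gw=gw-b src=10.2.2.7 dst=203.0.113.10 dport=1433 app=mssql-db action=allow",
    "gw=gw-b src=10.2.2.7 dst=203.0.113.20 dport=11094 app=mssql-db action=deny",
]

if __name__ == "__main__":
    for rec in find_blocked_redirects(SAMPLE_LOGS):
        fixed = allowed_by_service(int(rec["dport"]), "1433,11000-11999")
        print(f"{rec['gw']}: Redirect hop to {rec['dst']}:{rec['dport']} denied; "
              f"allowed once service is 1433,11000-11999: {fixed}")
```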