Add ability to use Bastion to tunnel database connection

As a developer using Azure CLI I’m frustrated that I have to set up and maintain a whole Virtual Machine just to access a database that’s in a private VNet

I’d like to be able to use the Azure Bastion native tunnel feature to directly tunnel to a database inside the connected VNet in the same manner as currently is used for accessing a VM via SSH or RDP. In my particular case I’d like to connect to an Azure Database for MySQL flexible server instance that is set to Private Access (VNet Integration) - though it’d be good for any solution to handle any database.

Possible example:

az network bastion tunnel --resource-group test --name bastion-test --target-resource-id "$(az mysql flexible-server show --resource-group test --name db-test --query id --output tsv)" --resource-port 3306 --port 3306

mysql -u db_admin -p -h 127.0.0.1

Alternatives exist:

• Create a VM inside the VNet, expose SSH to the world, use SSH to connect to the VM, then in the VM connect to the database.
• Create a VM inside the VNet, expose SSH to the world, and use SSH to tunnel the database traffic.
• Create a VM inside the VNet, create a Bastion host, connect to the VM via Bastion in Azure Portal, then in the VM connect to the database.
• Create a VM inside the VNet, create a Bastion host, connect to the VM via Azure CLI az network bastion tunnel, then in the VM connect to the database.

Note that every alternative requires the creation of a VM. A VM that my company has to maintain. Bastion’s promise is to limit exposure - but is currently limited to VMs. VMs aren’t the only services that should have limited exposure.