Add ability to use Bastion to tunnel database connection
As a developer using Azure CLI I’m frustrated that I have to set up and maintain a whole Virtual Machine just to access a database that’s in a private VNet.
I’d like to be able to use the Azure Bastion native tunnel feature to directly tunnel to a database inside the connected VNet in the same manner as currently is used for accessing a VM via SSH or RDP. In my particular case I’d like to connect to an Azure Database for MySQL flexible server instance that is set to Private Access (VNet Integration) - though it’d be good for any solution to handle any database.
Possible example:
```bash
az network bastion tunnel --resource-group test --name bastion-test --target-resource-id "$(az mysql flexible-server show --resource-group test --name db-test --query id --output tsv)" --resource-port 3306 --port 3306
mysql -u db_admin -p -h 127.0.0.1
```
Alternatives exist:
- Create a VM inside the VNet, expose SSH to the world, use SSH to connect to the VM, then in the VM connect to the database.
- Create a VM inside the VNet, expose SSH to the world, and use SSH to tunnel the database traffic.
- Create a VM inside the VNet, create a Bastion host, connect to the VM via Bastion in Azure Portal, then in the VM connect to the database.
- Create a VM inside the VNet, create a Bastion host, connect to the VM via Azure CLI `az network bastion tunnel`, then in the VM connect to the database.
Note that every alternative requires the creation of a VM. A VM that my company has to maintain. Bastion’s promise is to limit exposure - but is currently limited to VMs. VMs aren’t the only services that should have limited exposure.
Issue Analytics
- State:
- Created a year ago
- Reactions:6
- Comments:5 (1 by maintainers)
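The second and fourth alternatives listed in the issue can be combined so that the VM needs no public SSH endpoint: Bastion carries SSH to the VM, and SSH forwards the database port. The script below is an added example, not code from the issue or from Azure CLI; the VM name, database host name, SSH user and local port 2222 are assumptions, and it assumes the Bastion host has native client tunneling enabled.

```bash
#!/usr/bin/env bash
# Added example, not from the issue. Resource names, DB host and user
# below are placeholders (assumptions); replace them with your own.
RG="test"; BASTION="bastion-test"; VM="jump-vm"
DB_HOST="db-test.mysql.database.azure.com"   # placeholder private FQDN
DB_PORT=3306; DB_LOCAL=3306; SSH_LOCAL=2222; SSH_USER="azureuser"

# Accept only integers in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh -L spec, bound to loopback so the forwarded database
# port is never offered to other hosts on the workstation's network.
forward_spec() {
  valid_port "$1" && valid_port "$3" || return 1
  printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Poll until the local end of the Bastion tunnel accepts connections
# (uses bash's /dev/tcp).
wait_for_port() {
  for i in $(seq 1 30); do
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null && return 0
    sleep 1
  done
  return 1
}

main() {
  spec=$(forward_spec "$DB_LOCAL" "$DB_HOST" "$DB_PORT") || exit 1
  vm_id=$(az vm show --resource-group "$RG" --name "$VM" \
    --query id --output tsv) || exit 1
  # Leg 1: Bastion carries SSH to the VM; the VM has no public IP.
  az network bastion tunnel --resource-group "$RG" --name "$BASTION" \
    --target-resource-id "$vm_id" --resource-port 22 --port "$SSH_LOCAL" &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null' EXIT
  wait_for_port "$SSH_LOCAL" || { echo "tunnel not ready" >&2; exit 1; }
  # Leg 2: SSH forwards the database port through the VM; no shell (-N).
  ssh -N -o ExitOnForwardFailure=yes -L "$spec" \
    -p "$SSH_LOCAL" "$SSH_USER@127.0.0.1"
}

# Nothing runs unless the script is called with "run".
if [ "${1:-}" = "run" ]; then main; fi
```

While the script is running, the `mysql -u db_admin -p -h 127.0.0.1` command from the issue connects through the forwarded port.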
Top GitHub Comments
I came here to file this bug also, I’m trying to tunnel to cosmosdb and it fails with this same error.
This is a legit bug at least in the sense that it shouldn’t be crashing with an `Unexpected internal error` and should probably at least give feedback about what is going wrong.

@kf6kjg Azure Bastion is currently designed for connecting to VMs like you’ve mentioned. The Azure Feedback forum would be the best place to get this idea recorded and have users upvote for it to gain traction.
Once the service supports it, then Azure CLI too would be updated to support the new scenarios as required.