Configure network connectivity to SQL Server sources on Azure

This page describes how to configure network connectivity to SQL Server sources on Microsoft Azure for heterogeneous SQL Server to Cloud SQL for PostgreSQL migrations with Database Migration Service. Database Migration Service supports Microsoft Azure SQL Managed Instance and Microsoft Azure SQL Database as source databases.

There are three different methods you can use to configure the necessary network connectivity for migrations from SQL Server sources on Azure:

• Public IP allowlist
• Forward-SSH tunnel
• Requires Cloud VPN or Cloud Interconnect: Private IP connectivity with Virtual Private Cloud peering

To learn more about source database network connectivity, see Source networking methods overview.

Configure IP allowlist connectivity

To use the public IP allowlist connectivity method, follow these steps:

1. Configure your source Microsoft Azure SQL Managed Instance to allow public network access from Database Migration Service public IP addresses for the region where you create the migration job.

   For more information, see Change public network access in the Microsoft documentation.

2. At a later stage, when you create the source connection profile, do the following:

   1. In the Define connection details section, use your instance's fully qualified server name for the source database IP.

      For more information about how to view the connection details of your Microsoft Azure SQL Managed Instance instance, see Get server connection information in the Microsoft documentation.

   2. In the Define connectivity method section, select IP allowlist.

Configure connectivity over a forward-SSH tunnel

To connect to your source database with a Secure Shell (SSH) tunnel, follow these steps:

1. Create a virtual machine in Microsoft Azure to serve as a dedicated forward-SSH tunnel server. Make sure you configure it in the same Azure Virtual Network where your source SQL Server has a private IP assigned.

   For more information, see Quickstart: Create a Linux virtual machine in the Azure portal in the Microsoft documentation. You don't need to create the web server mentioned in the quickstart.

2. Connect to your EC2 instance and set up the SSH tunnel. Follow these steps:
   1. Create a separate, dedicated user account for Database Migration Service to connect as:

      adduser TUNNEL_ACCOUNT_USERNAME

   2. Restrict shell access for the Database Migration Service account to enhance security:

      usermod -s /usr/sbin/nologin TUNNEL_ACCOUNT_USERNAME

   3. Decide what authentication method you want Database Migration Service to use when connecting to the tunnel.

      You can use a simple password, or generate SSH keys in the PEM format that you can later upload to Database Migration Service when you create the source connection profile.

      • If you want to use a password, you don't need to configure anything additional. Remember what password you created for the TUNNEL_ACCOUNT_USERNAME account.
      • If you want to use key-based authentication, you need to generate a private-public key pair. For example, you can use the ssh-keygen utility:
        1. Generate the key pair:

               ssh-keygen -m PEM -f YOUR_KEY_NAME
               

        2. Copy the public key (YOUR_KEY_NAME.pub) to the ~/.ssh/ directory on your tunnel server.
        3. Save the private key. You need to upload it later to Database Migration Service when you create the source connection profile.
   4. Edit the /etc/ssh/sshd_config file to configure the forward-SSH tunnel to match your organization's requirements. We recommend using the following settings:

      # Only allow the Database Migration Service user to connect.
      AllowUsers TUNNEL_ACCOUNT_USERNAME
      
      # Send keep-alive packets every 60 seconds to ensure that
      # the tunnel doesn't close during the migration
      ServerAliveInterval=60
      
      # Optional: Force key-based authentication
      PasswordAuthentication no
      
      # Enables Database Migration Service to connect from a different host
      PermitTunnel yes
      GatewayPorts yes

   5. Run the ssh command to start the tunnel.

      Before using any of the command data below, make the following replacements:

      • TUNNEL_SERVER_SSH_PORT with the port number where your server is listening for SSH connections.
      • SOURCE_DATABASE_PRIVATE_IP with the private IP address of your source database. The SSH server needs to be able to reach that IP.
      • SOURCE_DATABASE_PORT with the port number where your source database is listening for connections. The default port number for TCP connections on SQL Server is 1433.
      • USERNAME with the name of the user account that will be running the tunnel. This is a separate account from TUNNEL_ACCOUNT_USERNAME.
      • TUNNEL_SERVER_PUBLIC_IP with the public IP of your SSH tunnel server.

      ssh -N -L \
      TUNNEL_SERVER_SSH_PORT:SOURCE_DATABASE_PRIVATE_IP:SOURCE_DATABASE_PORT \
      USERNAME@TUNNEL_SERVER_PUBLIC_IP

3. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter the private IP of your Microsoft Azure SQL Managed Instance source.
   2. In the Define connectivity method section, select Forward-SSH tunnel.
   3. Provide the public IP address or hostname of your SSH server.
   4. Provide the port that you designated for the SSH connections on the tunnel server.
   5. Enter the username for the user you created for Database Migration Service to connect as (that is, the value of TUNNEL_ACCOUNT_USERNAME).
   6. From the Authentication method drop-down menu, select the authentication method you want to use with TUNNEL_ACCOUNT_USERNAME:
      • If you want to use the user password, select Password and enter TUNNEL_ACCOUNT_USERNAME password in the form.
      • If you configured your SSH server to use key-based authentication, select Private/Public key pair and upload the private key you generated in with the ssh-keygen command.

Configure private connectivity with VPC peering

To use private connectivity with Microsoft Azure SQL Managed Instance sources, you need to have a Cloud VPN or Cloud Interconnect configured in the same VPC network where you intend to create the private connectivity configuration for Database Migration Service. If you can't create the private connectivity configuration in the VPC network where you have your Cloud VPN or Cloud Interconnect, then you also need a reverse proxy Virtual Machine (VM) on Compute Engine to establish the connection.

If you can't use Cloud VPN or Cloud Interconnect, we recommend that you use the forward-SSH tunnel or the IP allowlist connectivity methods instead.

To use private connectivity with VPC peering and Cloud VPN, follow these steps:

1. Set up direct connectivity with Cloud VPN to your Microsoft Azure SQL Managed Instance source.

   For more information, see Create HA VPN connections between Google Cloud and Azure in the Cloud VPN documentation.

2. Optional: If you can't create the private connectivity configuration in the same VPC network where you have the Cloud VPN, create a reverse proxy Virtual Machine (VM) on Compute Engine to forward the connections between VPCs.
3. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where you have your Cloud VPN.
4. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter the private IP of your Microsoft Azure SQL Managed Instance source.
   2. In the Define connectivity method section, select Private connectivity (VPC peering).
   3. From the drop-down menu, select the private connectivity configuration you created in the previous step.