Skip to content

IFS Analysis Models - Azure Artifact setup - Private Endpoint

General

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network. https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview

Creating Azure Private Endpoint

Note: This private endpoint is used to secure the SQL environment

  1. Create a VNET
  2. Disable public access to SQL server.
  3. Create a private endpoint connection which is connected to the v-net in step 1.
  4. Use SSMS from a VM within the v-net of the private endpoint connection to connect to the database.

Important Must use the FQDN of the server in the connection string Can connect to the SQL server within the v-net. Cannot connect from outside (Azure or Local machine).

Microsoft Documentation

  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview
  2. https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal

Creating a v-net to v-net VPN gateway connection (IFS Preferred Method)

NOTE: If the Analysis Model solution is self hosted in customer Azure and IFS Cloud is hosted in IFS Managed Cloud, please contact Cloud Ops to setup an IPSec VPN between the two Environments.

If you have two separate VNET's a VPN can be setup between them for communication.

Follow the steps in the below Microsoft Documentation to create a VPN between the 2 v-nets. These v-nets can reside in same subscription or different subscriptions.

After the creation of the VPN, go to the private DNS zone resource created which is connected to the private endpoint of the SQL server and add the remote v-net (the v-net which is not hosting the private endpoint) as a virtual network link.

All the resources acts as they are in the same v-net after establishing the VPN gateway between 2 v-nets.

  1. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

Required setup - Using a data gateway to access SQL DB over private endpoint

Due to disabling the public access to the SQL server, the AAS cannot communicate with the SQL server since the SQL server is now only accessible within the v-net.

There is no way to associate the azure analysis service to a v-net (MS ref). Must use an on-prem data gateway installed in a VM which is connected to the v-net of the SQL server.

Microsoft Documentation

  1. https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-vnet-gateway
  2. https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-gateway-install?tabs=azure-portal