To connect your Azure Managed Grafana instance to an on-prem SQL Server, you’ll need to ensure proper DNS resolution for the private endpoint. Since Azure Managed Grafana doesn’t automatically resolve private endpoint DNS names, you'll need to configure a custom DNS solution that can resolve prd-sql01.company.net to the private IP. This may involve setting up DNS forwarding or using Azure DNS to handle private endpoint names. Additionally, ensure that your Azure VNet can route traffic to your on-prem network via the VPN or ExpressRoute connection, and check that the firewall and network security rules allow traffic to your SQL Server (usually port 1433 for SQL Server). From a VM within the same VNet as Grafana, test the DNS resolution to confirm the private DNS is working correctly by running tools like nslookup or ping. When configuring the SQL Server data source in Grafana, make sure to use the private DNS name and the appropriate authentication method. Lastly, if the issue persists, confirm that the Grafana instance has proper VNet integration, ensuring it has network access to the on-prem SQL Server. Proper DNS setup, network routing, and security rules are critical for making this connection work.
How to connect to an on premise SQL Server from Azure Managed Grafana
I have a new Azure Managed Grafana instance, and I'd like to connect to an on-premise SQL Server.
We have all of the VPN/Virtual networks set up, and from a vnet connected VM, I'm able to query data.
I have a Private Endpoint (not managed) set up, and it's landing in the correct vnet.
When I attempt to set up the MSSQL data source in Grafana by DNS name (prd-sql01.company.net), I get an immediate failure: lookup prd-sql01.company.net on 127.0.0.11:53: no such host
What's necessary to get an Azure Managed Grafana instance connected to a SQL Instance on a private network?
Azure Managed Grafana
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-11T02:32:02.32+00:00 Hi Sean Lively
Welcome to Microsoft Q&A, Thanks for asking question here!
Please follow the steps below:
1. Both Azure Managed Grafana and your SQL Server should be in the same virtual network (VNet) or connected through VNet peering. This is important for private connectivity.
2. Create a private endpoint for your SQL Server within the VNet. This allows Grafana to access SQL Server privately, without using the public internet.
3. Since you're using a private endpoint, set up DNS resolution. You may need to link a Private DNS Zone to your VNet, so that the DNS name of your SQL Server (e.g., prd-sql01.company.net) resolves to its private IP.
4. Ensure Grafana can resolve the SQL Server’s private IP by checking the DNS settings in Azure Managed Grafana.
5. Ensure the Network Security Group (NSG) rules allow traffic between the Grafana private endpoint and the SQL Server’s private IP. There should be no rules blocking traffic within the VNet or between peered VNets.
6. Update your SQL Server firewall to allow traffic from the private IP of Azure Managed Grafana or from the entire VNet.
7. Make sure you are using a supported authentication method, like SQL authentication or Managed Identity, for connections over private endpoints.
8. After setting everything up, test the connection from Grafana to your SQL Server again. If there are still issues, double-check all settings and make sure there are no typos in DNS names or IP addresses.
Please let us know if you require anything!
-
Sean Lively • 0 Reputation points
2025-01-13T16:11:24.07+00:00 @Pavan Minukuri 4: Ensure Grafana can resolve the SQL Server's private IP- Where exactly is the DNS Settings, and how can I test DNS resolution?
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-14T07:00:34.3433333+00:00 Hi Sean Lively
Thanks for replying back!
DNS Settings Configuration:
1. Azure Managed Grafana and Azure SQL Server are in the same virtual network (VNet) or connected via VNet peering for internal communication.
2. Set up private endpoints for both services, with Grafana having a private endpoint in the same VNet as Azure SQL Server or in a peered VNet.
3. Configure Network Security Group (NSG) rules to allow traffic between the Grafana private endpoint and the SQL Server's private IP, ensuring no rules block internal traffic.
4. Link a Private DNS Zone to your VNet to resolve the SQL Server's private IP address, creating and linking the DNS zone correctly.
5. Update the SQL Server VM firewall rules to allow traffic from Grafana's private IP or the virtual network range.
Testing DNS Resolution:
To test if your DNS settings are correctly resolving the SQL Server's private IP, you can use several methods:
1. Using the **nslookup** command: Open your command prompt and run the command below:
nslookup <SQL_Server_Hostname>
Replace <SQL_Server_Hostname> with your SQL Server's actual hostname to get the resolved IP address if DNS is working correctly.
2. Using the **ping** command: You can also use ping to check if the hostname resolves.
ping <SQL_Server_Hostname>
This command will show you if there’s a response from the server, indicating successful resolution.
3. Try flushing your DNS cache:
Windows
ipconfig /flushdns
Linux
sudo systemd-resolve --flush-caches
After flushing, retry the nslookup or ping commands.
Please let us know if you require anything!
-
Benz, Dennis • 0 Reputation points
2025-01-14T13:49:39.17+00:00 I encountered the same issue. It seems that using a custom hostname like "prd-sql01.company.net" in the Azure Managed Grafana version is not supported. This limitation likely arises because the Microsoft-managed worker, where the Grafana instance runs, cannot resolve custom DNS entries such as a private DNS Zone in Azure. As a result, using an IP address appears to be the only viable option.
Azure Managed Grafana might not be the best option for a hybrid scenario. You could try using the IP address of the SQL Database as an alternative, but keep in mind the importance of the database's SSL/TLS settings. Grafana can only establish a connection if the SSL/TLS configuration aligns with the requirements of your SQL database.
-
Sean Lively • 0 Reputation points
2025-01-14T16:57:33.9833333+00:00 @Pavan Minukuri I currently have App Services on Azure successfully connecting to on premise SQL Servers, so the VNet/VPN/DNS infrastructure is set up correctly, and the custom DNS servers are set correctly on the vnet the Grafana's private endpoint is connected to.
How can I test the DNS resolution inside of Grafana?
Can you also comment on Dennis's experience?
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-14T17:56:22.6666667+00:00 Thanks for replying back, Sean Lively
1. How can I test the DNS resolution inside of Grafana?
Grafana doesn't resolve DNS names directly, but you can use dashboards with ping and response tests to check DNS resolution issues by measuring response times.
For a direct approach without external tools like Telegraf, use a custom script or plugin to execute DNS queries.
1. Create a custom data source plugin for Grafana to connect with your DNS server and retrieve the information.
2. Check the Grafana plugin repository for plugins that support network monitoring or DNS queries.
3. If you know JavaScript, you can write a simple function in Node.js to resolve domain names.
const dns = require('dns');
// Resolve the IPv4 (A) records for a name and print them
dns.resolve4('dns.google.com', (err, addresses) => {
  if (err) throw err;
  console.log(`Addresses: ${JSON.stringify(addresses)}`);
});
2. Can you also comment on Dennis's experience?
The challenges with Azure Managed Grafana and custom hostnames, like "prd-sql01.company.net," are due to the service's limitation in resolving private DNS entries.
1. Azure Managed Grafana doesn't support custom domain names, so users must use the default Azure-generated URLs, and custom domains often lead to connection failures due to DNS resolution issues.
2. Azure Managed Grafana is designed for public network access and doesn’t support direct connections to private IPs or networks without additional setup, like a Virtual Network (VNet) or VPN.
3. Due to DNS resolution limitations, using the IP address of your SQL database is a recommended workaround, but make sure SSL/TLS settings are properly configured for a secure connection.
4. Using the SQL Database's IP address is a viable alternative, but ensure the SSL/TLS configuration is compatible with Grafana's requirements.
5. In a hybrid environment, you may need to set up a Private Endpoint for Azure Managed Grafana within your VNet to ensure secure access to Azure resources while following network security protocols.
6. Microsoft announcements on updates to Azure Managed Grafana, particularly regarding custom domains and private network connections, as these features may change based on user feedback.
Reference links:
https://learn.microsoft.com/en-us/azure/managed-grafana/troubleshoot-managed-grafana
https://stackoverflow.com/questions/76005443/azure-managed-grafana-with-custom-url
Please let us know if you require anything
-
Benz, Dennis • 0 Reputation points
2025-01-15T13:13:06.3966667+00:00 I attempted to connect to the On-Premises SQL Server using its private IP address (Managed Grafana with Private Endpoint, VNet Peering, VPN Gateway, etc.), but the connection still fails. I believe the issue lies in the fact that the On-Premises SQL Server forces SSL/TLS encryption, and since this is an Azure Managed Grafana instance, it’s not possible to load a certificate file path due to the limitations of the managed environment.
Disabling the SSL/TLS encryption enforcement on the On-Premises SQL Server is not an option. Additionally, using a certificate with a private IP address as the common name (CN) is generally not feasible. It seems I may need to explore an alternative solution for this scenario.
@Pavan Minukuri what do you think about that?
-
Sean Lively • 0 Reputation points
2025-01-15T17:37:17.01+00:00 @Pavan Minukuri So Azure Managed Grafana does not use the DNS settings on the Private Endpoint's VNet, and there's no way to set custom DNS Servers?
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-15T19:46:45.4266667+00:00 Sean Lively
Azure Managed Grafana does not support custom DNS servers for private endpoints and uses Azure's default DNS resolution instead.
You can integrate a private endpoint for Azure Managed Grafana with a private DNS zone, but it won't allow custom DNS server configurations and will still use Azure's DNS service for name resolution.
Azure Managed Grafana does not support custom domain names, and users have reported 404 errors when setting up CNAME records due to misconfigurations or unsupported features.
Ensure the private DNS zone is correctly linked to the VNet and necessary records are created, but DNS changes must be made within Azure's provided services.
While Azure Managed Grafana allows for private access through private endpoints and private DNS zones, it does not permit the configuration of custom DNS servers or direct support for custom domain names.
-
Sean Lively • 0 Reputation points
2025-01-15T20:15:17.4066667+00:00 @Pavan Minukuri Is there an open request somewhere for Azure Managed Grafana to use custom DNS servers like App Services does?
Is there also an open request to attach Grafana directly to a VNet?
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-20T20:31:31.2733333+00:00 There are currently no open requests or features available for Azure Managed Grafana that allow the use of custom DNS servers in the same way that Azure App Services does. As of now, setting custom domain names for Azure Managed Grafana instances is not supported, and users have reported issues with configuring CNAME records to point to their instances, resulting in 404 errors. This feature remains on the backlog and has not been scheduled for development yet.
Regarding the ability to attach Azure Managed Grafana directly to a Virtual Network (VNet), this functionality is available. Users can create private endpoints that allow Azure Managed Grafana to connect privately to data sources within their VNet. This setup involves using Azure Private Link to establish a private connection, which ensures that traffic does not traverse the public internet. Additionally, you can configure private DNS zones to manage DNS resolution for these private endpoints.
Custom DNS Servers: Not supported; no open request for this feature.
Attach to VNet: Supported via private endpoints and Azure Private Link.
Please let me know if you require anything!
-
Sean Lively • 0 Reputation points
2025-01-20T22:18:13.89+00:00 @Pavan Minukuri Since Grafana won't use the DNS settings in the private endpoint or the underlying VNet, it's not really supported, it doesn't matter what private DNS zones are configured.
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-21T18:38:41.0466667+00:00 Sean Lively Grafana isn't using the DNS settings from the private endpoint or VNet because it relies on specific DNS configurations that don't match Azure's Private Link setup.
1. When a private endpoint is created in Azure, DNS settings must be configured to resolve the private IP address, often by linking a Private DNS Zone to the VNet where the endpoint is located.
2. Grafana might not automatically use the DNS settings for its Private Link, meaning it could still resolve to public endpoints unless explicitly configured otherwise, even if the private DNS zones are set up correctly.
3. Create a private DNS zone: this zone should be linked to your VNet and configured with appropriate A records pointing to your private endpoint's IP address.
4. Override public DNS entries: if there are existing public DNS configurations, they need to be overridden by ensuring that requests for Grafana resolve to the private endpoint instead.
5. After setup, it's important to test DNS resolution by querying the DNS within the VNet to confirm it resolves to the private IP address of the Grafana service.
Please let me know if anything is required!
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-22T19:04:40.4866667+00:00 Hi @Sean Lively We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
-
Pavan Minukuri • 1,045 Reputation points • Microsoft Vendor
2025-01-24T01:35:05.1+00:00 Hi @Sean Lively We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
1 answer
-
Alemu Abate Asheber • 80 Reputation points
2025-01-20T22:32:28.5766667+00:00
-
Sean Lively • 0 Reputation points
2025-01-20T22:47:26.7266667+00:00 @Alemu Abate Asheber Incorrect. Even with a properly configured private endpoint, vnet, private DNS, and VPN, Azure Managed Grafana does NOT use any of this for DNS resolution.
I know my infrastructure is configured correctly because we have App Services connecting successfully via DNS name to on premise SQL Servers.
This is a lot of work to avoid saying "Private SQL Servers are not supported via DNS name at this time, and we don't have it on our roadmap."