How to connect to a on premise SQL Server from Azure Managed Grafana

Sean Lively 0

I have a new Azure Managed Grafana instance, and I'd like to connect to a on-premise SQL Server.

We have all of the VPN/Virtual networks setup, and from a vnet connected VM, I'm able to query data.

I have a Private Endpoint (not managed) setup, and it's landing in the correct vnet.

When I attempt to setup the MSSQL data source in Grafana by DNS name (prd-sql01.company.net), I get an immediate failure: lookup prd-sql01.company.net on 127.0.0.11:53: no such host

What's necessary to get an Azure Managed Grafana instance connected to a SQL Instance on a private network?

Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-11T02:32:02.32+00:00

Hi Sean Lively
Welcome to Microsoft Q&A, Thanks for asking question here!
Please follow with below steps:
1.Both Azure Managed Grafana, and your SQL Server should be in the same virtual network (VNet) or connected through VNet peering. This is important for private connectivity.
2.Create a private endpoint for your SQL Server within the VNet. This allows Grafana to access SQL Server privately, without using the public internet.
3.Since you're using a private endpoint, set up DNS resolution. You may need to link a Private DNS Zone to your VNet, so that the DNS name of your SQL Server (e.g., prd-sql01.company.net) resolves to its private IP
4,Ensure Grafana can resolve the SQL Server’s private IP by checking the DNS settings in Azure Managed Grafana.
5.Ensure the Network Security Group (NSG) rules allow traffic between the Grafana private endpoint and the SQL Server’s private IP. There should be no rules blocking traffic within the VNet or between peered VNets.
6.Update your SQL Server firewall to allow traffic from the private IP of Azure Managed Grafana or from the entire VNet.
7.Make sure you are using a supported authentication method, like SQL authentication or Managed Identity, for connections over private endpoints.
8.After setting everything up, test the connection from Grafana to your SQL Server again. If there are still issues, double-check all settings and make sure there are no typos in DNS names or IP addresses.

Please let us know if you required anything!
Sean Lively 0 Reputation points

2025-01-13T16:11:24.07+00:00

@Pavan Minukuri 4: Ensure Grafana can resolve the SQL Server's private IP- Where exactly is the DNS Settings, and how can I test DNS resolution?
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-14T07:00:34.3433333+00:00
Hi Sean Lively
Thanks for replying back!
DNS Settings Configuration:
1.Azure Managed Grafana and Azure SQL Server are in the same virtual network (VNet) or connected via VNet peering for internal communication.
2.Set up private endpoints for both services, with Grafana having a private endpoint in the same VNet as Azure SQL Server or in a peered VNet.
3.Configure Network Security Group (NSG) rules to allow traffic between the Grafana private endpoint and the SQL Server's private IP, ensuring no rules block internal traffic.
4.Link a Private DNS Zone to your VNet to resolve the SQL Server's private IP address, creating and linking the DNS zone correctly.
5.Update the SQL Server VM firewall rules to allow traffic from Grafana's private IP or the virtual network range.
Testing DNS Resolution:
To test if your DNS settings are correctly resolving the SQL Server's private IP, you can use several methods:

1.Using **nslookup **Command:

Open your command prompt. run the below command

nslookup <SQL_Server_Hostname>

Replace <SQL_Server_Hostname> with your SQL Server's actual hostname to get the resolved IP address if DNS is working correctly.
2.Using **ping **Command:
You can also use ping to check if the hostname resolves.

ping <SQL_Server_Hostname>

This command will show you if there’s a response from the server, indicating successful resolution
3.try flushing your DNS cache
Windows
ipconfig /flushdns

Linux
sudo systemd-resolve --flush-caches

After flushing, retry the nslookup or ping commands

Please let us know if you required anything!
Benz, Dennis 0 Reputation points

2025-01-14T13:49:39.17+00:00

I encountered the same issue. It seems that using a custom hostname like "prd-sql01.company.net" in the Azure Managed Grafana version is not supported. This limitation likely arises because the Microsoft-managed worker, where the Grafana instance runs, cannot resolve custom DNS entries such as a private DNS Zone in Azure. As a result, using an IP address appears to be the only viable option.
Azure Managed Grafana might not be the best option for a hybrid scenario. You could try using the IP address of the SQL Database as an alternative, but keep in mind the importance of the database's SSL/TLS settings. Grafana can only establish a connection if the SSL/TLS configuration aligns with the requirements of your SQL database.
Sean Lively 0 Reputation points

2025-01-14T16:57:33.9833333+00:00

@Pavan Minukuri I currently have App Services on Azure successfully connecting to on premise SQL Servers, so the VNet/VPN/DNS infrastructure is setup correctly, and the custom DNS servers are set correctly on the vnet the Grafana's private endpoint is connected to.

How can I test the DNS resolution inside of Grafana?

Can you also comment on Dennis's experience?
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-14T17:56:22.6666667+00:00
Thanks for replying backSean Lively
1.How can I test the DNS resolution inside of Grafana?
Grafana doesn't resolve DNS names directly, but you can use dashboards with ping and response tests to check DNS resolution issues by measuring response times.
For a direct approach without external tools like Telegraf, use a custom script or plugin to execute DNS queries.
1.create a custom data source plugin for Grafana to connect with your DNS server and retrieve the information.
2.Check the Grafana plugin repository for plugins that support network monitoring or DNS queries.
3.If you know JavaScript, you can write a simple function in Node.js to resolve domain names.

const dns = require('dns'); dns.resolve4('dns.google.com', (err, addresses) => { if (err) throw err; console.log(`Addresses: ${JSON.stringify(addresses)}`); });

2.Can you also comment on Dennis's experience?

The challenges with Azure Managed Grafana and custom hostnames, like "prd-sql01.company.net," are due to the service's limitation in resolving private DNS entries.

1.Azure Managed Grafana doesn't support custom domain names, so users must use the default Azure-generated URLs, and custom domains often lead to connection failures due to DNS resolution issues.

2.Azure Managed Grafana is designed for public network access and doesn’t support direct connections to private IPs or networks without additional setup, like a Virtual Network (VNet) or VPN.

3.Due to DNS resolution limitations, using the IP address of your SQL database is a recommended workaround, but make sure SSL/TLS settings are properly configured for a secure connection.

4.Using the SQL Database's IP address is a viable alternative, but ensure the SSL/TLS configuration is compatible with Grafana's requirements.

5.In a hybrid environment, you may need to set up a Private Endpoint for Azure Managed Grafana within your VNet to ensure secure access to Azure resources while following network security protocols.

6.Microsoft announcements on updates to Azure Managed Grafana, particularly regarding custom domains and private network connections, as these features may change based on user feedback.

Reference link: https://learn.microsoft.com/en-us/azure/managed-grafana/troubleshoot-managed-grafana

https://stackoverflow.com/questions/76005443/azure-managed-grafana-with-custom-url

Please let us know if you required anything
Benz, Dennis 0 Reputation points

2025-01-15T13:13:06.3966667+00:00

I attempted to connect to the On-Premises SQL Server using its private IP address (Managed Grafana with Private Endpoint, VNet Peering, VPN Gateway, etc.), but the connection still fails. I believe the issue lies in the fact that the On-Premises SQL Server forces SSL/TLS encryption, and since this is an Azure Managed Grafana instance, it’s not possible to load a certificate file path due to the limitations of the managed environment.

Disabling the SSL/TLS encryption enforcement on the On-Premises SQL Server is not an option. Additionally, using a certificate with a private IP address as the common name (CN) is generally not feasible. It seems I may need to explore an alternative solution for this scenario.

@Pavan Minukuri what do think about that?
Sean Lively 0 Reputation points

2025-01-15T17:37:17.01+00:00

@Pavan Minukuri So Azure Managed Grafana does not use the DNS settings on the Private Endpoint's VNet, and there's no way to set custom DNS Servers?
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-15T19:46:45.4266667+00:00

Sean Lively
Azure Managed Grafana does not support custom DNS servers for private endpoints and uses Azure's default DNS resolution instead.
can integrate a private endpoint for Azure Managed Grafana with a private DNS zone, but it won't allow custom DNS server configurations and will still use Azure's DNS service for name resolution.
Azure Managed Grafana does not support custom domain names, and users have reported 404 errors when setting up CNAME records due to misconfigurations or unsupported features.
Ensure the private DNS zone is correctly linked to the VNet and necessary records are created, but DNS changes must be made within Azure's provided services.
Azure Managed Grafana allows for private access through private endpoints and private DNS zones, it does not permit the configuration of custom DNS servers or direct support for custom domain names.
Sean Lively 0 Reputation points

2025-01-15T20:15:17.4066667+00:00

@Pavan Minukuri Is there an open request somewhere for Azure Managed Grafana to use custom DNS servers like App Services does?

Is there also an open request to attach Grafana directly to a VNet?
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-20T20:31:31.2733333+00:00

There are currently no open requests or features available for Azure Managed Grafana that allow the use of custom DNS servers in the same way that Azure App Services does. As of now, setting custom domain names for Azure Managed Grafana instances is not supported, and users have reported issues with configuring CNAME records to point to their instances, resulting in 404 errors. This feature remains on the backlog and has not been scheduled for development yet.

Regarding the ability to attach Azure Managed Grafana directly to a Virtual Network (VNet), this functionality is available. Users can create private endpoints that allow Azure Managed Grafana to connect privately to data sources within their VNet. This setup involves using Azure Private Link to establish a private connection, which ensures that traffic does not traverse the public internet. Additionally, you can configure private DNS zones to manage DNS resolution for these private endpoints.

Custom DNS Servers: Not supported; no open request for this feature.

Attach to VNet: Supported via private endpoints and Azure Private Link.

Please let me know if you required anything!
Sean Lively 0 Reputation points

2025-01-20T22:18:13.89+00:00

@Pavan Minukuri Since Grafana won't use the DNS settings in the private endpoint or the underlying VNet, it's not really supported, it doesn't matter what private DNS zones are configured.
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-21T18:38:41.0466667+00:00

Sean Lively Grafana isn't using the DNS settings from the private endpoint or VNet because it relies on specific DNS configurations that don't match Azure's Private Link setup.
1.When a private endpoint is created in Azure, DNS settings must be configured to resolve the private IP address, often by linking a Private DNS Zone to the VNet where the endpoint is located.
2.Grafana might not automatically use the DNS settings for its Private Link, meaning it could still resolve to public endpoints unless explicitly configured otherwise, even if the private DNS zones are set up correctly.
3.Create a private DNS zone this zone should be linked to your VNet and configured with appropriate A records pointing to your private endpoint's IP address.
4.Override public DNS entries If there are existing public DNS configurations, they need to be overridden by ensuring that requests for Grafana resolve to the private endpoint instead
5.After setup, it's important to test DNS resolution by querying the DNS within the VNet to confirm it resolves to the private IP address of the Grafana service.

Please let me know if anything required!
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-22T19:04:40.4866667+00:00

Hi @Sean Lively We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Pavan Minukuri 1,130 Reputation points Microsoft Vendor

2025-01-24T01:35:05.1+00:00

Hi @Sean Lively We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.

3 answers

Alemu Abate Asheber 80 Reputation points

2025-01-20T22:32:28.5766667+00:00

To connect your Azure Managed Grafana instance to an on-prem SQL Server, you’ll need to ensure proper DNS resolution for the private endpoint. Since Azure Managed Grafana doesn’t automatically resolve private endpoint DNS names, you'll need to configure a custom DNS solution that can resolve prd-sql01.company.net to the private IP. This may involve setting up DNS forwarding or using Azure DNS to handle private endpoint names. Additionally, ensure that your Azure VNet can route traffic to your on-prem network via the VPN or ExpressRoute connection, and check that the firewall and network security rules allow traffic to your SQL Server (usually port 1433 for SQL Server). From a VM within the same VNet as Grafana, test the DNS resolution to confirm the private DNS is working correctly by running tools like nslookup or ping. When configuring the SQL Server data source in Grafana, make sure to use the private DNS name and the appropriate authentication method. Lastly, if the issue persists, confirm that the Grafana instance has proper VNet integration, ensuring it has network access to the on-prem SQL Server. Proper DNS setup, network routing, and security rules are critical for making this connection work.
Please sign in to rate this answer.
Sean Lively 0 Reputation points

2025-01-20T22:47:26.7266667+00:00

@Alemu Abate Asheber Incorrect. Even with a properly configured private endpoint, vnet, private DNS, and VPN, Azure Managed Grafana does NOT use any of this for DNS resolution.

I know my infrastructure is configured correctly because we have App Services connecting successfully via DNS name to on premise SQL Servers.

This is a lot of work to avoid saying "Private SQL Servers are not supported via DNS name at this time, and we don't have it on our roadmap."

Vinod Pittala 240 Reputation points Microsoft Vendor

2025-01-30T22:31:38.13+00:00

Hello Sean Lively,

Apologies for the delay in response.

Yes, perhaps you are right for this moment.

Here is the clear explanation why the Private SQL Servers are not supported at this time to connect with the Grafana via DNS name, is because here we aim to connect Grafana with On-prem SQL server via private endpoints. So DNS resolution for these private endpoint names is required.

However, Azure Managed Grafana is a fully managed service that doesn't have built-in access to the Azure DNS resolution for private endpoints by default.

Therefore, to ensure Azure Managed Grafana can resolve private endpoint DNS names, you’ll need to configure DNS resolution manually.

So that in this approach you’ll need to create a Private DNS Zone. However, azure Managed Grafana cannot automatically use your private DNS zone by default.

As a result, you need to adopt a custom DNS solution to resolve private endpoint DNS names.

To connect a private endpoint hosted in Azure from an on-premises environment (via VPN or ExpressRoute), you must configure DNS forwarding to resolve private endpoint DNS names from your on-premises network.

Unfortunately, the custom DNS solution is not supported at this time, as users have reported 404 errors while configuring the CNAME records due to unsupported features.

Therefore, it seems currently connecting to a private SQL Server from Grafana via DNS name might not supported for now.

Thank you.

Vinod Pittala 240 Reputation points Microsoft Vendor

2025-01-31T22:22:23.4866667+00:00

Hello Sean Lively,

If you have any further questions, please do not hesitate to reach out. I am here to assist you.

If you found the above answer helpful, kindly click "Upvote it".

Thank you

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Naveena Patlolla 160 Reputation points Microsoft Vendor

2025-02-03T03:41:51.85+00:00

Hello Sean Lively,
I'm currently reviewing this and will get back to you with a solution soon
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Wuyi Weng 151 Reputation points Microsoft Employee

2025-02-06T19:39:43.46+00:00

As a managed service, Azure Managed Grafana (AMG) is running in a Microsoft owned network. It is outside of the customer owned network. I.e. AMG is not runing in your on-premise network or your own azure virtual network.

AMG has a feature called managed private endpoint to support the network connection from the AMG network to customer owned network. You can use a managed private endpoint to connect one AMG to your own private link service inside your network. e.g. you can have one azure VM running SQL server on it in your own virtual network. You can put private link service before this Azure VM. Then AMG can connect to this Azure VM through managed private endpoint without going through public network.

If the SQL server is running on on-premise machine, then extra network setup will be needed to connect one pirvate link service to the on-premise machine, e.g. express route, site-to-site VPN, one Azure VM acting as proxy. But this network setup is highly depend on your current network setup.

There is one example for using managed private endpoint:

https://learn.microsoft.com/en-us/azure/managed-grafana/tutorial-mpe-oss-prometheus
Please sign in to rate this answer.
Sean Lively 0 Reputation points

2025-02-06T20:24:17.8166667+00:00

@Wuyi Weng I did setup a managed private endpoint into AMG, but it was unable to connect to the on-prem SQL server by name due to private DNS.

I have Azure App Services connected by private endpoints and VNets able to connect successfully to on-prem SQL servers via DNS name due to Custom DNS configurations, and I now have Grafana running as a Azure Container App, and it's also able to resolve the on-prem names via VNet DNS resolution.

So again, AMG is unable to connect to a on-prem SQL Server via DNS name due to missing support for custom DNS.

Wuyi Weng 151 Reputation points Microsoft Employee

2025-02-07T17:00:24.34+00:00

Hi, did you setup a private link service in front of your on-prem SQL Server? Managed private endpoint can support you put a domain name for it. The network setup for App Service / Azure Container App is different from Azure Managed Grafana. App Service / Azure Container App can put the compute inside your network, i.e. VNet injection. Azure Managed Grafana (AMG) is running in a service managed network. To start a network connection from AMG network into your own network, AMG is using the feature managed private endpoint.

Exposing your on-premise SQL server through private link service will need some network setup. This is one tutorial for a similar doc: https://learn.microsoft.com/en-us/azure/data-factory/tutorial-managed-virtual-network-on-premise-sql-server
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Naveena Patlolla 160 Reputation points Microsoft Vendor

2025-02-03T13:49:57.7366667+00:00
Hi @Sean Lively

Steps to Connect Grafana to an On-Premises SQL Server from an Azure VM

1.Access Grafana

              Open Grafana on an Azure VM within the same VNet where Grafana is deployed.

2.Test Connection Using SQL Server IP Address

               Instead of using the hostname, enter the SQL Server IP address while configuring the data source in Grafana.

If the connection is successful, proceed to the next step.

3.Add a Host Entry for SQL Server

Open the hosts file located at:

C:\Windows\System32\Drivers\etc\hosts

Add an entry mapping the SQL Server IP to its hostname as shown below:

                                   <SQL_Server_IP> <SQL_Server_Hostname>

4.Flush DNS Cache

             Open Command Prompt as Administrator and run:

             ipconfig /flushdns

5.Test Connection Using Hostname

·       Now, try connecting to the SQL Server using the hostname in Grafana.

Solution 2:

Step1.Open the Grafana on Sql server if the Grafana is unable to Open on SQL server, go to step number 2

Step2.

1.Add a Host Entry in SQL server as shown below, Private endpoint NIC IP address of Grafana and URL

2.Then Browse the Grafana and try to Configure the Data source MSSQL with Hostname.

Solution 3

Step 1: Verify DNS Configuration in Azure VNet

Azure Managed Grafana inherits DNS settings from the VNet it’s integrated with. Ensure:

The VNet’s DNS Servers are configured to resolve on-premises DNS names (e.g., your company’s internal DNS servers).

·       Go to Azure Portal > VNet > DNS Servers.

·       If using a hybrid setup, configure Custom DNS pointing to your on-premises DNS servers or an Azure DNS Private Resolver with forwarding rules to on-prem.

2.If your on-prem DNS zone (company.net) is not reachable from Azure, use Azure DNS Private Resolver:

·       Deploy a DNS Forwarding Ruleset to forward company.net queries to your on-prem DNS servers via the VPN/ExpressRoute connection.

Step 2: Test DNS Resolution from Grafana

Since you can’t run commands directly on Grafana, validate DNS resolution indirectly:

1.Use the SQL Server’s IP address instead of the DNS name in Grafana’s data source configuration.

If this works, the issue is purely DNS-related.

Example Grafana config:

Host: 192.168.1.100 (on-prem SQL Server IP)

Port: 1433

2.If the IP address works, ensure the VNet’s DNS servers can resolve prd-sql01.company.net.

Step 3: Configure Azure DNS for Hybrid Resolution

If your VNet uses Azure’s default DNS (168.63.129.16), it won’t resolve on-prem names. Fix this by:

Option 1: Use Custom DNS Servers

·       Point the VNet’s DNS to your on-prem DNS servers (requires firewall rules to allow DNS traffic over VPN/ExpressRoute).

Option 2: Azure DNS Private Resolver

·       Deploy an Azure DNS Private Resolver to forward company.net queries to your on-prem DNS servers.

Please provide your valuable comments

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Please sign in to rate this answer.
Ashok Gandhi Kotnana 3,225 Reputation points Microsoft Vendor

2025-02-04T12:21:08.99+00:00

Hi @Sean Lively ,

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Sean Lively 0 Reputation points

2025-02-04T20:03:29.65+00:00

@Ashok Gandhi Kotnana @Naveena Patlolla None of these steps will configure Azure Managed Grafana to use the custom DNS settings on the VNet, so resolution of internal DNS names will fail from Grafana.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to connect to a on premise SQL Server from Azure Managed Grafana

3 answers

Your answer