site/blog/using-aks-and-socks-to-connect-to-a-private-azure-db/index.html
2024-04-08 12:53:11 +00:00


<!doctype html><html lang=en data-theme=dark><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link rel=preload as=font type=font/woff2 href=/fonts/roboto-slab-latin-400.woff2 crossorigin=anonymous><link rel=preload as=font type=font/woff2 href=/fonts/roboto-slab-latin-700.woff2 crossorigin=anonymous><link rel=preload as=font type=font/woff2 href=/fonts/fira-code-latin-300.woff2 crossorigin=anonymous><link rel=preload as=font type=font/woff2 href=/fonts/fira-code-latin-400.woff2 crossorigin=anonymous><link rel=preload as=font type=font/woff2 href=/fonts/fira-code-latin-700.woff2 crossorigin=anonymous><meta name=robots content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1"><title>Using AKS and SOCKS to connect to a private Azure DB</title>
<meta name=description content="I ran into a roadblock recently where I wanted to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I&amp;rsquo;d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I&amp;rsquo;d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
"><link rel=canonical href=/blog/using-aks-and-socks-to-connect-to-a-private-azure-db/><meta name=twitter:card content="summary"><meta name=twitter:title content="Using AKS and SOCKS to connect to a private Azure DB"><meta name=twitter:description content="I ran into a roadblock recently where I wanted to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I&rsquo;d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I&rsquo;d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this."><meta property="og:title" content="Using AKS and SOCKS to connect to a private Azure DB"><meta property="og:description" content="I ran into a roadblock recently where I wanted to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I&rsquo;d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I&rsquo;d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this."><meta property="og:type" content="article"><meta property="og:url" content="/blog/using-aks-and-socks-to-connect-to-a-private-azure-db/"><meta property="article:section" content="blog"><meta property="article:published_time" content="2023-05-22T16:31:29-04:00"><meta property="article:modified_time" content="2024-04-06T23:25:57-04:00"><meta itemprop=name content="Using AKS and SOCKS to connect to a private Azure DB"><meta itemprop=description content="I ran into a roadblock recently where I wanted to conveniently connect to a managed postgres database within Azure that was not running on public subnets. 
And by conveniently, I mean that I&rsquo;d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I&rsquo;d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this."><meta itemprop=datePublished content="2023-05-22T16:31:29-04:00"><meta itemprop=dateModified content="2024-04-06T23:25:57-04:00"><meta itemprop=wordCount content="616"><meta itemprop=keywords content="aks,aws,azure,bastion,cloud-sql-proxy,database,eks,k8s,kubectl-plugin-socks5-proxy,proxy,socat,socks,"><style>@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:100;src:local("Roboto Slab Thin "),local("Roboto Slab-Thin"),url(/fonts/roboto-slab-latin-100.woff2) format("woff2"),url(/fonts/roboto-slab-latin-100.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:200;src:local("Roboto Slab Extra Light "),local("Roboto Slab-Extra Light"),url(/fonts/roboto-slab-latin-200.woff2) format("woff2"),url(/fonts/roboto-slab-latin-200.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:300;src:local("Roboto Slab Light "),local("Roboto Slab-Light"),url(/fonts/roboto-slab-latin-300.woff2) format("woff2"),url(/fonts/roboto-slab-latin-300.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:400;src:local("Roboto Slab Regular "),local("Roboto Slab-Regular"),url(/fonts/roboto-slab-latin-400.woff2) format("woff2"),url(/fonts/roboto-slab-latin-400.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:500;src:local("Roboto Slab Medium "),local("Roboto Slab-Medium"),url(/fonts/roboto-slab-latin-500.woff2) format("woff2"),url(/fonts/roboto-slab-latin-500.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto 
Slab;font-style:normal;font-weight:600;src:local("Roboto Slab SemiBold "),local("Roboto Slab-SemiBold"),url(/fonts/roboto-slab-latin-600.woff2) format("woff2"),url(/fonts/roboto-slab-latin-600.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:700;src:local("Roboto Slab Bold "),local("Roboto Slab-Bold"),url(/fonts/roboto-slab-latin-700.woff2) format("woff2"),url(/fonts/roboto-slab-latin-700.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:800;src:local("Roboto Slab ExtraBold "),local("Roboto Slab-ExtraBold"),url(/fonts/roboto-slab-latin-800.woff2) format("woff2"),url(/fonts/roboto-slab-latin-800.woff) format("woff")}@font-face{font-display:swap;font-family:Roboto Slab;font-style:normal;font-weight:900;src:local("Roboto Slab Black "),local("Roboto Slab-Black"),url(/fonts/roboto-slab-latin-900.woff2) format("woff2"),url(/fonts/roboto-slab-latin-900.woff) format("woff")}@font-face{font-display:swap;font-family:Fira Code;font-style:normal;font-weight:300;src:local("Fira Code Light "),local("Fira Code-Light"),url(/fonts/fira-code-latin-300.woff2) format("woff2"),url(/fonts/fira-code-latin-300.woff) format("woff")}@font-face{font-display:swap;font-family:Fira Code;font-style:normal;font-weight:400;src:local("Fira Code Regular "),local("Fira Code-Regular"),url(/fonts/fira-code-latin-400.woff2) format("woff2"),url(/fonts/fira-code-latin-400.woff) format("woff")}@font-face{font-display:swap;font-family:Fira Code;font-style:normal;font-weight:500;src:local("Fira Code Medium "),local("Fira Code-Medium"),url(/fonts/fira-code-latin-500.woff2) format("woff2"),url(/fonts/fira-code-latin-500.woff) format("woff")}@font-face{font-display:swap;font-family:Fira Code;font-style:normal;font-weight:600;src:local("Fira Code SemiBold "),local("Fira Code-SemiBold"),url(/fonts/fira-code-latin-600.woff2) format("woff2"),url(/fonts/fira-code-latin-600.woff) 
format("woff")}@font-face{font-display:swap;font-family:Fira Code;font-style:normal;font-weight:700;src:local("Fira Code Bold "),local("Fira Code-Bold"),url(/fonts/fira-code-latin-700.woff2) format("woff2"),url(/fonts/fira-code-latin-700.woff) format("woff")}
/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}main{display:block}h1{font-size:2em;margin:.67em 0}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;-webkit-text-decoration:underline;text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:1px dotted ButtonText}fieldset{padding:.35em .75em .625em}legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal}progress{vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details{display:block}summary{display:list-item}[hidden],template{display:none}
/*! CC BY-SA 3.0 License | https://stackoverflow.com/a/36118384/1154965 */@keyframes blink{50%{opacity:0}to{opacity:1}}
/*! MIT License | github.com/schnerring/hugo-theme-gruvbox */:root[data-theme=dark]{--bg:var(--bg0);--bg0:#1a1b26;--bg0_h:#1d2021;--bg0_s:#32302f;--bg1:#181922;--bg2:#32344a;--bg3:#665c54;--bg4:#32344a;--fg:var(--fg1);--fg0:#a1a1a1;--fg1:#dddfeb;--fg2:#7da6ff;--fg3:#6a6c67;--fg4:#32344a;--gray1:var(--fg4);--gray2:#444b6a;--red1:#f7768e;--red2:#ff7a93;--green1:#9ece6a;--green2:#b9f27c;--yellow1:#e0af68;--yellow2:#ff9e64;--blue1:#63a8d3;--blue2:#63a8d3;--purple1:#ad8ee6;--purple2:#bb9af7;--aqua1:#449dab;--aqua2:#0db9d7;--orange1:#d65d0e;--orange2:#fe8019}:root{--primary:var(--blue1);--primary-alt:var(--blue2);--font-monospace:"Fira Code","Lucida Console",Monaco,monospace;--font-sans-serif:Verdana,Helvetica,sans-serif;--font-serif:"Roboto Slab",Georgia,serif}html{font-family:Roboto Slab,Georgia,serif;font-family:var(--font-serif);font-size:1rem;scroll-behavior:smooth}body{background:var(--bg);color:var(--fg);line-height:1.675;word-wrap:break-word}strong{letter-spacing:.35px}a{color:inherit;-webkit-text-decoration:none;text-decoration:none}a.link--external:after{content:"\2009↗"}img{border:2px solid var(--bg1);height:auto;max-width:100%}::-moz-selection{background:var(--bg4);color:var(--fg0)}::selection{background:var(--bg4);color:var(--fg0)}h1,h2,h3{color:var(--fg0);font-family:Fira Code,Lucida Console,Monaco,monospace;font-family:var(--font-monospace);font-weight:300;line-height:1.4}h1 code,h2 code,h3 code{font-size:1em}h2,h3{border-bottom:1px solid var(--bg1)}h1,h2{font-weight:400}h1{font-size:1.875rem}h2{font-size:1.75rem}h3{font-size:1.625rem}@media (min-width:768px){h1{font-size:2.375rem}h2{font-size:2rem}h3{font-size:1.75rem}}blockquote,code,pre{border-radius:.2rem;padding:0 .2em}pre code{padding:0}blockquote,code,pre{background:var(--bg1)}code,pre{font-family:Fira Code,Lucida Console,Monaco,monospace;font-family:var(--font-monospace)}code code{background:var(--bg2)}blockquote,pre{padding:1rem}pre{background:var(--bg1)!important;overflow:auto}pre 
code{background:none}blockquote,blockquote.twitter-tweet{border-left:5px solid var(--primary-alt);margin:.5rem 0}blockquote.twitter-tweet code,blockquote:not(.does-not-exist) code{background:var(--bg2)}blockquote.twitter-tweet p:first-of-type,blockquote:not(.does-not-exist) p:first-of-type{margin-top:0}blockquote.twitter-tweet p:last-of-type,blockquote:not(.does-not-exist) p:last-of-type{margin-bottom:0}blockquote.twitter-tweet{border-color:var(--blue2);color:inherit;font:inherit;font-size:inherit;line-height:inherit}blockquote.twitter-tweet a{color:var(--blue2)}blockquote.twitter-tweet a:hover{color:var(--blue1);-webkit-text-decoration:none!important;text-decoration:none!important}pre::-webkit-scrollbar{height:.5rem;scrollbar-width:auto}pre::-webkit-scrollbar-track{background:var(--bg2);border-radius:.2rem}pre::-webkit-scrollbar-thumb{background:var(--bg4);border-radius:.2rem}.layout{display:grid;grid-template-areas:"header" "main" "footer";grid-template-rows:auto 1fr auto;height:100vh}main{align-items:start;display:grid;grid-area:main;grid-template-areas:"empty content sidebar";grid-template-columns:2fr minmax(0,860px) 2fr}header{background:var(--bg1);grid-area:header}footer{grid-area:footer}footer,main{margin:.5em 1.1em}.content{grid-area:content}.sidebar{display:none;flex-direction:column;grid-area:sidebar;margin-top:3rem;position:sticky;top:2rem}@media (min-width:992px){.sidebar{display:flex}}header{display:grid;font-family:Fira Code,Lucida Console,Monaco,monospace;font-family:var(--font-monospace);font-size:1.125rem;grid-template-areas:"heading search nav theme-toggle";grid-template-columns:auto auto 1fr auto;padding:.75rem}.logo{color:var(--fg0);display:flex;font-weight:700;grid-area:heading}.logo:hover .logo__cursor{animation:blink 1s infinite;opacity:1}.logo__chevron,.logo__cursor{margin-left:.5rem}.logo__cursor{opacity:0}.logo__text{display:none}@media (min-width:768px){.logo__text{display:block}}.search{display:flex;grid-area:search;margin:0 
1rem}#search__text{background:var(--bg2);border:1px solid var(--bg2);border-radius:.2rem;caret-color:var(--fg);color:var(--fg);outline:none;padding:0 .5rem;width:100%}#search__text:hover{border-color:var(--bg3)}#search__text:focus{border-color:var(--bg4)}#search__text::-moz-placeholder{color:var(--fg1)}#search__text::placeholder{color:var(--fg1)}#search__text[type=search]::-webkit-search-cancel-button{-webkit-appearance:none;appearance:none}#search__suggestions{background:var(--bg);border-radius:.2rem;box-shadow:0 .5rem 1rem var(--bg1);font-family:Roboto Slab,Georgia,serif;font-family:var(--font-serif);left:0;margin-top:2rem;position:absolute;width:95vw;z-index:1000}@media (min-width:768px){.search{position:relative}#search__suggestions{width:60vw}}.search__suggestions--hidden{display:none}.search__suggestion-item{border-bottom:1px dashed var(--bg2);display:grid;grid-template-columns:1fr 2fr}.search__suggestion-item:focus,.search__suggestion-item:focus-visible,.search__suggestion-item:hover{background:var(--bg1);cursor:pointer;outline:none}.search__suggestion-item:last-child{border:none}.search__suggestion-description,.search__suggestion-title{margin:1rem 0;padding:0 1rem}.search__suggestion-title{font-weight:700}.search__suggestion-description{border-left:1px solid var(--bg2)}.search__no-results{padding:.75rem}nav#menu{align-items:center;display:flex;grid-area:nav;justify-content:flex-end}nav#menu .menu__item{color:var(--fg)}nav#menu .menu__item:hover{color:var(--fg3);cursor:pointer}nav#menu ul{list-style:none;margin:0;padding:0}nav#menu ul.menu--horizontal{align-items:center;display:none}nav#menu ul.menu--horizontal li{display:inline-block;margin:0 .75rem}@media (min-width:768px){nav#menu ul.menu--horizontal{display:flex}}nav#menu ul.menu--vertical{background:var(--bg1);bottom:0;margin:0;padding:3rem;position:fixed;right:0;top:0;transform:translate(100%);transition:transform .5s cubic-bezier(.9,0,.1,1);width:50%;z-index:10}nav#menu ul.menu--vertical 
.menu__item{color:var(--fg1)}nav#menu ul.menu--vertical .menu__item:hover{color:var(--fg3)}nav#menu .menu__burger{display:flex;height:24px;width:24px}nav#menu .menu__burger>*{position:absolute}nav#menu .menu__burger svg{height:inherit;width:inherit;z-index:20}nav#menu .menu__burger input{height:inherit;opacity:0;width:inherit;z-index:30}nav#menu .menu__burger input:checked~ul.menu--vertical{transform:none}nav#menu .menu__burger input:checked~svg{stroke:var(--fg1)}@media (min-width:768px){nav#menu .menu__burger{display:none}}.sidebar{font-family:Fira Code,Lucida Console,Monaco,monospace;font-family:var(--font-monospace);margin-left:auto;margin-right:auto;max-width:350px;padding-left:2.5rem}.sidebar svg{fill:var(--fg)}.content-section,.post{border-bottom:2px dotted var(--bg1);padding:0}.post img:not(figure img){box-sizing:border-box;margin:.5rem 0}.post-header{font-family:Fira Code,Lucida Console,Monaco,monospace;font-family:var(--font-monospace)}.post-content{margin:1.3rem 0}.content-section a,.post-content a,.post-header a{color:var(--blue2);color:var(--primary-alt)}.content-section a:hover,.post-content a:hover,.post-header a:hover{color:var(--blue1);color:var(--primary)}.post-heading__anchor{display:none}h1:hover .post-heading__anchor,h2:hover .post-heading__anchor,h3:hover .post-heading__anchor{display:inline-block}</style><link rel=preload href="/css/non-critical.713869c4c9bcaee5df59301fd32a5d831bdcc701104d142e54e1da442b7b0ed98ab0037e053dce4e3c73ef9b86b2e4d1cecf4444414cce6dc9e979de548736e0.css" as=style onload='this.onload=null,this.rel="stylesheet"'><link id=prism-dark rel=preload href=/prism-themes/prism-coldark-dark.min.5d581efbbe2b412b3b07c80ec0bc2ed68e36e559e8c6e1403b7179e099aec8354a8af1b894c53dd2539979e531625066b76efebf5dfbb5bf5ea0438872c28d54.css as=style onload='this.onload=null,this.rel="stylesheet"'><link id=prism-light rel=preload 
href=/prism-themes/prism-coldark-dark.min.5d581efbbe2b412b3b07c80ec0bc2ed68e36e559e8c6e1403b7179e099aec8354a8af1b894c53dd2539979e531625066b76efebf5dfbb5bf5ea0438872c28d54.css as=style onload='this.onload=null,this.rel="stylesheet"' disabled><noscript><link rel=stylesheet href=/prism-themes/prism-coldark-dark.min.5d581efbbe2b412b3b07c80ec0bc2ed68e36e559e8c6e1403b7179e099aec8354a8af1b894c53dd2539979e531625066b76efebf5dfbb5bf5ea0438872c28d54.css><link rel=stylesheet href="/css/non-critical.713869c4c9bcaee5df59301fd32a5d831bdcc701104d142e54e1da442b7b0ed98ab0037e053dce4e3c73ef9b86b2e4d1cecf4444414cce6dc9e979de548736e0.css"></noscript><script>(()=>{function e(e){let t=document.getElementById("prism-dark"),n=document.getElementById("prism-light");t.toggleAttribute("disabled",e==="light"),n.toggleAttribute("disabled",e==="dark")}function t(e){if(document.querySelector(".utterances-frame")){let n=document.querySelector(".utterances-frame");var t={type:"set-theme",theme:e=="dark"?"gruvbox-dark":"github-light"};n.contentWindow.postMessage(t,"https://utteranc.es")}}function n(n){document.documentElement.setAttribute("data-theme",n),e(n),t(n)}n("dark"),document.addEventListener("DOMContentLoaded",function(){document.querySelectorAll(".theme__toggle").forEach(e=>{e.addEventListener("click",toggleTheme)})})})()</script><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=manifest href=/site.webmanifest><link rel=mask-icon href=/safari-pinned-tab.svg color=#282828><meta name=msapplication-TileColor content="#282828"><meta name=theme-color content="#282828"></head><body><div class=layout><header><a class=logo href=/><div class=logo__text>davegallant.ca</div><div class=logo__chevron>></div><div class=logo__cursor></div></a><div class=search><input id=search__text type=search placeholder=Search... 
aria-label=Search autocomplete=off><div id=search__suggestions class=search__suggestions--hidden></div></div><nav id=menu><ul class=menu--horizontal><li class=menu__item><a href=/>Home</a></li><li class=menu__item><a href=/blog>Blog</a></li></ul><div class=menu__burger><input class=menu__item type=checkbox aria-label="Open main menu"><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-menu-2" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"/><path d="M4 6h16"/><path d="M4 12h16"/><path d="M4 18h16"/></svg><ul class=menu--vertical><li><a class=menu__item href=/>Home</a></li><li><a class=menu__item href=/blog>Blog</a></li></ul></div></nav></header><main><div class=content><article class=post><div class=post-header><h1>Using AKS and SOCKS to connect to a private Azure DB</h1><div class=post-meta><span>2023-05-22</span></div></div><div class=post-content><p>I ran into a roadblock recently where I wanted to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I&rsquo;d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I&rsquo;d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.</p><h2 id=go-public>Go Public?<a href=#go-public class=post-heading__anchor aria-hidden=true>#</a></h2><p>Should the database be migrated to public subnets? 
Ideally not, since it is good practice to host internal infrastructure in restricted subnets.</p><h2 id=how-do-others-handle-this>How do others handle this?<a href=#how-do-others-handle-this class=post-heading__anchor aria-hidden=true>#</a></h2><p>With GCP, connecting to a private db instance from any machine can be achieved with <a href=https://github.com/GoogleCloudPlatform/cloud-sql-proxy class=link--external target=_blank rel=noreferrer>cloud-sql-proxy</a>. This works by proxying requests from your machine to the SQL database instance in the cloud, while the authentication is handled by GCP&rsquo;s IAM.</p><p>So what about Azure? Is there any solution that is as elegant as cloud-sql-proxy?</p><h2 id=a-bastion>A Bastion<a href=#a-bastion class=post-heading__anchor aria-hidden=true>#</a></h2><p>Similar to what <a href=https://aws.amazon.com/blogs/database/securely-connect-to-an-amazon-rds-or-amazon-ec2-database-instance-remotely-with-your-preferred-gui/ class=link--external target=_blank rel=noreferrer>AWS has recommended</a>, perhaps a bastion is the way forward?</p><p>Azure has a fully-managed service called <a href=https://azure.microsoft.com/en-ca/products/azure-bastion class=link--external target=_blank rel=noreferrer>Azure Bastion</a> that provides secure access to virtual machines that do not have public IPs. This looks interesting, but unfortunately it <a href=https://azure.microsoft.com/en-ca/pricing/details/azure-bastion/#pricing class=link--external target=_blank rel=noreferrer>costs money</a> and requires an additional virtual machine.</p><p>Because this adds cost (and complexity), it does not seem like a desirable option in its current state. If it provided a more seamless connection to the database, it would be more appealing.</p><h2 id=socks>SOCKS<a href=#socks class=post-heading__anchor aria-hidden=true>#</a></h2><blockquote><p><strong>2023-12-13:</strong>
An alternative to using a SOCKS proxy is <a href=http://www.dest-unreach.org/socat/ class=link--external target=_blank rel=noreferrer>socat</a>. This would allow you to relay TCP connections to a pod running in k8s, and then port-forward them to your localhost.
If this sounds more appealing, install <a href=https://github.com/antitree/krew-net-forward/tree/master class=link--external target=_blank rel=noreferrer>krew-net-forward</a> and then run &ldquo;kubectl net-forward -i mydb.postgres.database.azure.com -p 5432 -l 5432&rdquo; to access the database through &ldquo;localhost:5432&rdquo;.</p></blockquote><p><a href=https://en.wikipedia.org/wiki/SOCKS class=link--external target=_blank rel=noreferrer>SOCKS</a> is a protocol that proxies connections by exchanging network packets between the client and the server through a proxy server. There are many implementations and many readily available container images that can run a SOCKS server.</p><p>It&rsquo;s possible to use this sort of proxy to connect to a private DB, but is it any simpler than using a virtual machine as a jumphost? It wasn&rsquo;t until I stumbled upon <a href=https://github.com/yokawasa/kubectl-plugin-socks5-proxy class=link--external target=_blank rel=noreferrer>kubectl-plugin-socks5-proxy</a> that I was convinced that using SOCKS could be made simple.</p><p>So how does it work? After installing the kubectl plugin, running <code>kubectl socks5-proxy</code> spins up a SOCKS proxy server in a pod and then opens a port-forwarding session to it using kubectl.</p><p>As you can see below, this k8s plugin is wrapped up nicely:</p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-console data-lang=console><span style=display:flex><span>$ kubectl socks5-proxy
</span></span><span style=display:flex><span>using: namespace=default
</span></span><span style=display:flex><span>using: port=1080
</span></span><span style=display:flex><span>using: name=davegallant-proxy
</span></span><span style=display:flex><span>using: image=serjs/go-socks5-proxy
</span></span><span style=display:flex><span>Creating SOCKS5 Proxy (Pod)...
</span></span><span style=display:flex><span>pod/davegallant-proxy created
</span></span></code></pre></div><p>With the above proxy connection open, it is possible to reach both the DNS names and the private IPs that are accessible from within the k8s cluster. In this case, I am able to access the private database, since there is network connectivity between the k8s cluster and the database.</p><h2 id=caveats-and-conclusion>Caveats and Conclusion<a href=#caveats-and-conclusion class=post-heading__anchor aria-hidden=true>#</a></h2><p>The solution outlined above makes some assumptions:</p><ul><li>there is a k8s cluster</li><li>the k8s cluster has network connectivity to the desired private database</li></ul><p>If these stars align, then this solution might work as a stopgap for accessing a private Azure DB (and I&rsquo;m assuming this could work similarly on AWS).</p><p>It would be nice if Azure provided tooling similar to cloud-sql-proxy, so that using private databases would be a more convenient experience.</p><p>One other thing to note is that some clients (such as <a href=https://dbeaver.io/ class=link--external target=_blank rel=noreferrer>dbeaver</a>) <a href=https://github.com/dbeaver/dbeaver/issues/872 class=link--external target=_blank rel=noreferrer>do not provide DNS resolution over SOCKS</a>. 
So in this case, you won&rsquo;t be able to use DNS as if you were inside the cluster, but instead have to rely on knowing private ip addresses.</p></div><script type=text/javascript src=https://storage.ko-fi.com/cdn/widget/Widget_2.js></script><script type=text/javascript>kofiwidget2.init("Buy me a coffee","#32344a","F1F2S4LWI"),kofiwidget2.draw()</script><br><br><section id=comments class=comments><div class='container sep-before'><div class=comments><script>let theme="dark-blue",script=document.createElement("script");script.src="https://utteranc.es/client.js",script.setAttribute("repo","davegallant/site"),script.setAttribute("issue-term","pathname"),script.setAttribute("theme",theme),script.setAttribute("crossorigin","anonymous"),script.setAttribute("async",""),document.querySelector("div.comments").innerHTML="",document.querySelector("div.comments").appendChild(script)</script></div></div></section></article></div><div class=sidebar></div></main><footer><div class=copyright>Dave Gallant</div></footer><script src=/js/main.c26c1b7b76f4923d8125720886ede9ca08bfe20b924683914ba4c1c35d53667c6c2d764f5482d3860d36b9e58a50255bc22a03ff145555979852c5ec74f15e51.js></script><script src=/js/flexsearch.95f8339f006f50d03b13d2990a2d82bfebb8ff305eb82244913e22ae43e3d6d28dc5fcfc69cb344bcc7824e30c6f1bbf6af6c2e49d8878378fc6040e70a51571.js></script><script defer src=https://static.cloudflareinsights.com/beacon.min.js data-cf-beacon='{"token": "b96799f53f9940dca6f660e6052ba009"}'></script><script async src="https://www.googletagmanager.com/gtag/js?id=G-V8WJDERTX9"></script><script>var doNotTrack=!1;if(!doNotTrack){window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-V8WJDERTX9",{anonymize_ip:!1})}</script></div></body></html>
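The DNS caveat above comes down to which address type a client puts in its SOCKS5 CONNECT request. This added Python example (not part of the original post) encodes and decodes that request per RFC 1928 and models a client with and without remote DNS; the private IP `10.0.0.4`, both DNS tables and all function names are constructed for illustration.

```python
"""SOCKS5 CONNECT requests (RFC 1928): who resolves the database hostname?"""
import ipaddress
import struct

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

DB_HOST = "mydb.postgres.database.azure.com"   # hostname used in the post
CLUSTER_DNS = {DB_HOST: "10.0.0.4"}            # constructed: cluster-side view
LAPTOP_DNS = {}                                # constructed: no private record


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_connect(host, port):
    """Encode a CONNECT request; a hostname is sent as-is for the proxy to resolve."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if _is_ip(host):
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    else:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(request):
    """Decode a CONNECT request and report which side did the DNS lookup."""
    if len(request) < 5 or request[0] != VER or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        start, size = 5, request[4]          # one length byte, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, size = 4, 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    raw, rest = request[start:start + size], request[start + size:]
    if size == 0 or len(raw) != size or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    if atyp == ATYP_DOMAIN:
        host, resolved_by = raw.decode("ascii"), "proxy"
    else:
        host, resolved_by = str(ipaddress.ip_address(raw)), "client"
    return {"host": host, "port": struct.unpack("!H", rest)[0],
            "resolved_by": resolved_by}


def client_request(host, port, remote_dns, local_dns):
    """Model a client: with remote DNS the name is forwarded untouched;
    without it the client must resolve the name itself before connecting."""
    if remote_dns or _is_ip(host):
        return build_connect(host, port)
    if host not in local_dns:
        raise LookupError(f"{host} has no record outside the private network")
    return build_connect(local_dns[host], port)


def proxy_dial_target(request, cluster_dns):
    """What the in-cluster proxy dials: names are resolved with cluster DNS."""
    req = parse_connect(request)
    host = req["host"]
    if req["resolved_by"] == "proxy":
        host = cluster_dns[host]
    return host, req["port"]


if __name__ == "__main__":
    for remote_dns, host in ((True, DB_HOST), (False, "10.0.0.4")):
        req = client_request(host, 5432, remote_dns, LAPTOP_DNS)
        print(parse_connect(req), "->", proxy_dial_target(req, CLUSTER_DNS))
```

A client that sends the domain address type lets the pod's resolver see private records; one that resolves locally only works when given the private IP directly.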