MohamedAmr-DevOps

Hashicorp Boundary with Azure SQL Server

In this post we use HashiCorp Boundary to connect to an Azure SQL Database that has public network access disabled and is reachable only through a private endpoint.

How it works

It is quite simple. The client connects to the HashiCorp Boundary (HCP) cluster, which holds the control plane. The session is then routed through one of your self-managed worker nodes, and the worker opens the final TCP connection to the target. In our case the worker sits inside the Azure VNet that contains the SQL Server private endpoint, so the database never needs a public address.


Pre-Requisites

  • HCP Boundary cluster
  • Azure account
  • SQL Server Management Studio (SSMS) installed on your desktop
  • HashiCorp Boundary client

Steps

  • Create Azure SQL Server
  • Create Azure VNET
  • Create SQL Server private endpoint
  • Create Hashicorp Boundary worker node
  • Create Hashicorp Boundary target
  • Test from SQL Server Management Studio

Create Azure SQL Server

  • Open the Azure portal
  • Search for SQL Server
  • Click Create

  • Choose SQL authentication and set a server admin login and password. This account is the SQL admin, so keep the password in a secrets store rather than in scripts or notes.

  • In Networking, leave "Allow Azure services and resources to access this server" unchecked. That option opens the server firewall to any resource running in Azure, not only yours, and the whole point of this setup is that the database is reachable only through the private endpoint.

  • Keep the rest of the options at their defaults, then Review + create.

Create Azure VNET
After creating the SQL Server we need an Azure virtual network. The private endpoint for the database and the Boundary worker VM will both live in this VNet, which is how the worker reaches the database without any public exposure.

  • Open Azure Virtual networks and create a new VNet
  • Give it a name. The only thing to be aware of is the address space, which we leave at the default 10.0.0.0/16; the private endpoint and the worker VM get their addresses from this range.

Create SQL Server private endpoint
At this point the SQL Server exists but is not reachable from anywhere: public access is off and there is no private path yet. We confirm that public access is disabled and then create a private endpoint so the server can be reached over Private Link from inside the VNet.

  • Open the SQL Server you created
  • Go to "Show networking settings"
  • Confirm that public network access is disabled
  • Go to Private access and choose "Create a private endpoint"
  • Fill in the basics (resource group, name, region)
  • On the Virtual Network tab, choose the VNet we created above
  • The most important step is the DNS tab: integrate with a private DNS zone. Leave the default, since we have not created a zone before. Azure then creates the privatelink.database.windows.net zone, links it to the VNet and adds an A record for the endpoint, so from inside the VNet the server's public FQDN resolves to the private endpoint IP instead of the public gateway address.
  • Review and create

After this completes you have a VNet, a SQL Server and a private endpoint linked to that server. The next step is a machine that can connect to the SQL Server; it has to be part of the same VNet.
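A quick way to verify the DNS integration from a VM in the VNet, rather than only checking that port 1433 answers: resolve the server name and confirm the address falls inside the VNet's address space. This is an added example, not code from the original post; the server name and the 10.0.0.0/16 address space are the ones used above, and `getent` is assumed to be available, as it is on Ubuntu.

```bash
#!/usr/bin/env bash
# Check that the SQL Server FQDN resolves to an address inside the VNet's
# address space. If it resolves to a public IP, private DNS zone integration
# is not working and traffic would head for the public gateway, which is closed.
set -euo pipefail

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <network/bits>: exit 0 if the IP lies inside the CIDR block.
ip_in_cidr() {
  local ip=$1 cidr=$2
  local net=${cidr%/*} bits=${cidr#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# resolve_first <fqdn>: first IPv4 address the system resolver returns, or empty.
resolve_first() {
  getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# check_private_resolution <fqdn> <vnet-cidr>: exit 0 only if the name resolves
# to a private-endpoint address within the VNet; exit 1 otherwise.
check_private_resolution() {
  local fqdn=$1 cidr=$2 ip
  ip=$(resolve_first "$fqdn" || true)
  if [ -z "$ip" ]; then
    echo "$fqdn did not resolve at all" >&2
    return 1
  fi
  if ip_in_cidr "$ip" "$cidr"; then
    echo "$fqdn -> $ip (inside $cidr, private endpoint in use)"
    return 0
  fi
  echo "$fqdn -> $ip (outside $cidr: private DNS zone not linked to this VNet?)" >&2
  return 1
}

# Usage on the worker VM, with the values from this post:
#   check_private_resolution boundary-test-database.database.windows.net 10.0.0.0/16
```

If the name resolves to a public address from the VM, the private DNS zone is not linked to the VNet the VM lives in; the public FQDN should CNAME to the privatelink.database.windows.net name, and that zone must answer from inside the VNet.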

Create Hashicorp Boundary worker node
Now we need a worker node that the HCP cluster routes sessions through in order to reach the target database. Installing and starting the Boundary worker is enough on the software side, but the worker registers itself with the HCP cluster and session traffic from your client is proxied through the worker's own listener on port 9202, so the worker needs a public IP with TCP 9202 allowed inbound. Restrict that NSG rule to the source ranges your clients actually use rather than the whole Internet.

  • Go to Create a virtual machine. For testing, a small size is fine. The important thing is to place it inside the VNet we just created, so that it resolves and reaches the SQL Server through the private endpoint.

  • After filling in all details, review and create

  • Once the VM is created, log in and confirm it can reach the database. We install the SQL Server command-line tools to test with.

  • Also allow inbound TCP port 9202 in the VM's network security group. This is the worker's proxy port; Boundary sessions through this worker are established on it.

  • Run the commands below on the worker VM to confirm you can connect to the Azure SQL database from this node.

```bash
## nc the database server to confirm that port 1433 is reachable through the private endpoint
nc -zv boundary-test-database.database.windows.net 1433
## This should work; if it does not, check the previous steps or comment on the post

## Install the SQL Server CLI tools from Microsoft's apt repo (here for Ubuntu 20.04;
## adjust the release in the URL to match your VM)
curl https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list | sudo tee /etc/apt/sources.list.d/mssql-release.list
sudo apt-get update
## ACCEPT_EULA=Y is required for a non-interactive install of mssql-tools18
sudo ACCEPT_EULA=Y apt-get install -y mssql-tools18 unixodbc-dev
echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> ~/.bash_profile
echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> ~/.bashrc
source ~/.bashrc

## Read the SQL admin password into sqlcmd's SQLCMDPASSWORD variable instead of passing -P,
## so it does not end up in shell history or in the process list
read -rs -p "SQL admin password: " SQLCMDPASSWORD && export SQLCMDPASSWORD
sqlcmd -S boundary-test-database.database.windows.net -d master -U boundary -Q "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES"
## This should return a row count from the database; if it does not, check the steps above
```
  • Now that the above commands work, install the worker software
  • Go to the HCP Boundary portal and choose Open Admin UI

  • After logging in, go to Workers, then click New
  • You need to provide
    • the worker's public IP
    • the config file path on the worker
    • tags (we use name = boundary; the target's ingress worker filter selects workers by this tag later)

  • This gives you the steps to perform

  • Execute these steps on the worker node


  • In my case I got this error, but fixed it by running `sudo ./boundary` instead of `./boundary`:

```text
Error initializing worker: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Boundary uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Boundary from using it. To disable Boundary from using it,
set the `disable_mlock` configuration option in your configuration
file.
```
  • The Boundary worker starts and prints a worker auth registration request token; paste it into the New worker page in the HCP Boundary admin UI

  • Once the registration is accepted, the new worker appears in the list of your current workers

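Running the worker under sudo is the quick fix for the mlock error above, but it leaves a network-facing proxy running as root. The usual alternative is a dedicated unprivileged user plus the CAP_IPC_LOCK capability granted by systemd, which is all mlock needs. The script below writes a worker config and a systemd unit that do this. It is an added example, not code from the original post or from HashiCorp; the cluster ID, public IP, the paths /etc/boundary.d, /var/lib/boundary and /usr/local/bin/boundary, and the `boundary` system user are assumptions, and the tag name = boundary matches the ingress filter used for the target later in this post.

```bash
#!/usr/bin/env bash
# Generate an HCP Boundary worker config and a hardened systemd unit.
# Assumed layout: binary at /usr/local/bin/boundary, config in /etc/boundary.d,
# auth storage in /var/lib/boundary, service user "boundary".
set -euo pipefail

# write_worker_config <out-dir> <hcp-cluster-id> <public-ip>
# Writes <out-dir>/worker.hcl. mlock stays enabled; the unit grants CAP_IPC_LOCK.
write_worker_config() {
  local out_dir=$1 cluster_id=$2 public_ip=$3
  mkdir -p "$out_dir"
  cat > "$out_dir/worker.hcl" <<EOF
# HCP Boundary cluster this worker registers with (assumed value, taken from the HCP portal)
hcp_boundary_cluster_id = "$cluster_id"

# Proxy listener: clients reach the worker here, so 9202/tcp must be allowed inbound
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  # Address advertised to clients; must be reachable from where you run the Boundary client
  public_addr = "$public_ip:9202"
  # Where the worker keeps its PKI credentials after registration (assumed path)
  auth_storage_path = "/var/lib/boundary/worker"
  # Matched by the target's ingress worker filter: "boundary" in "/tags/name"
  tags {
    name = ["boundary"]
  }
}
EOF
  chmod 0640 "$out_dir/worker.hcl"
}

# write_systemd_unit <out-dir>
# Writes <out-dir>/boundary-worker.service: runs as the boundary user with only
# CAP_IPC_LOCK, which is all mlock needs, instead of running the worker as root.
write_systemd_unit() {
  local out_dir=$1
  mkdir -p "$out_dir"
  cat > "$out_dir/boundary-worker.service" <<'EOF'
[Unit]
Description=HashiCorp Boundary worker
Wants=network-online.target
After=network-online.target

[Service]
User=boundary
Group=boundary
ExecStart=/usr/local/bin/boundary server -config=/etc/boundary.d/worker.hcl
# Grant only the capability mlock needs; everything else is dropped
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
LimitMEMLOCK=infinity
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on the worker VM (run as root once; the service itself runs unprivileged):
#   useradd --system --home /var/lib/boundary --shell /usr/sbin/nologin boundary
#   mkdir -p /var/lib/boundary && chown boundary:boundary /var/lib/boundary
#   write_worker_config /etc/boundary.d <cluster-id> <public-ip>
#   chown root:boundary /etc/boundary.d/worker.hcl
#   write_systemd_unit /etc/systemd/system
#   systemctl daemon-reload && systemctl enable --now boundary-worker
#   journalctl -u boundary-worker   # shows the Worker Auth Registration Request token to paste into the admin UI
```

The config keeps mlock on rather than setting `disable_mlock = true`; the unit supplies the one capability mlock requires and drops the rest, so a compromise of the worker process does not hand over root on the VM.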

Create Hashicorp Boundary target
The last step is to create the database target.

  • Go to Targets and click "New Target"
  • Choose a name for the target
  • Target address ==> "boundary-test-database.database.windows.net". Use the FQDN rather than the private endpoint IP: the worker resolves it through the private DNS zone, and the client will present the same name to SQL Server.
  • Default port and default client port ==> 1433
  • Ingress worker filter ==> "boundary" in "/tags/name". This pins sessions for this target to workers tagged name = boundary, i.e. the worker we placed in the VNet.


Now that the target exists, the last step is to test it.

  • Open the Boundary client and authenticate
  • You should now see the target you created
  • Add this line to your hosts file: 127.0.0.1 boundary-test-database.database.windows.net. The Boundary client listens on 127.0.0.1 and forwards to the target through the worker; the hosts entry lets SSMS connect to that local listener while still using the real server name, so TLS certificate validation against the *.database.windows.net certificate succeeds. Remove the entry when you are done, otherwise the name keeps pointing at localhost.
  • Connect from SSMS to boundary-test-database.database.windows.net,1433 with the SQL admin login.
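The same test from a Linux or macOS desktop with the boundary CLI and sqlcmd instead of SSMS, as an added example that is not part of the original post. The target name, the project scope name and the use of the admin login are assumptions; `BOUNDARY_ADDR` and a prior `boundary authenticate` are assumed too. The hosts-file helpers take a file path, so they can be tried on a scratch file before touching /etc/hosts.

```bash
#!/usr/bin/env bash
# Open a Boundary session to the Azure SQL target and verify it with sqlcmd.
# Assumed: boundary CLI already authenticated, BOUNDARY_ADDR set to the HCP
# cluster URL, mssql-tools18 installed locally, run as root (edits /etc/hosts).
set -euo pipefail

SQL_FQDN="boundary-test-database.database.windows.net"
TARGET_NAME="${TARGET_NAME:-azure-sql}"     # assumed target name from the admin UI
SCOPE_NAME="${SCOPE_NAME:-boundary-test}"   # assumed project scope name

# hosts_entry_remove <hosts-file> <hostname>: drop lines whose host column matches exactly
hosts_entry_remove() {
  local file=$1 host=$2 tmp
  tmp=$(mktemp)
  awk -v h="$host" '
    /^[[:space:]]*#/ { print; next }   # keep comment lines untouched
    { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0 }
    keep' "$file" > "$tmp"
  cat "$tmp" > "$file"   # rewrite in place, keeping the original inode and permissions
  rm -f "$tmp"
}

# hosts_entry_set <hosts-file> <ip> <hostname>: idempotently point hostname at ip
hosts_entry_set() {
  local file=$1 ip=$2 host=$3
  hosts_entry_remove "$file" "$host"
  printf '%s %s\n' "$ip" "$host" >> "$file"
}

# wait_for_port <host> <port> <tries>: poll once a second until something listens
wait_for_port() {
  local host=$1 port=$2 tries=$3
  while [ "$tries" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# run_session_test [hosts-file]: start the local listener, override DNS for the FQDN,
# run a query that shows who we are and whether TLS is on, then undo the override.
run_session_test() {
  local hosts=${1:-/etc/hosts} pid
  # Bind only to loopback: nothing else on the LAN should be able to use this tunnel.
  boundary connect -target-name "$TARGET_NAME" -target-scope-name "$SCOPE_NAME" \
    -listen-addr 127.0.0.1 -listen-port 1433 &
  pid=$!
  # Restore the hosts file and close the session however this function exits.
  trap 'hosts_entry_remove "$hosts" "$SQL_FQDN"; kill "$pid" 2>/dev/null || true' EXIT
  wait_for_port 127.0.0.1 1433 15
  hosts_entry_set "$hosts" 127.0.0.1 "$SQL_FQDN"
  # Password comes from SQLCMDPASSWORD in the environment, not the command line.
  sqlcmd -S "$SQL_FQDN,1433" -d master -U boundary \
    -Q "SELECT @@SERVERNAME, SUSER_NAME(), encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
}

# Usage (as root, after sourcing this file):
#   read -rs -p "SQL admin password: " SQLCMDPASSWORD && export SQLCMDPASSWORD
#   run_session_test
```

The query's `encrypt_option` column should come back TRUE: Boundary proxies the TCP stream and does not terminate TLS, so the TDS session is still encrypted end to end between sqlcmd (or SSMS) and SQL Server, and the worker never sees the SQL credentials in the clear.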
