Why is the database on a public subnet? about moodle HOT 9 CLOSED

My understanding is that it has been always the case, and being addressed by the Virtual Network Service Endpoints. It wasn't available on the region I wanted with Azure SQL when I needed earlier, but it seems like at least Azure SQL is available as preview for this feature in all regions. Not sure when MySQL & Postgres will be supported.

from moodle.

OK, so it's a "feature" not a "bug" I'll change the labels and drop to P1 as it seems we can't do anything about it right now.

from moodle.

Still, I think the template should be enhanced so that the database endpoint IP is not exposed to world (0.0.0.0-255.255.255.255), which is the current DB firewall setting. I'm not sure, though, how easy it would be to pass the obtained public IP of the load balancer to the firewall rule.

from moodle.

This was closed due to a commit message that said it "partially fixes", so re-opening.

@hosung having "fixes #issue_number" in a commit message will close the issue, so if it is a partial fix you need a different note (e.g. "applies to #" or something similar)

from moodle.

I know that, but I personally think that tightening up the firewall to the only public IPs from a deployed cluster is really enough for us, at least for now. Besides, the vnet service endpoint for MySQL/PostgreSQL won't come any time soon. Leaving this open is just fine with me anyway. We probably should fix the diagram to not confuse customers with strange terms like "public subnet".

from moodle.

OK, so it's not a "partial fix"? I only re-opened because of the word "partial". Happy to close again.

from moodle.

I said it's "partial" in that the issue statement is "Why the database is on a public subnet?" and this fix doesn't move the DB to the private vnet using the Azure vnet service endpoints feature (which is not available for Azure MySQL/PostgreSQL for now). It still configures the DB on an Azure public IP (we really don't have a separate public subnet in our deployment), but all access to the DB is rejected except for our 2 public IP addresses (from the VMSS load balancer and the controller VM).

from moodle.

@hosungsmsft VNET Service endpoints for MySQL and PostgreSQL are now in preview - https://azure.microsoft.com/en-us/blog/vnet-service-endpoints-for-azure-database-services-for-mysql-and-postgresql-in-preview/

Should we reopen this issue? Think it might be a good one for the community to address.

from moodle.

@hosungsmsft Just an FYI - VNet Service endpoints are now GA in case this work is still planned. Currently there is no open issue for this in case we want to reopen this.

from moodle.