1

Environment

  1. ASPNET MVC App running on docker
  2. Docker image: microsoft/aspnet:4.7.2-windowsservercore-1803 running on Docker-for-Windows on Win10Ent host
  3. SQL Server running on AWS EC2 in a private subnet
  4. VPN Connection to subnet

Background

The application is able to connect to the database when the VPN is activated, and everything works fine. However, when the app runs on Docker, the underlying connection to the database is refused. Since the database is in a private subnet, the VPN is needed to connect. I am able to ping the database server as well as the general internet successfully from the command prompt launched inside the container, thus underlying networking is working fine.

Configuration

Dockerfile

FROM microsoft/aspnet:4.7.2-windowsservercore-1803
ARG source
WORKDIR /inetpub/wwwroot
COPY ${source:-obj/Docker/publish} .

Docker Compose

version: '3.4'

services:
  myWebApp:
    image: ${DOCKER_REGISTRY}myWebApp
    build:
      context: .
      dockerfile: Dockerfile

The network entry is removed as NAT is mapped to Ethernet and I am running on WiFi thus having it disabled.

SQL Connection string (default instance on def port)

"Data Source=192.168.1.100;Initial Catalog=Admin;Persist Security Info=True;User ID=admin;Password=WVU8PLDR" providerName="System.Data.SqlClient"

Local network configuration

[Image: Local network configuration]

Ping status

[Image: Ping status for db server and google]

Let me know what needs to be fixed. Any environment or configuration-specific information can be provided.

6
  • Looks like your networking is the problem: the Docker network doesn't use the VPN as the default route, so you can't connect to the database. To check it, set a test database as publicly accessible in AWS RDS and try to connect your application to this one. Commented Oct 30, 2019 at 12:39
  • @Isparia I can ping to the db server only with the VPN connected, once it disconnects, can no longer ping. Is there a way I can fetch my network config and post out here? Commented Oct 30, 2019 at 12:42
  • ping is only half of it. Use TELNET to check the port is open. Please post the actual error message you get for underlying connection to database is refused. Commented Oct 30, 2019 at 13:01
  • The port (and other connectivity) is open as I can otherwise connect using sql enterprise manager and apps not running on docker. If docker is able to send packet out via the sole network enabled (and VPN'ised), it should be able to connect to server also. Commented Oct 30, 2019 at 13:06
  • Any solution to that? I have the same issue now. Thanks Commented Jan 7, 2020 at 7:28

1 Answer

2

After multiple iterations of different ways to address this issue, we finally figured out the solution which we incorporated in our production environment.

The SQL Server primary instance was in a private subnet, hence it cannot be accessed from any application outside the subnet. The SQL Enterprise manager and other apps living on local machines are able to access it via VPN as the OS tunnels that traffic to the private network. However, since docker cannot join the VPN network easily (would be too complicated, may not be actually impossible), we need to figure out a possible solution.

For this, we set up a Reverse Proxy on the private subnet, which lives on the public IP, hence accessible via the public Internet. This server has permission granted in the underlying security group setting to talk to the SQL Server (port 1433 being opened to the private IP).

So the application running on docker calls the IP of the Reverse Proxy, which in turn routes it to the SQL Server. There's a cost of one additional hop involved here, but that's something we gotta live with.

Let me know if anyone can figure out a better design. Thanks
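
The port check suggested in the comments, as an added example that is not part of the original posts: a PowerShell function to run inside the Windows container that tells a refused TCP connection apart from a timeout on port 1433. The function name `Test-TcpPort` and the `<reverse-proxy-ip>` placeholder are assumptions; 192.168.1.100 is the address from the question's connection string.

```powershell
# Added example, not from the original post. Run inside the container:
#   docker exec -it <container-id> powershell
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 1433,        # SQL Server default instance port
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = 'Unknown'
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout and throws if the connect failed.
        if ($task.Wait($TimeoutMs)) { $result = 'Open' } else { $result = 'TimedOut' }
    } catch {
        # Unwrap MethodInvocationException -> AggregateException -> SocketException.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            $result = $inner.SocketErrorCode.ToString()   # e.g. ConnectionRefused
        } else {
            $result = $inner.GetType().Name
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Host = $HostName; Port = $Port; Result = $result }
}

# 192.168.1.100 is the address in the question's connection string.
# '<reverse-proxy-ip>' is a placeholder for the proxy described in the answer.
$targets = @('192.168.1.100', '<reverse-proxy-ip>')
$targets | ForEach-Object { Test-TcpPort -HostName $_ } | Format-Table -AutoSize

# Reading the Result column:
#   Open              - TCP handshake completed; any remaining failure is at the
#                       SQL login/TLS layer, not routing.
#   ConnectionRefused - a reset came back: the host, or a device in the path,
#                       actively rejected the connection on that port.
#   TimedOut          - no reply; packets are dropped or not routed (route table,
#                       security group, firewall).
```

A successful ping only shows that ICMP is routed; this check exercises the same TCP path that `System.Data.SqlClient` uses.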
