This is a part of series “Stairway to being an Azure SQL DBA“, where I will be covering all the topics that an Azure SQL DBA should know about.
Azure SQL Database, by default, is a service which exist on Azure Network backbone which makes it accessible over Internet and can be connected once the IP is whitelisted from the Security tab of the SQL Server or via T-SQL. As it is not tied to any Virtual Network (VNet) there isn’t any private IP assigned to it.
For your On-Premise machine to connect with the Azure SQL Server, VM has to have it’s public IP whitelisted, check my other blog Network Configuration For Azure SQL Database. The important thing to consider is if you have multiple VMs or users that need to connect to your Azure SQL Database then you need to whitelist all the IPs for the users/VM connecting to the Azure SQL database.
Private Endpoint for Azure SQL Database can help you out in this scenario. Creating a Private Endpoint inside a VNet in Azure, the Azure SQL Database will be assigned a private IP address from that VNet address space making it available to any VM/Application/User inside that VNet or any traffic that can flow from the VNet. Below is an example of using Private Endpoint Connection to connect to the Azure SQL Database from On-premise environment without white-listing the IPs.
Configuring Private Endpoint Connections
To configure Private Endpoint connection the first thing to do is create an Private Endpoint. You can create one by either searching for it in the Azure Portal search bar at the top or directly from SQL Server resource in the portal. The option for creating Private endpoint is available inside the Private endpoint connection under the security section.
When you select to add new Private Endpoint, in the first tab you need to provide the name and the Region which should be same as region of the Virtual Network.
In the Resource tab you need to firstly mention the Connection method which is where does your resource exist. It could be in the same AAD where you are creating your endpoint or a resource in some other AAD, in which case you need to provide the Resource ID. For this demo we are creating the endpoint in the same Active Directory.
For the resource in the same directory you need to choose the subscription, Resource type and then the Resource.
In the next “Configuration” tab you need to choose the VNet in which you are creating this Endpoint it’s SQLDBVNET-EUS in the first pic.
Apart from the VNet you also need to provide the Private DNS integration which will resolve to the Private IP Address allocated to the resource for which we are creating the Private Endpoint.
In the next tab “Tags”, the most important of all the tags PLEASE choose an appropriate tag to better manage the resource after it’s build. It’s a “please” on-behalf of all the Azure Administrators out there. It actually becomes difficult to track down the resources not having appropriate Tags.
Once you chosen the Tags in the tab “Review + Create” review if everything is as it supposed to be, might be, you have not chosen a SQL Server which was not supposed to be inside a VNet. You may never now.
Note: If you are create point as per the above method you dont need to Approve the usage of the Endpoint as it gets auto-approved but if you are creating the Private Endpoint first then you need to approve the usage of the Private endpoint from the “Private endpoint connections”.
Pricing for Azure Private Link
The important thing to note here is using this feature is not free, each Private Endpoint and the Inbound/Outbound data are charged.
The Azure Private Endpoint helps in securing the connections coming to your Azure SQL Database when used we can deny the public network access for the Azure SQL Server (see below) and just make it available from a specific VNet using DNS or the Private IP.