Private endpoint has listening restrictions?

Robert Ellis 1 Reputation point
2021-05-02T20:24:47.88+00:00

I'm experiencing some deeply frustrating issues when trying to connect to a SQL Server Private Endpoint. Setting aside for a moment a complete specification of the problem, I'd like answers to the following questions:

Is it the case that a SQL Server Private Endpoint will only listen to connections from an Azure Virtual Machine? I have seen it suggested by third parties that this is the case but cannot find this explicitly documented by MS. (To clarify, if only VMs can connect, then this would mean, for example, that an Azure Load Balancer could not use a Private Endpoint as a backend resource; and, for example, that an on-premises VM could not connect to a Private Endpoint through a VPN. Is that correct?)

Presuming the answer to the above question is Yes, then does the restriction apply such as to prevent Private Endpoint from listening to connections forwarded from an Azure VM interface?
(For example, say a firewall in a VM in Azure. Inside the firewall VM, the IP 192.168.0.10 is configured. In Azure, the VM interface is associated with only a single IP address which is IP 192.168.0.6. In this scenario, the firewall VM will respond to ARP requests with ARP responses saying "I have 192.168.0.10", but 192.168.0.10 is not associated by Azure configuration with any Azure virtual network interface. In said case, will a connection to the Private Endpoint using source address 192.168.0.10 work? Or is it the case that the PE will listen for connections only with a source address 192.168.0.6?)

Tags: Azure SQL Database, Azure Virtual Network, Azure Private Link

1 answer
msrini-MSFT 9,256 Reputation points Microsoft Employee
2021-05-05T11:56:54.743+00:00

Hi RobertEllis-7486,

You can connect to the PE from a VM, VMSS, on-prem (provided you have IP connectivity to the VNET where the PE is deployed) and also a few PaaS services like Web App, ASE, etc.

Currently there are no restrictions at the PE end, as NSG support for PEs is not yet available.

In order for your setup to work, you need to check the steps below:

1. Is your PE deployment complete? Is it in the Succeeded state?
2. Is your PE connection to SQL approved?
3. When you do an nslookup from the source to the SQL FQDN, are you getting the private IP address of your PE?
4. PE only works on TCP, so ICMP and ARP packets will fail. Test using TCP port 1433 with any layer 4 connectivity tool and let me know the results.
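Steps 3 and 4 of the answer (confirm the SQL FQDN resolves to the PE's private IP, then probe TCP 1433 instead of pinging) can be scripted. The following is an added example, not code from the thread or from Microsoft; the FQDN, subnet and addresses in it are constructed placeholders.

```python
"""Private Endpoint reachability checks for an Azure SQL FQDN.

Added example: scripts the answer's DNS check (step 3) and TCP probe
(step 4).  The FQDN, subnet and addresses used here are placeholders.
"""
import ipaddress
import socket
from typing import Callable, Tuple

Resolver = Callable[[str], str]


def resolves_to_private_ip(fqdn: str, pe_subnet: str,
                           resolver: Resolver = socket.gethostbyname) -> Tuple[str, bool]:
    """Step 3: resolve the SQL FQDN and confirm the answer sits inside the
    subnet hosting the PE NIC.  A public address here means the client is not
    using the privatelink DNS zone and will reach the public gateway, not the
    PE.  Returns (resolved_ip, ok); ok is False when resolution fails."""
    try:
        ip = resolver(fqdn)
    except OSError:
        return "", False
    addr = ipaddress.ip_address(ip)
    ok = addr.is_private and addr in ipaddress.ip_network(pe_subnet, strict=False)
    return ip, ok


def tcp_reachable(ip: str, port: int = 1433, timeout: float = 3.0) -> bool:
    """Step 4: a PE only forwards TCP, so test with a TCP handshake rather
    than ICMP.  True only when the three-way handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_private_endpoint(fqdn: str, pe_subnet: str, port: int = 1433,
                           resolver: Resolver = socket.gethostbyname) -> dict:
    """Run both checks in the answer's order and report which one failed."""
    ip, dns_ok = resolves_to_private_ip(fqdn, pe_subnet, resolver)
    result = {"resolved_ip": ip, "dns_ok": dns_ok, "tcp_ok": False}
    if dns_ok:  # no point probing TCP if DNS already sends us to the public gateway
        result["tcp_ok"] = tcp_reachable(ip, port)
    return result


if __name__ == "__main__":
    # Constructed placeholders: substitute your server FQDN and PE subnet.
    print(check_private_endpoint("myserver.database.windows.net", "10.1.0.0/24"))
```

Run it from the source machine (VM, firewall VM or on-prem host); a `dns_ok` of False points at DNS zone linkage, while `dns_ok` True with `tcp_ok` False points at routing, approval state or the PE deployment itself.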