Hi I am using AKS on Azure which is communicating with Azure SQL and Key Vault, I want that I disable public access and only use private endpoint but, when I enable private endpoint on SQL I cant see VNet of AKS in the list, same goes for Key Vault as well. Please guide on how private endpoint can be enabled?

Hello Najam ul Saqib , Welcome to the Microsoft Q&A and thank you for posting your questions here. I understand that you would like to enable private endpoint between AKS and Azure SQL & Key Vault. You have started a good job; these are the prerequisites and one of these might be missing: An Azure virtual network (VNet) where your AKS cluster resides. A subnet within the virtual network. Owner or contributor permissions for both the Azure SQL database and the virtual network. The private endpoint and virtual network must be in the same region. AKS and SQL in the same region and Azure Key Vault and AKS in the same region. If you have the above in place, then disable public access for the Azure SQL database, and continue by adding a private endpoint to the database, specify the virtual network and subnet. This private endpoint will allow secure communication between AKS and Azure SQL via the VNet in the same region. Follow the links below for more step-by-step details. https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/private-aks-and-acr-using-private-endpoint-part-2-2/ba-p/3122281 Accept Answer I hope this is helpful! Do not hesitate to let me know if you have any other questions. ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution. Best Regards, Sina Salam

How to enable private endpoint between AKS and Azure SQL & Key Vault

Accepted answer

Sina Salam 12,011 Reputation points

2024-08-14T23:05:46.7566667+00:00
Hello Najam ul Saqib,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to enable private endpoint between AKS and Azure SQL & Key Vault.

You have started a good job; these are the prerequisites and one of these might be missing:

An Azure virtual network (VNet) where your AKS cluster resides.

A subnet within the virtual network.

Owner or contributor permissions for both the Azure SQL database and the virtual network.

The private endpoint and virtual network must be in the same region. AKS and SQL in the same region and Azure Key Vault and AKS in the same region.

If you have the above in place, then disable public access for the Azure SQL database, and continue by adding a private endpoint to the database, specify the virtual network and subnet. This private endpoint will allow secure communication between AKS and Azure SQL via the VNet in the same region. Follow the links below for more step-by-step details.

https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/private-aks-and-acr-using-private-endpoint-part-2-2/ba-p/3122281

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Please sign in to rate this answer.
Najam ul Saqib 340 Reputation points

2024-08-15T00:15:22.1866667+00:00

@Sina Salam Is it necessary for both SQL/KV to be in same region of AKS? Like if AKS is in West US 2 and SQL in West US, private endpoint can't work? Is that the reason why VNet of AKS not showing in SQL Private Endpoint dropdown?

Sina Salam 12,011 Reputation points

2024-08-15T08:27:17.77+00:00

Dear Najam ul Saqib,

Thank you for your feedback.

Regarding your question:

Is it necessary for both SQL/KV to be in same region of AKS? Like if AKS is in West US 2 and SQL in West US, private endpoint can't work? Is that the reason why VNet of AKS not showing in SQL Private Endpoint dropdown?

It is not strictly necessary, but that is the best practices.

They can work in different region BUT ensure that cross-region replication is set up for disaster recovery protection.

Finally, if your AKS cluster and SQL/KV are in different regions, private endpoints can still work. However, both the private endpoint and the virtual network must be in the same region. https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service

NOTE: Make sure that the AKS virtual network (VNet) and SQL Private Endpoint are in the same region and verify that you have the necessary permissions for both the VNet and SQL resources. This could easily solve the issue.

Najam ul Saqib 340 Reputation points

2024-08-15T09:55:59.2366667+00:00

Then the question remains, why the VNet isn't showing up in the dropdown for private endpoint?

Mahesh Kurva 725 Reputation points Microsoft Vendor

2024-08-29T14:30:32.66+00:00

Hi @ Najam ul Saqib,

Thanks for the question and using MS Q&A platform.

Thank you @ Sina Salam, in addition.

If you are having trouble finding the AKS VNet in the dropdown menu for Azure SQL or Key Vault private endpoints, make sure that both the AKS VNet and the SQL resources are in the same region. Also, check that you have the required permissions for both the VNet and the SQL resources.

I hope this information helps. Please do let us know if you have any further queries.

Mahesh Kurva 725 Reputation points Microsoft Vendor

2024-09-02T07:33:36.2466667+00:00

Hi @Najam ul Saqib,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Najam ul Saqib 340 Reputation points

2024-09-09T10:06:17.1+00:00

@Mahesh Kurva when you say "make sure that both the AKS VNet and the SQL resources are in the same region" by AKS VNet do you mean the private endpoint? Because I have earlier mentioned that AKS VNet and SQL resources are not in same subnet, and by creating a private endpoint in the same region as that of AKS's VNET I was able to add SQL's private endpoint to the subnet of AKS.

I haven't tested it yet though but the problem of subnet not appearing in the dropdown was probably due to me trying to create a private endpoint in a region different than AKS's region. Do we have any Microsoft docs that discuss these limitations and restrictions one has to keep in mind before creating pvt endpoint?

Also, FYI now the SQL DB and the private endpoint are in different regions, I hope it's okay because I am not very well versed with the region restriction. Can the resource and its private endpoint be in different regions?

@Sina Salam The whole purpose of this activity is to reduce public exposure to SQL databases, and I see another feature with the name of "Service Connector", here's the docs: https://learn.microsoft.com/en-us/azure/service-connector/tutorial-python-aks-sql-database-connection-string?tabs=azure-portal How is this different from private endpoint and does it achieve the purpose here for us?

Sina Salam 12,011 Reputation points

2024-09-09T13:23:15.3166667+00:00

Hello Najam ul Saqib,

Thank you for your feedback and more clarifications.

On private endpoint: This is likely why the VNet of AKS wasn't showing in the SQL Private Endpoint dropdown when they were in different regions. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview and others as I have stated above are valid points. Also, the in the link above the Private endpoints provide a private IP address within your VNet, allowing secure access to Azure services without exposing them to the public internet, but while AKS and SQL can be in different regions, you will need to ensure cross-region replication for disaster recovery is configured.

On service connector: Unlike private endpoints, Service Connector does not necessarily require the services to be in the same region. It focuses on simplifying the connection process and managing network configurations - https://learn.microsoft.com/en-us/azure/service-connector/tutorial-python-aks-sql-database-connection-string?tabs=azure-portal - The functionality simplified the process and configuration and met the purpose you specified to reduce public exposure by managing secure connections between services.

Mahesh Kurva 725 Reputation points Microsoft Vendor

2024-09-10T11:30:10.45+00:00

Hi @Najam ul Saqib,

Just checking in to see if the above answer provided by @Sina Salam helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to enable private endpoint between AKS and Azure SQL & Key Vault

0 additional answers

Your answer