This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 7.000000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
I have an Azure Web App connecting to SQL FO Group at the moment using the Read/Write Listener of the SQL FO group connection string. I would like to use Private Link with Private Endpoint for the SQL DBs. So my Web App has to be enabled for Regional VNET integration if i am not wrong. I would like to know whether i need to create two private endpoints per Server or not for my Web App to work correctly if there is a failover of the SQL Database from primary to secondary.
I am following this url :
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/sql-failover/app-service-private-sql-multi-region#alternatives
I am using Terraform for provisioning infrastructure.
So i would like to know if i have to specify one SQL Private Link for the two private endpoints or not
resource "azurerm_private_endpoint" "sql-primary-endpoint" {
name = module.names-pvt-endpoint.location.private_endpoint.name_unique
location = var.resource_group_location
resource_group_name = var.resource_group_name
subnet_id = data.azurerm_resources.sub-net.id
private_service_connection {
name = "sql-primary-connection"
private_connection_resource_id = azurerm_private_link_service.sql-pvt-link.id
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "sql-secondary-endpoint" {
name = module.names-pvt-endpoint-secondary.location.private_endpoint.name_unique
location = "eastus2"
resource_group_name = var.resource_group_name
subnet_id = data.azurerm_resources.sub-net.id
private_service_connection {
name = "sql-secondary-connection"
private_connection_resource_id = azurerm_private_link_service.sql-pvt-link.id
is_manual_connection = false
}
}
An Azure relational database service.
Tag not monitored by Microsoft.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 97%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hi @Anonymous , welcome to Microsoft Q&A forum. We are checking this and will get back at the earliest.
@AnuragSharma-MSFT Hi Anurag, thanks for that. I would appreciate if you can let me know quickly as i have to deploy this before going live. I have an additional question in relation to SQL FO Group over a private link
I was looking at the URI : https://learn.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-configure?tabs=azure-portal#use-private-link
If you see the section "Use Private Link" there point # 5 mentions that : "Once the private link is established, you can create the failover group following the steps outlined previously in this article."
So i would like to know is this mandatory or i can create the Private Link after i have configured my SQL FO Group.
At the moment my SQL FO Group is already there and i am right now planning to configure the Private Link. So will my use case work or not or i have to break my FO group and do it again.
Looking forward to hearing from you with some pointers on this.
Hi @Anonymous , I have sought help of product group on this issue and escalated it to them already and will respond back at the earliest once I receive the response back.
Hi @Anonymous , we have received the response back from PG and they provided below article. Could you please take a look into this:
Using Failover Groups with Private Link for Azure SQL Database
----------
If this helps, please mark it 'Accept Answer'
Hi anurag i have seen this link already. I was following this link which is kind of my use case except that i don't have two Web Apps.
[https://learn.microsoft.com/en-us/azure/architecture/example-scenario/sql-failover/app-service-private-sql-multi-region#alternatives][1]
My case is one 4 Web Apps sitting in US Central connecting to a FO Group with the Primary SQL being in Central US and Secondary in East US 2. I would like to know if it's ok to configure Private Link after you have SQL FO Group. Will that be an issue?
As i already have FO group configured and my app is pointing to the SQL FO Group R/W Listener at the moment.
Also, it is mentioned in the link that i have posted, that you need to configure two private endpoints per region so that my Web Apps in Central US can talk to the SQL DB in Secondary East US 2 when the DB fails over in case of a disaster. This is because of limitation of talking to a resource across cross region peering. Is that correct?
We are using Terraform to build resources. So when i am putting this, i should be having total four private endpoints right, two private DNS zones for each region, both pointing to "privatelink.database.windows.net" and two private dns zone virtual network links. Is this correct?
Thanks for replying back. I posted this query back to product group and awaiting their reply.
Answer accepted by question author
Thanks for your patience. Another reply we received from PG "Configuring Private Endpoint for Azure SQL Database doesn’t require any connection string changes, so there shouldn’t be any issues from the POV of connecting to the FOG R/W or read only listener. Of course, you will need to make sure that the apps have access to the VNet where the Private Endpoint is deployed."
Please let us know if this answers your query.
Ok thanks for that. I was able to successfully configure my SQL FO Group Private Link and my apps can talk to it also. So you can mark this as answer.Thanks
Hi @Anonymous , really glad it worked out for you. As you raised the thread only you could mark it as answer. Could you please do that as it could help others having similar queries?
@AnuragSharma-MSFT Hi Anurag, just got one more question before i close this thread. Can you please check with the product team whether i need to enable firewall rules for my on prem folks who want to connect via VPN to the SQL DB Server? At the moment , public access to the Primary and Secondary SQL Server is disabled. Only rule that i have set now is the VNET rule and allowing my App Subnet only to talk to SQL Subnet.
So do i need to add another firewall rule for my on prem CIDRs? I thought if you have enabled private endpoint your on prem should be connecting directly via Express Route to the SQL Server, but that's not the case it seems. Could you please clarify this. Thanks
Thanks for replying, I have asked the same to PG and waiting for their inputs.
Hi @Anonymous , I received the response back from PG group, "The basic requirement for private link connectivity is a successful DNS resolution from FQDN to private endpoint. Depending on how the on-premises to Azure path is setup, this can be different as outlined in the scenarios here Azure Private Endpoint DNS configuration | Microsoft Learn"
Hi @Anonymous , I hope we were able to provide all the information needed.