Private link / VNet integration between App Service and MySQL Database

Question

Hello,

Between an App Service and an Azure Database for MySQL I created a Private Link with VNet integration, so that the Database for MySQL is only reachable through the App Service and not through the public internet.

When looking at the App Service Network Settings under "Outbound traffic configuration" it shows the active VNet integration. However, it also shows Outbound addresses which are public IP's.

What are these outbound addresses for? Because I configured it so that the Database Server is only reachable through the private IP of the Private Link. Are these public outbound addresses still in use or why are they there?

Is there a way I can prove that the Azure Database for MySQL is only reachable through the Private Link private IP?

Thank you in advance.

Answer 1

@JohnC92 ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

For your requirement, the App Service should be VNET Integrated and the SQL DB should have a Private EndPoint in the same VNET or a VNET that is peered to the VNET where the App Service is integrated.

To check if the traffic from App Service to the SQL DB is going via Public or PE (private),

• You can use Kudu service from App Service.
• From the Kudu Console, do a nslookup <FQDNofSqlDb>
• If this resolves to the Public IP - connection is going via Internet
• If this resolves to the Private IP of the Private EndPoint - this means traffic is restricted to the virtual network only.

Hope this makes it clear.

Cheers,

Kapil