As far as I know there are 3 possible solutions:
- allow Microsoft services to connect to the public endpoint of your database server
- in your deployment pipeline, grab the IP address of the agent and automatically add that to the firewall rules of your database server. After deployment automatically remove the agent IP address from the firewall again.
- use a self-hosted pipeline agent (https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser)

The last one is the only solution that does not (temporarily) open your database firewall to the outside world.
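
A sketch of the second option, added here as an example and not part of the original answer: the rule covers only the agent's own address and is removed again even when the deployment step fails. It assumes Azure SQL Database, a logged-in Azure CLI, the api.ipify.org lookup service, and placeholder values for `RESOURCE_GROUP`, `SQL_SERVER`, the rule name and the `./deploy-database.sh` step.

```shell
#!/bin/sh
# Added example. Assumes Azure SQL Database and the Azure CLI ("az") already
# logged in; RESOURCE_GROUP, SQL_SERVER and the rule name are placeholders.
RULE_NAME="pipeline-agent-${BUILD_BUILDID:-local}"

# Succeeds only for a dotted-quad IPv4 address, so an error page or empty
# reply from the lookup service never reaches the firewall API.
is_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# Assumption: api.ipify.org answers with the caller's public IP as plain text.
agent_ip() { curl -fsS --max-time 10 https://api.ipify.org; }

open_firewall() {
  az sql server firewall-rule create --resource-group "$RESOURCE_GROUP" \
    --server "$SQL_SERVER" --name "$RULE_NAME" \
    --start-ip-address "$1" --end-ip-address "$1" --output none
}

close_firewall() {
  az sql server firewall-rule delete --resource-group "$RESOURCE_GROUP" \
    --server "$SQL_SERVER" --name "$RULE_NAME"
}

# Runs the given deployment command with a single-address rule in place.
# The EXIT trap removes the rule whether the command succeeds, fails or the
# step receives INT or TERM; the command's exit status is passed through.
with_agent_firewall_rule() (
  ip=$(agent_ip) || exit 1
  is_ipv4 "$ip" || { echo "unexpected IP lookup result" >&2; exit 1; }
  trap close_firewall EXIT
  trap 'exit 143' INT TERM
  open_firewall "$ip" || exit 1
  status=0
  "$@" || status=$?
  exit "$status"
)

# Usage in a pipeline step (hypothetical script name):
#   with_agent_firewall_rule ./deploy-database.sh
```

An agent that is killed outright cannot run the trap, so the build ID in the rule name is there to make leftover rules easy to find and delete.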