Hello @krishna kumar
Thank you for posting this concern on this community space.
I was reading your case scenario description and I would like to gather a few observations:
- Create firewall rule to allow few specific IP addresses >>> Related to this statement, I was wondering if you are referring to a Network Security Group and if yes, you are using a PIP (Public IP) on the SQL machine by allowing an IP address as well as a listening port.
- Allow connection only through VPN >>> When you are referring to VPN... Is this a Firewall appliance with P2S VPN or the Gateway VPN Azure feature configured as P2S VPN for remote access? If yes, you can set it up to allow access to your Subnet or Vnet.
- Furthermore, you can also use Azure Bastion in order to avoid assigning a PIP directly to the SQL resources and exposing them to the internet.
I hope that can be useful for you.
Looking forward to your feedback,
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.