https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql
Connectivity Architecture: For clients connecting to Azure SQL Database, the connection is first established to the gateway that has a public IP address and listens on port 1433. The gateway then redirects or proxies the traffic to the appropriate database cluster.
Connection Policies: Azure SQL supports three connection policies: Redirect, Proxy, and Default. The Default policy is Redirect for all client connections originating inside Azure and Proxy for all client connections originating outside Azure, such as your on-premises connections. Microsoft recommends the Redirect policy for lower latency and higher throughput, although it requires additional network traffic management. Connections to private endpoints only support the Proxy connection policy.
Private Link/Private Endpoints: Azure creates a CNAME in public DNS that redirects resolution to the suggested domain names. This lets applications connect without changing the connection URL, because the DNS server now resolves the name to the private endpoint.
DNS Configuration: If your client is in Azure, the DNS on the VM can be a forwarder to Azure DNS. If you are using an on-premises DNS, you might need a Conditional Forwarder. The DNS domain should be database.windows.net. You can check whether name resolution works correctly by running the nslookup command against your database's FQDN. If you don't want to use a forwarder, you can create a forward lookup zone and manually add the host to match the FQDN.
VNet Integration: To make an Azure Function connect to a private endpoint, you'll need to use VNet integration. After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. To work with Azure DNS Private Zones, add the following app settings:
- WEBSITE_DNS_SERVER with value 168.63.129.16
- WEBSITE_VNET_ROUTE_ALL with value 1
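The two checks above (does the FQDN resolve through the private endpoint, and does the Function app carry the DNS/VNet settings) are worth scripting, because a missing private DNS zone or forwarder silently falls back to the public gateway and the connection still "works". The following is an added example, not code from the Microsoft page: it parses nslookup output (constructed samples in both the Linux and Windows layouts), checks whether the answer went through the privatelink.database.windows.net CNAME and landed on an address inside the VNet's address space, and audits the app-settings list in the shape `az functionapp config appsettings list` prints. The server name contoso-sql, the VNet CIDR 10.1.0.0/16 and all addresses are assumptions for the example.

```python
"""Added example: verify that an Azure SQL FQDN resolves through the private
endpoint and that a Function app has the DNS/VNet settings listed above.
All inputs are constructed; nothing here touches the network."""
import ipaddress
import re

# The Private Link subdomain that the public CNAME redirects resolution to.
PRIVATELINK_SUFFIX = "privatelink.database.windows.net"
AZURE_DNS_IP = "168.63.129.16"
# App settings the page lists for Azure DNS Private Zones with VNet integration.
EXPECTED_APP_SETTINGS = {"WEBSITE_DNS_SERVER": AZURE_DNS_IP, "WEBSITE_VNET_ROUTE_ALL": "1"}
# RFC 1918 ranges, checked explicitly (ipaddress.is_private also flags documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nslookup(output):
    """Return (hostname_chain, addresses) from the answer section of nslookup output.
    Handles the Linux 'canonical name =' layout and the Windows 'Aliases:' layout."""
    chain, addresses = [], []
    in_answer = collecting_aliases = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("non-authoritative answer"):
            in_answer = True
            continue
        if not in_answer:
            continue  # skip the resolver's own Server:/Address: header lines
        m = re.match(r"^(\S+)\s+canonical name\s*=\s*(\S+?)\.?$", line)
        if m:
            chain.extend(m.groups())
            collecting_aliases = False
            continue
        m = re.match(r"^(Name|Address(?:es)?|Aliases):\s*(.*)$", line)
        if m:
            key, value = m.groups()
            collecting_aliases = key == "Aliases"
            if key == "Name":
                chain.append(value.rstrip("."))
            elif key == "Aliases":
                chain.extend(v.rstrip(".,") for v in value.split())
            else:
                addresses.extend(v.split("#")[0] for v in value.split())
            continue
        if collecting_aliases:  # Windows prints further aliases on unlabeled lines
            chain.extend(v.rstrip(".,") for v in line.split())
    return chain, addresses


def classify_resolution(nslookup_output, vnet_cidr):
    """Classify where a connection would go, and which connection policy applies."""
    chain, addresses = parse_nslookup(nslookup_output)
    if not addresses:
        return {"path": "unresolved", "address": None, "via_privatelink": False, "expected_policy": None}
    ip = ipaddress.ip_address(addresses[0])
    via_privatelink = any(h.endswith(PRIVATELINK_SUFFIX) for h in chain)
    if via_privatelink and ip in ipaddress.ip_network(vnet_cidr):
        path, policy = "private-endpoint", "Proxy"          # private endpoints support Proxy only
    elif any(ip in net for net in RFC1918):
        path, policy = "private-ip-outside-vnet", "Proxy"   # stale zone or wrong forwarder target
    else:
        path, policy = "public-gateway", "Default (Redirect from inside Azure, Proxy from outside)"
    return {"path": path, "address": str(ip), "via_privatelink": via_privatelink, "expected_policy": policy}


def check_app_settings(settings):
    """settings: list of {"name": ..., "value": ...} records; returns a list of problems (empty = OK)."""
    present = {s["name"]: str(s["value"]) for s in settings}
    problems = []
    for name, expected in EXPECTED_APP_SETTINGS.items():
        actual = present.get(name)
        if actual is None:
            problems.append(f"{name} missing (expected {expected})")
        elif actual != expected:
            problems.append(f"{name}={actual} (expected {expected})")
    return problems


# Constructed sample: resolver is Azure DNS, private zone present (Linux nslookup layout).
NSLOOKUP_PRIVATE_ENDPOINT = """Server:\t\t168.63.129.16
Address:\t168.63.129.16#53

Non-authoritative answer:
contoso-sql.database.windows.net\tcanonical name = contoso-sql.privatelink.database.windows.net.
Name:\tcontoso-sql.privatelink.database.windows.net
Address: 10.1.2.5
"""
# Constructed sample: public resolver, no private zone, so the CNAME falls through to the gateway.
NSLOOKUP_PUBLIC_ONLY = """Server:  UnKnown
Address:  8.8.8.8

Non-authoritative answer:
Name:    cr1.eastus1-a.control.database.windows.net
Address:  203.0.113.10
Aliases:  contoso-sql.database.windows.net
          contoso-sql.privatelink.database.windows.net
"""
# Constructed app-settings list with WEBSITE_VNET_ROUTE_ALL left at 0.
FUNCTION_APP_SETTINGS = [
    {"name": "WEBSITE_DNS_SERVER", "value": "168.63.129.16", "slotSetting": False},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "value": "0", "slotSetting": False},
]

if __name__ == "__main__":
    for label, sample in (("azure-dns", NSLOOKUP_PRIVATE_ENDPOINT), ("public-dns", NSLOOKUP_PUBLIC_ONLY)):
        print(label, classify_resolution(sample, "10.1.0.0/16"))
    print("app settings:", check_app_settings(FUNCTION_APP_SETTINGS) or "OK")
```

Run it from a VM or Function app in the VNet by pasting real nslookup output in place of the constructed samples; a result of `public-gateway` with `via_privatelink` true is the classic symptom of a missing private DNS zone link or conditional forwarder, and `private-ip-outside-vnet` usually means the forward lookup zone was populated by hand with a stale address.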