PaaS to PaaS communication is not working via Service Endpoint
Hi folks,
Hope you are doing well!
We have a SQL MI which needs to write backups to an Azure Storage Account. Both resources have Private Endpoints created, and the subnet of the SQL MI has a service endpoint enabled for Storage.
Now, I added the VNet/subnet of the SQL MI to the allowed list of VNets in the Storage Account firewall and allowed connections to the 'Storage' Service Tag in the NSG of the SQL MI's subnet. Since the connection is PaaS to PaaS (SQL MI to Storage), I thought that the Service Endpoint connection would work and that the traffic from the SQL MI would not use the Private Endpoint.
But when I connected to the SQL MI remotely from an Azure-hosted AVD to run the DB backup jobs, the jobs were failing with a connection error to the Storage.
I had to allow the Blob PE IP on the NSG instead of the 'Storage' Service Tag to fix the issue.
After some digging in the logs, I learned that the endpoint URL of the storage account was resolving to the private IP of the storage account (i.e. the IP of the Blob private endpoint).
What I am unable to understand is this: I've enabled the service endpoint in the subnet of the SQL MI and have whitelisted the VNet/subnet in the firewall of the Storage account.
Why:
- SSMS SQL queries are resolving to the private IP address.
- The connection is going via the private endpoint (private IP) and not via the Service Endpoint.
Pasting some snips for more clarity:
SQL MI Vnet details:
Whitelisted SQL MI subnet and endpoint enabled
SQL MI backup job referring to the private IP (Blob private endpoint):
Note: This was failing until we allowed the private IP on the SQL MI's NSG instead of the Storage service tag.
After this incident, I am really confused about how Service Endpoints and Private Endpoints work. I believe that if the connection is PaaS to PaaS, the traffic should follow the public endpoints; is my understanding wrong?
Any help would be superbly appreciated!
Thanks in advance!
Cheers!
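The behaviour described in the post (the storage FQDN resolving to the Blob private endpoint's VNet IP, and an NSG rule for the 'Storage' service tag not covering that destination) can be reproduced offline. The following is an added example and is not code from the original post or from Microsoft. It models the two facts that decide the path: when the privatelink.blob.core.windows.net private DNS zone is linked to the VNet, the public name `<account>.blob.core.windows.net` is a CNAME to `<account>.privatelink.blob.core.windows.net`, which resolves to the private endpoint's VNet IP, so the client connects to the private endpoint regardless of any service endpoint on the subnet; and the 'Storage' service tag contains only Azure Storage's public prefixes, never a VNet address. The account name `contosobackups`, all IP addresses, the DNS answers and the NSG rule sets are constructed assumptions, and the service-tag match is a simplification noted in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVATELINK_BLOB = ".privatelink.blob.core.windows.net"


@dataclass(frozen=True)
class Record:
    rtype: str   # "CNAME" or "A"
    value: str


# Constructed DNS data (not captured from a real tenant); the account name
# 'contosobackups' and every IP below are assumptions for this example.
# 1) Answers from a resolver inside the VNet with the privatelink private DNS
#    zone linked: the chain ends at the Blob private endpoint's VNet IP.
ZONE_INSIDE_VNET: Dict[str, Record] = {
    "contosobackups.blob.core.windows.net":
        Record("CNAME", "contosobackups.privatelink.blob.core.windows.net"),
    "contosobackups.privatelink.blob.core.windows.net": Record("A", "10.10.2.5"),
}
# 2) Answers from public DNS for the same name: the privatelink CNAME is still
#    present, but it continues to the storage cluster's public address.
ZONE_PUBLIC: Dict[str, Record] = {
    "contosobackups.blob.core.windows.net":
        Record("CNAME", "contosobackups.privatelink.blob.core.windows.net"),
    "contosobackups.privatelink.blob.core.windows.net":
        Record("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": Record("A", "20.60.0.10"),
}

# Constructed outbound rule sets for the SQL MI subnet's NSG. Azure's default
# rules are omitted; an explicit final deny stands in for them.
RULES_TAG_ONLY = [
    {"priority": 100, "destination": "Storage", "access": "Allow"},
    {"priority": 4096, "destination": "0.0.0.0/0", "access": "Deny"},
]
RULES_WITH_PE_IP = [
    {"priority": 100, "destination": "Storage", "access": "Allow"},
    {"priority": 110, "destination": "10.10.2.5/32", "access": "Allow"},  # Blob PE IP
    {"priority": 4096, "destination": "0.0.0.0/0", "access": "Deny"},
]


def resolve(fqdn: str, zone: Dict[str, Record], max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from fqdn until an A record; return (names visited, ip or None)."""
    visited, name = [fqdn], fqdn
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return visited, None
        if rec.rtype == "A":
            return visited, rec.value
        name = rec.value
        visited.append(name)
    return visited, None   # CNAME loop or chain too long


def classify_path(fqdn: str, zone: Dict[str, Record]) -> dict:
    """Report whether traffic to fqdn will hit a private endpoint or the public (service endpoint) path."""
    names, ip = resolve(fqdn, zone)
    via_privatelink = any(n.endswith(PRIVATELINK_BLOB) for n in names)
    is_private_ip = ip is not None and ipaddress.ip_address(ip).is_private
    path = "private_endpoint" if (via_privatelink and is_private_ip) else "public_endpoint"
    return {"ip": ip, "chain": names, "path": path}


def nsg_allows(dest_ip: str, rules: List[dict]) -> bool:
    """Evaluate outbound NSG rules (lowest priority number wins) for dest_ip.

    Simplification: the real 'Storage' tag is a published list of Azure
    Storage public prefixes; here it is modelled as 'any non-private IP',
    which is enough to show that a VNet (private endpoint) address never
    matches it.
    """
    ip = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        dest = rule["destination"]
        matched = (not ip.is_private) if dest == "Storage" else ip in ipaddress.ip_network(dest, strict=False)
        if matched:
            return rule["access"] == "Allow"
    return False   # nothing matched: treat as denied


def check(fqdn: str, zone: Dict[str, Record], rules: List[dict]) -> dict:
    """Where does the name go, and does the NSG let the client get there?"""
    result = classify_path(fqdn, zone)
    result["nsg_allows"] = nsg_allows(result["ip"], rules) if result["ip"] else False
    return result


if __name__ == "__main__":
    name = "contosobackups.blob.core.windows.net"
    for label, zone, rules in [
        ("inside VNet, Storage tag only", ZONE_INSIDE_VNET, RULES_TAG_ONLY),
        ("inside VNet, PE IP allowed", ZONE_INSIDE_VNET, RULES_WITH_PE_IP),
        ("public resolver, Storage tag only", ZONE_PUBLIC, RULES_TAG_ONLY),
    ]:
        print(label, check(name, zone, rules))
```

Running it shows the post's outcome: from inside the VNet the name resolves through the privatelink CNAME to 10.10.2.5, a rule set with only the Storage tag denies that destination, and adding the private endpoint's /32 is what allows it; the same name resolved from public DNS ends at a public IP, where the Storage tag rule does suffice. On a real deployment the equivalent check is an nslookup of the storage FQDN from the SQL MI subnet, which will show the privatelink CNAME and the private endpoint IP whenever the private DNS zone is linked to that VNet.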