To configure your SQL Server instance on Azure to allow connections only from a specific subnet while denying access from all other subnets in a hub-and-spoke topology, follow these steps:
- Use Private Endpoints and enable network policies: Ensure that your SQL Server instance is using a private endpoint. This allows you to leverage Azure's network security features to control access.
- Add/Modify Network Security Group (NSG) Rules:
  - Navigate to the Azure portal and find the SQL Server instance.
  - Locate the "Networking" section and identify the private endpoint associated with the SQL Server.
  - Confirm that the NSG is applied to the subnet containing the private endpoint.
  - Modify the NSG rules to allow traffic only from the specific subnet by adding an "Allow" rule for the IP range of that subnet.
  - Add "Deny" rules for other subnets or ensure a default deny rule is in place to block traffic from all other subnets.
For comprehensive guidance, please refer to the Microsoft documentation on managing network policies for private endpoints: Manage network policies for private endpoints - Azure Private Link.
Additional References:
- Connectivity architecture for Azure SQL Managed Instance
- Azure Private Link for Azure SQL Managed Instance
Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
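The procedure from the answer above as an Azure CLI script, added here as an example and not part of the original answer. The resource group, VNet, subnet and NSG names, the allowed spoke prefix 10.1.0.0/24 and the SQL port 1433 are placeholders to replace. Two points the bullets leave implicit are made explicit in the script: an NSG attached to a private endpoint subnet does nothing until network policies are enabled on that subnet, and the NSG's built-in AllowVnetInBound rule (priority 65000) uses the VirtualNetwork service tag, which includes peered VNets, so in a hub-and-spoke the other spokes keep reaching the endpoint until an explicit Deny rule with a lower priority number is added.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): restrict an Azure SQL
# private endpoint to one spoke subnet with an NSG, via the Azure CLI.
# All names, the allowed prefix and the port below are placeholders.
set -eu

RG="${RG:-rg-hub}"                              # resource group of the hub VNet
VNET="${VNET:-vnet-hub}"                        # hub VNet holding the private endpoint
PE_SUBNET="${PE_SUBNET:-snet-privatelink}"      # subnet the private endpoint NIC lives in
NSG="${NSG:-nsg-sql-pe}"                        # NSG to attach to that subnet
LOCATION="${LOCATION:-westeurope}"
ALLOWED_PREFIX="${ALLOWED_PREFIX:-10.1.0.0/24}" # the one spoke subnet allowed in
SQL_PORT="${SQL_PORT:-1433}"                    # assumed listener port of the SQL private endpoint

# Set AZ=echo to print the commands instead of running them (dry run).
AZ="${AZ:-az}"

# Rule table: name, priority, access, source, destination port.
# Lower numbers win, so the Allow must sort before the Deny, and both
# before the built-in AllowVnetInBound rule (65000). That default rule's
# VirtualNetwork tag also covers peered VNets, so without the explicit
# Deny every other spoke in the hub-and-spoke would still get through.
nsg_rules() {
  printf '%s\n' \
    "allow-sql-from-app-subnet 100 Allow ${ALLOWED_PREFIX} ${SQL_PORT}" \
    "deny-all-from-other-vnets 200 Deny VirtualNetwork *"
}

# Sanity check on the table: Allow before Deny, Deny before 65000.
check_priorities() {
  allow=$(nsg_rules | awk '$3 == "Allow" { print $2 }')
  deny=$(nsg_rules | awk '$3 == "Deny" { print $2 }')
  [ "$allow" -lt "$deny" ] && [ "$deny" -lt 65000 ]
}

apply() {
  check_priorities
  # 1. NSGs are ignored on a private endpoint subnet until network
  #    policies are enabled on it (older CLI versions spell this flag
  #    --disable-private-endpoint-network-policies false).
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
      --private-endpoint-network-policies Enabled
  # 2. Create the NSG and its inbound rules from the table above.
  $AZ network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
  nsg_rules | while read -r name prio access src port; do
    $AZ network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" \
        --priority "$prio" --direction Inbound --access "$access" --protocol Tcp \
        --source-address-prefixes "$src" --source-port-ranges '*' \
        --destination-address-prefixes '*' --destination-port-ranges "$port"
  done
  # 3. Attach the NSG to the private endpoint subnet.
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
      --network-security-group "$NSG"
  # 4. Show the resulting rule set including the built-in rules, so the
  #    new Deny can be seen sitting above AllowVnetInBound.
  $AZ network nsg rule list -g "$RG" --nsg-name "$NSG" --include-default -o table
}

# Only run when invoked as "sh lockdown.sh apply"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run `AZ=echo sh lockdown.sh apply` first to review the exact commands, then `sh lockdown.sh apply` with a logged-in CLI. The Deny rule is deliberately written for all destination ports rather than only 1433: a private endpoint subnet normally hosts nothing else, so there is no reason to leave other ports open to the rest of the VNet. If the subnet is shared, narrow it back to the SQL port.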