This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHR%3C/text%3E%3C/svg%3E)
I am wanting to configure my Azure SQL Server to only be accessible through the VPN Gateway. Is this possible? I've read through much documentation to affirm this and I cannot find a direct solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 15%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello @Hector Robles ,
Could you please provide an update on this post?
Kindly let us know if the below helps or you need further assistance on this issue.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
The solution ended up being resolved with using another host as a DNS server that redirected the IP called by a host connected to the VPN, to the private endpoint
You want to restrict Azure SQL server access only via the VPN gateway i.e traffic from onprem to reach SQL server via private network not via public network.
You can achieve it via Site to Site or Point to site connectivity.
Site to Site connectivity between Onprem to Azure need to be in place.
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Or
Point to site connectivity between Onprem to Azure need to be in place.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps
Create private endpoint for your SQL server to enable private connectivity.
https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal.
For Site to site connectivity, on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
Or
For Point to site connectivity, have an Host entry on the client machine for the FQDN of SQL(Ex:SQLsevername.privatelink.database.windows.net) pointing to the Private endpoint IP.
Deny public network access under Firewalls and virtual networks of SQL server.
https://learn.microsoft.com/en-gb/azure/azure-sql/database/connectivity-settings#deny-public-network-access.
Once the setup is in place then from onprem(S2S)/Client machine (P2S) you should be able to access the Azure SQL server via VPN gateway
Hope this was helpful. Please let us know in case of any additional questions or concerns.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
I am still finding a challenge with this solution. I can still connect to the SQL server, with P2S, using the private link/endpoint WITHOUT being logged into the VPN.
@Hector Robles When you establish point to site connectivity, you need to setup point to site configuration under the Virtual network gateway. Before Azure accepts a P2S VPN connection, the user has to be authenticated first based on the protocol you use for the P2S connection. The IP address pool defined under P2S configuration are the IP address your client machine are going to get for the private communication. From the Client machine when you access the SQL server FQDN it resolves to the private IP of the SQL server private endpoint IP (As we have host entries on the client machine) and the private IP communication traverse through the VPN gateway from your client machine and reaches the Private endpoint of SQL server.
Ref https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#protocol
Please let us know in case of any additional questions or concerns.
I setup P2S config with the VPN and the private link works in SSMS when Im connected to the VPN. But when Im NOT connected to the VPN and use the private link, I can STILL connect to the SQL server through SSMS. I do not want to be able to connect to the sql server through SSMS if Im NOT on the VPN. It prompts me to add a VPN rule to allow my machine's IP. I do not want to be able to connect at all without being connected to the VPN.
Enable Deny Public access under Security--> Firewalls and Virtual Network of your SQL server, this will disable public access to your SQL server.
The FQDN private link stops working in SSMS when I disable public access to the SQL Server. It doesn't work when Im on the VPN too.
Please have an host entry on your client machine for the private endpoint name Ex: SQLsevername.privatelink.database.windows.net
Disable the public access on the SQL server
In SSMS use FQDN as SQLsevername.privatelink.database.windows.net you should be able to access the SQL server via P2S when public access is disabled
I completed those steps and am using that FQDN structure you mention. It is not working still.
I am not connecting to the SQL server through a VM on the virtual network. I am connecting to the vnet with P2S, then directly attempting to connect to the SQL server private endpoint.
Its strange that you are not able to access when I am able to reach from my point to site connectivity.
From command prompt try to ping SQLsevername.privatelink.database.windows.net and see the IP it is resolving to, if it is private IP then you should be able to, if it is public IP then the host entry is not resolving to private IP.
yeah, I ended up having to change the host file in order for it resolve to the private IP.
steps 4-6 on this page helped: https://techcommunity.microsoft.com/t5/azure-database-support-blog/azure-sql-db-private-link-private-endpoint-connectivity/ba-p/1235573