Azure VNET with NVA and Azure SQL Traffic

Maji, Kaushik 1 Reputation point

Hi All,

If we have a VM in a subnet with its default route pointing to an NVA (firewall) VM in the same or a different (e.g. peered) VNET, and we also have a Service Endpoint enabled on the subnet for SQL, how does the traffic from the VM toward the SQL Database servers flow? Does it go via the NVA or internally/privately?

Is the same pattern true for other PaaS services being accessed from VMs in such a subnet?

Thanks and Regards,

Azure SQL Database

1 answer

  1. Mike Ubezzi 2,776 Reputation points

    Hi @MajiKaushik-0053 - Without an image for reference, I am not sure whether the default route and the Microsoft.Sql private endpoint are in the same subnet, but for it to route correctly a Private Link instance must exist and be associated with the Microsoft.Sql private endpoint, and the Azure SQL Database FQDN must be called. Azure internal DNS should resolve the internal Private Link address and route through internal Azure networking. The NVA for your deployment may need a UDR in some scenarios. Please see the following resources for additional information:

    • Azure SQL DB Private Link / Private Endpoint - Connectivity Troubleshooting (Link)

    Explains how to test the route and make sure it is using private and not public interfaces.

    • Azure Private Link for Azure SQL Database and Azure Synapse Analytics (Link)

    Private Link allows you to connect to various PaaS services in Azure via a private endpoint. For a list of PaaS services that support Private Link functionality, go to the Private Link Documentation page. A private endpoint is a private IP address within a specific VNet and subnet.

    • Deploy highly available network virtual appliances (Link)

    Not necessarily the HA aspect but some good examples where UDR is used for traffic flow.

    • Service-aided subnet configuration (Link)

    Using Azure SQL Database Managed Instance as an example of advanced networking, the following is an example of using UDRs to separate out data traffic from systems traffic.
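As an added illustration (not part of the question or the answer above): the route check that the first linked article describes can be reproduced offline against a saved effective-route dump, because Azure selects the effective route by longest prefix match. The JSON below is constructed; its field names mirror the output of `az network nic show-effective-route-table` (an assumption, adjust to your CLI version), `10.1.1.4` is a placeholder NVA address and `198.51.100.0/24` stands in for whatever prefixes the Sql service tag actually carries.

```python
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed sample modelling the question: a 0.0.0.0/0 UDR to an NVA plus a
# Microsoft.Sql service endpoint and one private endpoint in the same subnet.
# Azure marks the overridden system default route "Invalid" in effective routes.
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
[
  {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
   "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
   "nextHopIpAddress": ["10.1.1.4"], "source": "User", "state": "Active"},
  {"addressPrefix": ["198.51.100.0/24"], "nextHopType": "VirtualNetworkServiceEndpoint",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["10.1.2.9/32"], "nextHopType": "InterfaceEndpoint",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"}
]
""")


def next_hop_for(destination: str, routes: List[dict]) -> Tuple[str, Optional[str]]:
    """Longest-prefix match over Active routes (Azure's selection rule).

    Returns (nextHopType, nextHopIpAddress). Equal-length prefixes are not
    disambiguated here; the dump is expected to mark losers as Invalid.
    """
    dst = ipaddress.ip_address(destination)
    best_net = None
    best_hop: Tuple[str, Optional[str]] = ("None", None)
    for route in routes:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                hop_ip = route["nextHopIpAddress"][0] if route["nextHopIpAddress"] else None
                best_net, best_hop = net, (route["nextHopType"], hop_ip)
    return best_hop


def bypasses_nva(destination: str, routes: List[dict]) -> bool:
    """True when traffic to `destination` is NOT forced through the NVA."""
    return next_hop_for(destination, routes)[0] != "VirtualAppliance"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "10.1.2.9", "203.0.113.9"):
        print(ip, next_hop_for(ip, SAMPLE_EFFECTIVE_ROUTES), "bypasses NVA:", bypasses_nva(ip, SAMPLE_EFFECTIVE_ROUTES))
```

Run it against `az network nic show-effective-route-table -o json` output for the VM's NIC and the service-endpoint and private-endpoint destinations should resolve to the more specific non-NVA hops, while an arbitrary public address still goes to the appliance.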