Azure SQL private endpoint

Diego Juanes 21 Reputation points

Hi there,
I set up a private endpoint to connect to the Azure SQL database, following the documentation:


When trying to connect from the portal, it shows me the following error:
Reason: An instance-specific error occurred while establishing a connection to SQL Server. Connection was denied since Deny Public Network Access is set to Yes ( To connect to this server, use the Private Endpoint from inside your virtual network ( private-link-for-azure-sql-database).
If I connect from Sql Server Management Studio (on-premises), the error is:
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 0 - The semaphore timeout period has expired.) (Microsoft SQL Server, Error: 121)

Any ideas?

Azure SQL Database
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
327 questions
{count} votes

Accepted answer
  1. Ricardo Costa 76 Reputation points

    Hey @Diego Juanes

    If you check the IP that's being resolved when you query the FQDN, you'll probably see that it is resolving to a Public IP instead of resolving to the Private IP of the Private Endpoint.

    You can use the PowerShell command Test-NetConnection to test it. Something, like:
    Test-NetConnection -ComputerName -Port 1433

    If this is the situation, you have 2 ways to solve it:

    • define an entry in the host file pointing to
    • or setup DNSs to do that for you.

    All info, including DNS scenarios, is at

1 additional answer

Sort by: Most helpful
  1. KalyanChanumolu-MSFT 8,256 Reputation points Microsoft Employee

    @Diego Juanes Apologies for the delayed response on this thread.

    When you set up a private endpoint for an Azure resource, you are isolating the resource to a Virtual network. Access from public internet is completely restricted.

    The private IP address can be resolved from an Azure resource (VM for example) on the VNet or from your on-premises environment (using SSMS) if you have set up an Express route connection to Azure.

    Using the Query editor on Azure portal to connect to your Azure SQL Database is analogous to establishing a connection from the public internet, hence the connection is denied.

    Please let us know if you have further questions.


    If an answer is helpful, please click on 130616-image.png or upvote 130671-image.png which might help other community members reading this thread.

    1 person found this answer helpful.
    0 comments No comments