Azure SQL Networking Configuration

Senthilnathan Jegadeeswaran 36 Reputation points
2022-05-04T14:27:08.04+00:00

Hi,

I am trying to configure the network setting for Azure SQL server. I have got three services interacting with SQL. They are VM, Azure Data Factory and Web Service. Below are their details.

  1. VM --> It's under Solution VNet
  2. Azure Data Factory --> Configured with Managed Vnet
  3. Web App --> Under its own VNet called Web Vnet. This is not peered with solution VNet.

VM will access SQL using Service Endpoint. ADF will access SQL using Private Endpoint as it uses its own managed VNet. Finally, the Web App will access SQL using its public IP whitelisted at the Server's network setting. The following picture explains the setup.


Below are my questions:

  1. Does this setup work when both private and service endpoints are enabled to access SQL service at the same time?
  2. If I try to create a Private Endpoint for VM's VNet to SQL, does public IP firewall at SQL still work for Web App?
    Note: I still keep "Deny public network access: No".

Answer accepted by question author
  1. Oury Ba-MSFT 21,121 Reputation points Microsoft Employee Moderator
    2022-06-08T20:16:58.383+00:00

    Hi @senthilnathanjegadeeswaran-0788 Thank you for posting your query on Microsoft Q&A and for using Azure services.

    In response to this question: *I have now tested by creating a private endpoint to the VM subnet and the connectivity works from the VM to SQL. However, a VM in another subnet under the same VNet is not able to reach SQL DB. Subnets do have NSGs enforced. Not sure if this was due to DNS issue, routing or NSG rules.*

    Looks like you are pinging from one subnet to another. The traffic must be able to get out of the first subnet and into the second. Therefore, you need to define both inbound and outbound rules.

    See: https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
    https://stackoverflow.com/questions/62601960/azure-vms-on-the-same-vnet-different-subnet-can-not-ping-to-port-other-then-338

    Regards,
    Oury


1 additional answer

Sort by: Most helpful
  1. Sam Cogan 10,822 Reputation points Microsoft Employee Volunteer Moderator
    2022-05-04T21:03:45.28+00:00

    SQL server does support access over Private Endpoint and Service Endpoints at the same time; however, if you're leaving public access on the database, then using service endpoints on your VM has little point. You're not locking down who can connect, and service endpoint traffic still goes over the internet, so you may as well use public access. Using a private endpoint with your VM instead would give you the benefit of traffic routing over the private network.

    If you want the most secure configuration you would do the following:

    • Switch the VM to use private endpoints to talk to SQL
    • Enable vnet integration to join your web app to a vnet, configure a SQL private endpoint (if the vNet doesn't already have one) for the web app to talk to SQL
    • Disable public access and access from Azure Services.
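    The three steps above expressed as a Bicep template (an added example, not code from either answer): the SQL server is deployed with public network access disabled and no "Allow Azure services" firewall rule, a private endpoint is placed in the Solution VNet, and a `privatelink.database.windows.net` private DNS zone is linked to that VNet so that every subnet in it, not only the endpoint's subnet, resolves the server name to the private IP. Parameter names, the `sqladmin` login and the assumption that the Solution VNet and its subnet already exist are mine.

```bicep
param location string = resourceGroup().location
param sqlServerName string
param peSubnetId string      // assumed: subnet in the Solution VNet hosting the endpoint
param solutionVnetId string  // assumed: the Solution VNet to link the DNS zone to
@secure()
param adminPassword string

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: 'sqladmin'       // assumed login name
    administratorLoginPassword: adminPassword
    publicNetworkAccess: 'Disabled'      // "Deny public network access: Yes"
    minimalTlsVersion: '1.2'
  }
}
// Deliberately no Microsoft.Sql/servers/firewallRules resource: omitting the
// 0.0.0.0 rule keeps "Allow Azure services and resources" switched off.

resource sqlPe 'Microsoft.Network/privateEndpoints@2021-05-01' = {
  name: '${sqlServerName}-pe'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [ {
      name: '${sqlServerName}-plsc'
      properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] }
    } ]
  }
}

// The zone link is VNet-wide, so a VM in any subnet of the Solution VNet
// resolves <server>.database.windows.net to the endpoint's private address.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'solution-vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: solutionVnetId } }
}

resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
  parent: sqlPe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

The Web App side (regional VNet integration into a subnet of a VNet that is linked to the same zone) is not shown; once it is in place, NSG rules on the endpoint subnet still need to allow inbound 1433 from the client subnets, which is the point the accepted answer makes.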
