This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 53%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETN%3C/text%3E%3C/svg%3E)
We have set up a PaaS SQL Server with no public access. It's connected via a Private Endpoint.
The network card has a private IP which we use to connect, and we have internal DNS on Windows Server to provide a suitable "A Record" for the IP.
Problem is, to connect to the database, I have to say TrustServerCertificate=yes in ODBC connection strings and in SSMS.
Would I just need to create an internal certificate for the "A record" I created so I can trust the certificate?
I looked in the Azure portal but was not able to see anything relating to certificates.
Look forward to hearing from you.
An Azure relational database service.
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
Hi, @Anonymous Welcome to Microsoft Q&A Platform, and thanks for your query.
You can follow the tutorial below:
Tutorial: Connect to an Azure SQL server using an Azure Private Endpoint - Azure portal | Microsoft Learn
No need to deal with certificates and DNS records, you can just use the public server name and it will be resolved in the private IP address automatically.
Regards
Geetha
Morning,
When I do an nslookup I get the public IP information, not my private IP I need.
How do I get Azure DNS to resolve to my private IP?
Regards
Tommy
@Anonymous Please confirm if you tried as mentioned below
Regards
Geetha
Hi yes, I have tried this but I get the same issue. We use custom DNS servers for the virtual network in Azure. Would that have anything to do with it?
Looking online it seems I may have to create a new zone on my Windows internal DNS server with the SQL server hostname and IP.
The following video shows how to do it at 4 minutes 22 seconds. I will give this a try.
https://www.youtube.com/watch?v=rXbamGNz-xQ&ab_channel=JohnSavill%27sTechnicalTraining
@Anonymous It does it automatically when you disable public access. please give a try.
Regards
Geetha
I have had public access disabled all along, but due to the Azure vnet using custom DNS servers in Active Directory I'm pretty sure I need to create a new DNS zone as per the above. I will test and get back to you all.
So I have a SQL PaaS Server in Azure, typically you connect to it using the server name which is a domain name that resolves to a public IP address. Now we have disabled public access, so we connect to it via a Private Endpoint.
Private Endpoints link the Azure Virtual Network (vnet), and our network config is done so the routing tables send the traffic to the correct location via SD-WAN etc. Connecting to the SQL Database is done via the server name, but that resolves to a public IP, which I can’t use, due to public access being disabled.
Enabling Private Endpoints creates this private DNS alias, if public access was still enabled then this alias would not exist.
So in Azure you can have Private DNS Zones which use Azure’s own DNS servers and services.
We don’t use Private DNS for the virtual network in production, we use our own DNS servers in AD.
If I do an nslookup on the server name you will see it has an alias with the zone I need to add.
When you do the nslookup for the main server name sql-server.datbase.windows.net, it resolves to the alias sql-server.privatelink.database.windows.net.
So by creating the zone in our DNS servers in AD, Azure will look at this zone return the private IP I need of 10.X.X.X for sql-server.privatelink.database.windows.net. Now because its an alias looking up the original server name will then eventually return my private IP.
The reason Microsoft do it this way is so if you wanted public access back again, Azure would add / remove this alias address providing you the correct IP you need.
Hope that helps.
@Anonymous Thanks for sharing the information here,
Thank you for visiting the Microsoft QA forums! Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Regards
Geetha
How do I mark my own answer as the correct answer?