How to access Azure SQL with a service endpoint using Microsoft Entra Private Access

Access Azure services over Microsoft Entra Private Access combined with a virtual network service endpoint. The combination gives users direct connectivity over an optimal network route. A virtual network service endpoint lets you restrict network access to an Azure service resource to your virtual network and remove its exposure to the internet. Service endpoints provide a direct connection between your virtual network and supported Azure services, so you reach those services from your virtual network's private address space.

To learn more about virtual networks, see What is Azure Virtual Network?.

This article shows you how to access Azure SQL with a service endpoint using Microsoft Entra Private Access.

Prerequisites

Change Azure SQL Server connection policy to proxy

Because users connect from outside Azure, set your Azure SQL logical server's connection policy to Proxy. With the Proxy policy, the Azure SQL Database gateway terminates the client's Transmission Control Protocol (TCP) session and all subsequent packets flow through the gateway on port 1433. With the Redirect policy, the gateway would hand the client off to a database node address on a port in the 11000-11999 range; that traffic falls outside the application segment (the server FQDN on port 1433) and wouldn't be tunnelled, so sessions would fail.

To set the policy to proxy:

  1. Sign in to the Azure portal and navigate to your SQL server.
  2. In the left hand navigation under Security, select Networking.
  3. On the Connectivity tab, set Connection Policy to Proxy.
  4. Select Save.

Screenshot showing the connectivity tab on the networking page within Security section.
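The same change made with Az PowerShell, so it can be scripted and reviewed, as an added example that is not part of the original article. It sets the policy through the ARM `connectionPolicies/default` sub-resource, reads it back, and then lists the server's virtual network and IP firewall rules, because an IP firewall rule is a public-internet allow that undercuts the goal of removing internet access. The resource group name is a placeholder; the server name matches the article's example FQDN. Requires Az.Accounts and Az.Sql and a prior `Connect-AzAccount`.

```powershell
# Added example (not from the original article). Assumes Az.Accounts + Az.Sql are installed
# and Connect-AzAccount has been run. Resource group name is an assumed placeholder.
$ResourceGroup = 'rg-contoso-sql'          # assumed name
$ServerName    = 'contosodbserver1'        # matches the FQDN used in the article
$ApiVersion    = '2021-11-01'

$sub  = (Get-AzContext).Subscription.Id
$path = "/subscriptions/$sub/resourceGroups/$ResourceGroup/providers/Microsoft.Sql/servers/$ServerName/connectionPolicies/default?api-version=$ApiVersion"

# The connection policy is its own ARM sub-resource; PUT the desired connectionType.
$body = @{ properties = @{ connectionType = 'Proxy' } } | ConvertTo-Json -Depth 3
$put  = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($put.StatusCode -notin 200, 201) {
    throw "Failed to set connection policy: $($put.StatusCode) $($put.Content)"
}

# Read the policy back rather than trusting the PUT response.
$get    = Invoke-AzRestMethod -Method GET -Path $path
$policy = ($get.Content | ConvertFrom-Json).properties.connectionType
if ($policy -ne 'Proxy') { throw "Connection policy is '$policy', expected 'Proxy'" }
Write-Host "Connection policy on $ServerName is $policy"

# Network rules: the connector subnet must appear as a virtual network rule.
Write-Host 'Virtual network rules (the connector subnet should be listed):'
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroup -ServerName $ServerName |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId

# Any IP-based rule allows a public source, which is what the service endpoint design is meant to avoid.
$ipRules = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName
if ($ipRules) {
    Write-Warning 'IP firewall rules exist; review whether each one is still needed:'
    $ipRules | Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
}
```

Run it once after changing the policy; the warning at the end is the check to revisit before the validation section below, since a leftover IP rule that covers a test client's public address makes a "should fail" test pass for the wrong reason.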

Create a Global Secure Access application for the Azure SQL server

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Applications > Enterprise applications.
  3. Select New application.
  4. Choose the connector group whose connectors are deployed in the subnet that has the Azure SQL service endpoint enabled.
  5. Select Add application segment:
    • Destination type: FQDN
    • Fully Qualified Domain Name (FQDN): <FQDN of the Azure SQL server>. For example, contosodbserver1.database.windows.net.
    • Ports: 1433
    • Protocol: TCP
  6. Select Apply to add the application segment.
  7. Select Save to save the application.
  8. Assign users to the application.

Validate the configuration

First confirm that the connector machine, which sits in the service endpoint subnet, can connect and log in to the SQL server.

Then test from outside the service endpoint subnet. Computers that don't have the Global Secure Access client installed should be refused; computers that have the Global Secure Access client installed should succeed. Two caveats make the negative test meaningful: the Azure SQL gateway accepts the TCP handshake from any source and rejects a disallowed client only at login (error 40615), so a port test alone proves nothing and you need to attempt a login; and the server must have no IP firewall rule that covers the test computer's public address, or the login will succeed regardless of the client.
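A check that can be run unchanged on the connector VM, on a client with the Global Secure Access client, and on a client without it, as an added example that is not part of the original article. It reports the TCP handshake and the login attempt separately, so a client that reaches the public gateway but is refused by the server firewall (error 40615) is distinguished from one that can't reach the server at all. The parameter defaults, the credential handling and the use of System.Data.SqlClient are assumptions of this example; pass either a Microsoft Entra access token for `https://database.windows.net/` or a SQL credential.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1 or PowerShell 7
# with .NET Framework 4.7.2+ / .NET Core (needed for SqlConnection.AccessToken).
param(
    [string]$SqlFqdn     = 'contosodbserver1.database.windows.net',  # article's example server
    [int]   $Port        = 1433,          # Azure SQL listens on 1433; Proxy policy keeps all traffic on it
    [string]$AccessToken = $null,         # optional Microsoft Entra token for https://database.windows.net/
    [pscredential]$SqlCredential = $null  # SQL authentication fallback when no token is supplied
)

function Test-SqlTcp {
    # TCP handshake only. Note: the public Azure SQL gateway completes this for any source,
    # so 'open' here does NOT mean access is allowed.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "failed: $($_.Exception.GetBaseException().Message)"
    } finally { $client.Dispose() }
}

function Test-SqlLogin {
    # Full TDS login. The server firewall / VNet rule decision is enforced here.
    param([string]$HostName, [int]$Port, [string]$Token, [pscredential]$Credential)
    $cs = "Server=tcp:$HostName,$Port;Database=master;Encrypt=True;TrustServerCertificate=False;Connection Timeout=15;"
    $conn = New-Object System.Data.SqlClient.SqlConnection
    if ($Token) {
        $conn.ConnectionString = $cs
        $conn.AccessToken = $Token           # token auth: no User ID/Password in the connection string
    } elseif ($Credential) {
        $conn.ConnectionString = $cs + "User ID=$($Credential.UserName);Password=$($Credential.GetNetworkCredential().Password);"
    } else {
        throw 'Supply -AccessToken or -SqlCredential'
    }
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        return "login ok (server: $($cmd.ExecuteScalar()))"
    } catch {
        # PowerShell wraps the .NET exception; unwrap to the SqlException to read its error number.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Data.SqlClient.SqlException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Number -eq 40615) {
            return "reached gateway, blocked by server firewall (40615): $($ex.Message)"
        }
        return "login failed: $($_.Exception.GetBaseException().Message)"
    } finally { $conn.Dispose() }
}

$tcp   = Test-SqlTcp   -HostName $SqlFqdn -Port $Port
$login = Test-SqlLogin -HostName $SqlFqdn -Port $Port -Token $AccessToken -Credential $SqlCredential
[pscustomobject]@{ Host = $SqlFqdn; Port = $Port; Tcp = $tcp; Login = $login } | Format-List

# Expected results:
#   connector VM in the service endpoint subnet : Tcp = open, Login = login ok
#   client with the GSA client                  : Tcp = open, Login = login ok (tunnelled via the connector)
#   client without the GSA client               : Tcp = open (public gateway accepts the handshake),
#                                                 Login = blocked by server firewall (40615), unless an
#                                                 IP firewall rule still allows that client's public address
```

Example invocation on a client: `.\Test-AzureSqlAccess.ps1 -SqlCredential (Get-Credential)`; the file name is assumed. If the client without the Global Secure Access client reports `login ok`, an IP firewall rule or an overly broad VNet rule is allowing it, and the negative test hasn't proven anything about Private Access.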

Next steps