Azure Service Endpoint and Private Endpoint are little bit confusing, so I will explain them step by step by using SQL Azure and VM as client.
In this article, I will explain how Service Endpoint works.
- Azure SQL
- V-NET and subnets
- VM with SSMS (SQL Server Management Service)
VM has following public/private IP
When I access Azure SQL from VM now, I see VM tries to use its Public IP address to access Azure SQL and it's blocked by SQL Server firewall.
I can configure SQL Server firewall to allow the specific IP.
When we use service endpoint, VM uses its private IP rather than public IP to access Azure resources.
There are several ways to create service endpoint, and I explain one of them.
1. Go to VNET resource and select "Service endpoints". Click "Add".
2. Select service and subnet. By doing this, the connection from this particular subnet to the service will use private IP.
3. Once configuration is done, try to connect to SQL again. The error message has been changed.
1. Go to Azure SQL Server and select "Firewalls and virtual networks". Click "Add existing virtual network".
2. Add the subnet which we configured for service endpoint. If we don't have service endpoint enabled for the subnet, the blade will add it for us. Click "OK".
3. Try connect to SQL again. Now we can connect to the Azure SQL. Run following query shows it uses private IP.
When I move the VM to subnet2, then I cannot access to Azure SQL anymore as expected. To enable this access, we need to
- Create Service Endpoint
- Add firewall rule
If we have too many subnets to access to the SQL Azure, it maybe a bit troublesome to manage them in this way.
It's obvious that SQL Server needs to know client's private IP address to understand which subnet the client belongs to. That's why we need both Service Endpoint entry and firewall rule.
Another important thing to note is that, even though VM uses its private IP address to access to the Azure SQL, the VM still uses Public IP address of the Azure SQL to connecting to.
I will explain Private Endpoint in the next article.