In the previous article, I explained Service Endpoint. In this article, I will use the same setup and explain Private Endpoint. The setup is:
- Azure SQL
- VNET and subnets
- VM with SSMS (SQL Server Management Studio)
The VM has the following public and private IP addresses:
A private endpoint assigns a private IP address from one of your subnets to the Azure resource. Because the resource now has a private IP address in that subnet, any other component can reach the service through that private IP address rather than through the Microsoft-assigned public IP address.
Unlike a Service Endpoint, a Private Endpoint is an Azure resource that we need to provision. Let's do it.
1. From the Add Resources menu, create a private endpoint.
2. Give it a name and select the region where the VNET is located.
3. In the Resource tab, select the Azure SQL.
4. Select the VNET and the subnet where you want to place the private IP address of the Azure SQL. I selected subnet2, where no other resource exists. If you don't have a private DNS zone yet, create one at the same time. A private DNS zone is mandatory to resolve the server name to the assigned private IP address.
5. Finally, create the resource.
Once the private endpoint is created, we can see it in the VNET resource we assigned it to. As we can see, it has been added to VNET1/subnet2.
We can also see the address from the "Connected devices" menu. The IP address is "10.0.2.4".
As the private DNS zone was also added, we can check name resolution from the VM by using ping. The name is correctly resolved to the private IP address.
As we now use a Private Endpoint, we can change the firewall rule for the Azure SQL.
1. Go back to the Azure SQL resource and the "Firewalls and virtual networks" menu. Remove the subnet we added in the previous article.
2. We can also enable "Deny public network access" now that we have provisioned a Private Endpoint, as the Azure SQL now has a private IP address.
3. Go back to the VM and re-connect to the SQL server. We can successfully connect without the Azure SQL firewall rule, as we now connect via the Private Endpoint. One thing to note here is that the VM is located in subnet1, whereas the Azure SQL private endpoint is located in subnet2, so cross-subnet access is also possible now.
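The two step lists above are portal clicks. The script below is an added example, not part of the original article, that does the same work from the Azure CLI (steps 1-5 as `provision`, firewall steps 1-2 as `lockdown`) and adds the check that step 3 silently relies on: from the VM, the server name must resolve to an address inside the private endpoint's subnet, otherwise the client would still be heading for the public IP that we just denied. VNET1 and subnet2 are the article's names; the resource group, location, server name, endpoint name and the 10.0.2.0/24 range for subnet2 are assumed placeholders, while `privatelink.database.windows.net` and the `sqlServer` group id are the fixed Azure values for Azure SQL.

```shell
#!/bin/sh
# Added example (not from the article): the article's portal steps as Azure CLI calls,
# plus a check that the SQL server name resolves to the private-endpoint address.
# VNET1 / subnet2 come from the article; everything else below is an assumed placeholder.
RG="${RG:-rg-demo}"
LOCATION="${LOCATION:-japaneast}"
SQL_SERVER="${SQL_SERVER:-my-sql-server}"        # server name without .database.windows.net
VNET="${VNET:-VNET1}"
SUBNET="${SUBNET:-subnet2}"
PE_NAME="${PE_NAME:-pe-sql}"
PE_SUBNET_CIDR="${PE_SUBNET_CIDR:-10.0.2.0/24}"  # assumed range of subnet2 (article shows 10.0.2.4)
ZONE="privatelink.database.windows.net"          # Azure's private link zone name for Azure SQL

# --- steps 1-5: private endpoint + private DNS zone ---------------------------------
provision_private_endpoint() {
  sql_id=$(az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv)
  # The subnet must allow private endpoints (network policies disabled); the portal does that for you.
  az network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sql_id" --group-id sqlServer \
    --connection-name "${PE_NAME}-conn"
  # Zone + VNET link: without these the server name keeps resolving to the public IP.
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -n "${VNET}-link" -z "$ZONE" \
    -v "$VNET" --registration-enabled false
  # Zone group: Azure maintains the A record for the endpoint's private IP in the zone.
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$ZONE" --zone-name sql
  az network private-endpoint show -g "$RG" -n "$PE_NAME" \
    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv   # prints the assigned private IP
}

# --- firewall steps 1-2: remove the service-endpoint rule, deny public access ------
lock_down_public_access() {
  az sql server vnet-rule delete -g "$RG" --server "$SQL_SERVER" -n "$1"
  az sql server update -g "$RG" -n "$SQL_SERVER" --enable-public-network false
}

# --- verification: is the name really answered from the private zone? --------------
ip_to_int() {
  # dotted quad -> 32-bit integer, using only POSIX sh arithmetic
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
  # usage: ip_in_cidr 10.0.2.4 10.0.2.0/24 ; exit status 0 when the address is inside
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

resolve_host() {
  # first IPv4 answer from the VM's own resolver (getent is standard on Linux)
  getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

verify_private_resolution() {
  # $1 = server FQDN, $2 = private-endpoint subnet CIDR
  addr=$(resolve_host "$1")
  if [ -z "$addr" ]; then
    echo "FAIL: $1 did not resolve" >&2
    return 2
  fi
  if ip_in_cidr "$addr" "$2"; then
    echo "OK: $1 -> $addr is inside $2; connections will use the private endpoint"
    return 0
  fi
  echo "FAIL: $1 -> $addr is outside $2; this VM is not using the private DNS zone" >&2
  return 1
}

case "${1:-}" in
  provision) provision_private_endpoint ;;
  lockdown)  lock_down_public_access "${2:?name of the VNet rule to delete}" ;;
  verify)    verify_private_resolution "${SQL_SERVER}.database.windows.net" "$PE_SUBNET_CIDR" ;;
esac
```

Run `sh pe.sh provision` and `sh pe.sh lockdown <vnet-rule-name>` from anywhere with the CLI logged in, and `sh pe.sh verify` on the VM itself, because name resolution is what differs per client. A `verify` failure showing a public address means the VM is bypassing the private zone, typically because the zone is linked to a different VNET or the VM uses a custom DNS server that does not forward to Azure-provided DNS (168.63.129.16); with "Deny public network access" enabled, such a client fails to connect at all, which is the safe outcome but a confusing one to debug without this check.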
NSG support for private endpoints is in public preview now. See here for more detail.
By using a Private Endpoint, we can assign a private IP address to the resource and treat it as a local resource like any other. This means we can access the resource from other VNETs/subnets and even from an on-premises network. However, we need a private DNS zone to resolve its name, and we need to consider security carefully.