DEV Community

Kenichiro Nakamura

Azure SQL : Service Endpoint vs Private Endpoint Part 2

In the previous article, I explained Service Endpoints. In this article, I will use the same setup and explain Private Endpoints.

Setup

  • Azure SQL
  • V-NET and subnets
  • VM with SSMS (SQL Server Management Studio)

The VM has the following public and private IP addresses.

Use Private Endpoint

A Private Endpoint assigns a private IP address to the Azure resource. Because that IP address lives in one of your subnets, any other component can reach the service over the private IP address instead of the Microsoft-assigned public IP address.

Unlike a Service Endpoint, a Private Endpoint is an Azure resource we need to provision. Let's do it.

Create a Private Endpoint for the Azure SQL server.

1. From the Add Resources menu, create a private endpoint.

2. Give it a name and choose the region where the VNET is located.

3. In the Resource tab, select the Azure SQL server.

4. Select the VNET and the subnet where you want to place the private IP of the Azure SQL server. I selected subnet2, where no other resource exists. If you don't have a private DNS zone yet, create one at the same time. Private DNS is mandatory to resolve the server's name to the assigned private IP address.

5. Finally, create the resource.

Verify the result from VNET

Once the private endpoint is created, we can see it in the VNET resource we assigned it to. As we can see, it is added to VNET1/subnet2.

We can also see the address in the "Connected devices" menu. The IP address is "10.0.2.4".

Verify name resolution

Because the private DNS zone was also added, we can check name resolution from the VM with ping. The name is correctly resolved to the private IP address.

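The ping check above, and the "Deny public network access" step later in the article, both rely on the same condition: the server's name must resolve to the private endpoint's IP from inside the VNET. The following Python script is an added example (not code from the original post or from Microsoft) that turns that condition into a pre-flight check you can run on the VM before removing firewall rules or denying public access. The server name, the 10.0.2.0/24 prefix for subnet2, and the expected address 10.0.2.4 are assumptions taken from or modelled on the article's screenshots; the resolver is injectable so the check can also be exercised offline with constructed answers.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical server name; replace with the real <server>.database.windows.net.
SQL_SERVER_FQDN = "mysqlserver.database.windows.net"
# Assumed prefix of subnet2, the subnet the private endpoint was placed in.
ENDPOINT_SUBNET = ipaddress.ip_network("10.0.2.0/24")
# The address shown under "Connected devices" in the article.
EXPECTED_PRIVATE_IP = ipaddress.ip_address("10.0.2.4")

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a name with the OS resolver, i.e. the same path ping uses on the VM."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build a resolver backed by a constructed answer table (for offline runs/tests)."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[name]
    return resolve


def check_private_resolution(
    name: str,
    subnet: ipaddress.IPv4Network,
    expected_ip: Optional[ipaddress.IPv4Address] = None,
    resolve: Resolver = system_resolver,
) -> Tuple[bool, str]:
    """Return (ok, message). ok is True only if every resolved address is a private IP
    inside the endpoint subnet and, when given, the expected endpoint address is present.
    Any failure means the private DNS zone is not linked to this VNET, the endpoint sits
    in a different subnet than assumed, or the name is wrong; denying public access at
    that point would lock the VM out of the server."""
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(name)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"{name}: resolution failed ({exc})"
    if not addrs:
        return False, f"{name}: no A records returned"

    public = [str(a) for a in addrs if not a.is_private]
    if public:
        return False, (f"{name} still resolves to public address(es) {public}; "
                       "is the private DNS zone linked to this VNET?")

    outside = [str(a) for a in addrs if a not in subnet]
    if outside:
        return False, f"{name} resolves to {outside}, which is outside {subnet}"

    if expected_ip is not None and expected_ip not in addrs:
        return False, (f"{name} resolves to {[str(a) for a in addrs]} "
                       f"but the private endpoint address is {expected_ip}")

    return True, f"{name} -> {[str(a) for a in addrs]} (private, inside {subnet})"


def safe_to_deny_public_access(resolve: Resolver = system_resolver) -> bool:
    """Gate for step 2 of 'Update firewall rule': only deny public access once the
    name resolves to the private endpoint from where the clients run."""
    ok, message = check_private_resolution(
        SQL_SERVER_FQDN, ENDPOINT_SUBNET, EXPECTED_PRIVATE_IP, resolve=resolve
    )
    print(message)
    return ok


if __name__ == "__main__":
    # Offline demonstration with constructed answers; on the VM, call
    # safe_to_deny_public_access() with the default system resolver instead.
    good = fake_resolver({SQL_SERVER_FQDN: ["10.0.2.4"]})
    bad = fake_resolver({SQL_SERVER_FQDN: ["40.78.233.0"]})  # constructed public IP
    safe_to_deny_public_access(resolve=good)
    safe_to_deny_public_access(resolve=bad)
```

Run it on the VM with the real server name before flipping "Deny public network access"; a false result is the signal to fix the DNS zone link or the subnet choice first rather than to loosen the firewall again.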
Use Private Endpoint to Access Azure SQL

Now that we use a Private Endpoint, we can change the firewall rules for the Azure SQL server.

Update firewall rule

1. Go back to the Azure SQL resource and its "Firewalls and virtual networks" menu. Remove the subnet we added in the previous article.

2. We can also enable "Deny public network access" once the Private Endpoint is provisioned, because the Azure SQL server now has a private IP address.

3. Go back to the VM and re-connect to the SQL server. The connection succeeds without the Azure SQL firewall rule because we now connect via the Private Endpoint. One thing to note here is that the VM is located in subnet1, whereas the Azure SQL private endpoint is located in subnet2, so cross-subnet access also works now.

Use NSG (Network Security Group) to control access

NSG support for private endpoints is in public preview now. See here for more detail.

Summary

By using a Private Endpoint, we assign a private IP address to the service and can treat it as a local resource like any other. This means we can reach the resource from other VNETs and subnets, even from an on-premises network. However, we need a private DNS zone to resolve its name, and we need to consider security carefully.