Azure SQL Basics - Setting up Private Endpoints on an Azure SQL Server
@20aman Feb 20, 2020
Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index
A Private Endpoint is a fundamental building block for a private link in Azure. It enables Azure resources, such as Virtual Machines (VMs), to communicate privately with linked resources. Under the hood, it creates a network interface card (NIC) for the Azure SQL Server and attaches that NIC to your virtual network, so your Azure SQL Server is assigned a private IP address from that network. From any other resource on that network you can then access the Azure SQL Server securely, without the communication leaving the network at all.
Microsoft goes one step further with Private DNS integration. It uses a private DNS zone to provide a DNS name for your Azure SQL Database Server that maps to the private IP address instead of the usual public one.
In this post, you will set up a private endpoint to the SQL server through the Azure portal. After that, you can securely access the Azure SQL Database Server from the VM.
Create a private endpoint
In this section, you will create a private endpoint to the SQL server.
On the upper-left side of the screen in the Azure portal, select Create a resource > Private Link Center (Preview).
In Private Link Center - Overview, select Private endpoints and click Add.
Enter or select this information:
- Subscription - Select your subscription.
- Resource group - Select myResourceGroup. You created this in the previous section.
Under instance details provide:
- Name - Enter myPrivateEndpoint. If this name is taken, create a unique name.
- Region - Select the geo region where you want to deploy the underlying resources.
In the next screen for "Create a private endpoint - Resource", enter or select this information:
- Connection method - Select the radio button for "Connect to an Azure resource in my directory".
- Subscription - Select your subscription.
- Resource type - Select Microsoft.Sql/servers.
- Resource - Select your server.
- Target sub-resource - Select sqlServer.
Click next once done.
In Create a private endpoint (Preview) - Configuration, enter or select this information:
Under the networking section, provide:
- Virtual network - Select MyVirtualNetwork.
- Subnet - Select mySubnet.
Under the Private DNS integration, provide:
- Integrate with private DNS zone - Select Yes.
- Private DNS Zone - Select (New) privatelink.database.windows.net.
Select Review + create. You're taken to the Review + create page where Azure validates your configuration. When you see the "Validation passed" message, select Create.
Once the private endpoint is created, your Azure SQL Server is ready to be connected to via its new private IP address. This address belongs to the virtual network you connected it to. There will also be a network interface card (NIC) resource, which is what actually links the Azure SQL Server to the virtual network.
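The same configuration as the portal steps above, written as a Bicep template. This is an added example, not part of the original post; it assumes the SQL server, virtual network (MyVirtualNetwork) and subnet (mySubnet) already exist in the target resource group, and the server name is passed in as a parameter.

```bicep
// Added example (not from the post): the portal steps as a Bicep template.
// Assumes the SQL server, VNet and subnet already exist in the resource group.
param location string = resourceGroup().location
param sqlServerName string                       // existing server (assumed name)
param vnetName string = 'MyVirtualNetwork'
param subnetName string = 'mySubnet'
param privateEndpointName string = 'myPrivateEndpoint'
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = { name: sqlServerName }
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = { name: vnetName }

// The private endpoint: a NIC in mySubnet fronting the server's 'sqlServer' sub-resource.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: { id: '${vnet.id}/subnets/${subnetName}' }
    privateLinkServiceConnections: [
      {
        name: '${privateEndpointName}-conn'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [ 'sqlServer' ]   // the target sub-resource chosen in the portal
        }
      }
    ]
  }
}

// Private DNS zone that maps the server's name to the endpoint's private IP.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}

// Link the zone to the VNet so VMs in it resolve <server>.database.windows.net privately.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

// Zone group: Azure writes the A record for the endpoint's private IP into the zone.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sqlZone', properties: { privateDnsZoneId: privateDnsZone.id } } ]
  }
}
```

Creating the endpoint does not by itself disable the server's public endpoint; that is the separate "Deny public network access" setting on the SQL server. From the VM, `nslookup <server>.database.windows.net` should return the private IP via the privatelink CNAME, which confirms the DNS integration is in effect.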