DEV Community

Kenichiro Nakamura

Azure SQL : Service Endpoint vs Private Endpoint Part 1

Azure Service Endpoints and Private Endpoints are a little confusing, so I will explain them step by step using Azure SQL as the service and a VM as the client.

In this article, I explain how a Service Endpoint works.

Setup

  • Azure SQL (a logical server with one database)
  • VNet with two subnets
  • VM in subnet1 with SSMS (SQL Server Management Studio) installed

image

The VM has the following public and private IP addresses:

image

How the VM accesses Azure SQL

When I connect to Azure SQL from the VM now, the connection leaves the VNet over the internet, so Azure SQL sees the VM's public IP address as the source, and the server-level firewall blocks it. The error message reports the public IP that was seen.

image

One option is to configure the SQL Server firewall to allow that specific public IP.

image
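The same allow-this-IP rule that the portal blade creates can be written in T-SQL. This is an added example, not a query from the original post; it is run in the master database of the logical server as the server admin, and the rule name and the VM's public IP (203.0.113.10, a documentation address) are assumptions. Use the IP that the login error reported.

```sql
-- Added example (not from the original post): server-level IP firewall rule
-- for the VM's public IP, created and verified in T-SQL.
-- Run in the master database of the logical server as the server admin.
-- Assumptions: rule name and the VM public IP 203.0.113.10 (documentation range).
EXECUTE sp_set_firewall_rule
    @name             = N'allow-ssms-vm-public-ip',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Confirm the rule exists; server-level rules are listed in master.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.firewall_rules
ORDER BY name;

-- Caveat: a /32 rule is tied to whatever public IP the VM currently sends
-- from. A VM with a dynamic public IP gets a new address after a
-- deallocate/start and loses access until the rule is updated.
-- Once the service endpoint path is working, remove the public-IP rule:
-- EXECUTE sp_delete_firewall_rule @name = N'allow-ssms-vm-public-ip';
```

Prefer a single-address range (start = end) over a wide range: the firewall rule is the only thing standing between the internet and the server's public listener, so it should admit exactly the client you mean.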

Use Service Endpoint

With a service endpoint, traffic from the VM's subnet to Azure SQL stays on the Azure backbone, and Azure SQL sees the VM's private IP rather than its public IP as the source. That is what allows the firewall to identify the subnet the client came from.

Add Service Endpoint

There are several ways to create a service endpoint; I will show one of them.

1. Go to the VNet resource and select "Service endpoints". Click "Add".

image

2. Select the service (Microsoft.Sql) and the subnet. From now on, connections from this particular subnet to the service use the VM's private IP as the source.

image

3. Once the configuration is done, try to connect to SQL again. The connection is still blocked, but the error message has changed: the IP it reports is now the VM's private IP.

image

Add the subnet to the firewall rules

1. Go to the Azure SQL server and select "Firewalls and virtual networks". Click "Add existing virtual network".

image

2. Add the subnet we configured the service endpoint for. If the service endpoint is not yet enabled on the subnet, the blade offers to enable it for us. Click "OK".

image

3. Try to connect to SQL again. Now the connection succeeds. Running a query that shows the connection's client address confirms that Azure SQL sees the VM's private IP.

image
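To check which address Azure SQL actually saw for the session, the query below can be run from SSMS on the VM. It is an added example and not the post's own query; it assumes nothing beyond a connection to any database on the server. With the service endpoint in place the client address is the VM's private IP (10.x in this setup); without it, the VM's public IP.

```sql
-- Added example (not from the original post): show the client address that
-- Azure SQL recorded for the current session, then classify it.
-- Works in any database on the logical server; no extra permissions needed
-- for the current session's own connection row.
SELECT
    CONNECTIONPROPERTY('client_net_address') AS client_net_address,
    CONNECTIONPROPERTY('net_transport')      AS net_transport,
    CONNECTIONPROPERTY('protocol_type')      AS protocol_type,
    SUSER_SNAME()                            AS login_name;

-- The same address from the connections DMV, restricted to this session.
SELECT c.session_id, c.client_net_address, c.client_tcp_port, c.connect_time
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- Classification: an RFC 1918 address means the connection arrived through a
-- service endpoint, so only a virtual network rule could have admitted it;
-- a public address means an IP firewall rule (or "Allow Azure services")
-- admitted it. PARSENAME splits on dots, part 3 is the second octet.
SELECT
    t.addr,
    CASE
        WHEN t.addr LIKE '10.%'
          OR t.addr LIKE '192.168.%'
          OR (t.addr LIKE '172.%'
              AND TRY_CAST(PARSENAME(t.addr, 3) AS int) BETWEEN 16 AND 31)
        THEN 'private IP: admitted by a virtual network rule (service endpoint path)'
        ELSE 'public IP: admitted by an IP firewall rule'
    END AS path_used
FROM (SELECT CAST(CONNECTIONPROPERTY('client_net_address') AS varchar(48)) AS addr) AS t;
```

Run the query before and after the VNet rule is added (and after moving the VM to another subnet, as in the next section): the address column is the quickest way to tell which firewall path a client is using, and it is the same value the login failure message reports.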

Move the VM to another subnet

When I move the VM to subnet2, I can no longer access Azure SQL, as expected: subnet2 has no service endpoint, so the source IP is the public IP again, and no firewall rule matches it. To restore access, we need to

  • create the service endpoint on subnet2
  • add a virtual network rule for subnet2 on the SQL server

If many subnets need to reach Azure SQL, managing one service endpoint and one virtual network rule per subnet in this way becomes troublesome.

Summary

A virtual network rule is matched against the client's source IP: the SQL server firewall has to see the client's private IP to work out which subnet the client belongs to. Without the service endpoint, the source is the public IP and no virtual network rule can match; without the rule, a private source address is simply denied. That's why we need both the service endpoint on the subnet and the firewall rule on the server.

Another important thing to note is that, even though the VM uses its private IP address as the source, it still connects to the public IP address of the Azure SQL server: the server's FQDN resolves to a public address, and the service endpoint only changes how traffic to that address is routed and which source IP the service sees.

I will explain Private Endpoint in the next article.
