DEV Community

Kenichiro Nakamura

Azure SQL : Service Endpoint vs Private Endpoint Part 1

Azure Service Endpoint and Private Endpoint are a little bit confusing, so I will explain them step by step, using SQL Azure and a VM as the client.

In this article, I will explain how Service Endpoint works.


  • Azure SQL
  • V-NET and subnets
  • VM with SSMS (SQL Server Management Studio)


The VM has the following public and private IP addresses.


How the VM accesses Azure SQL

When I access Azure SQL from the VM now, I see that the VM tries to use its public IP address to reach Azure SQL, and the connection is blocked by the SQL Server firewall.


I can configure the SQL Server firewall to allow that specific IP.


Use Service Endpoint

When we use a service endpoint, the VM uses its private IP rather than its public IP to access Azure resources.

Add Service Endpoint

There are several ways to create a service endpoint; I will explain one of them.

1. Go to the VNet resource and select "Service endpoints". Click "Add".


2. Select the service and the subnet. After this, connections from this particular subnet to the service will use the private IP.


3. Once the configuration is done, try to connect to SQL again. The error message has changed.


Add Subnet to firewall rule

1. Go to the Azure SQL Server and select "Firewalls and virtual networks". Click "Add existing virtual network".


2. Add the subnet that we configured for the service endpoint. If the service endpoint is not enabled for the subnet, the blade will add it for us. Click "OK".


3. Try to connect to SQL again. Now we can connect to Azure SQL. Running the following query shows that it uses the private IP.
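One way to check which source address Azure SQL sees for each connection, as an added example (not the author's own query). It assumes the VNet uses RFC 1918 address space; the `source_address_type` and `note` column aliases are made up for this example.

```sql
-- Added example: run in the user database from the VM (for example in SSMS).
-- Seeing sessions other than your own requires VIEW DATABASE STATE.
SELECT
    c.session_id,
    c.client_net_address,          -- source address as seen by Azure SQL
    c.net_transport,
    c.encrypt_option,
    c.connect_time,
    CASE WHEN c.session_id = @@SPID THEN 'this session' ELSE '' END AS note,
    CASE
        -- Assumption: the subnet's address space is RFC 1918.
        WHEN c.client_net_address LIKE '10.%'
          OR c.client_net_address LIKE '192.168.%'
          OR (PARSENAME(c.client_net_address, 4) = '172'
              AND TRY_CAST(PARSENAME(c.client_net_address, 3) AS int)
                  BETWEEN 16 AND 31)
            THEN 'private (RFC 1918)'
        -- Public addresses, IPv6, or values that are not a dotted IPv4 address.
        ELSE 'public or other'
    END AS source_address_type
FROM sys.dm_exec_connections AS c
ORDER BY c.connect_time DESC;
```

A row marked `private (RFC 1918)` for your own session confirms the connection was admitted through the virtual network rule; rows marked `public or other` are clients that still depend on IP firewall rules.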


Move VM to another subnet

When I move the VM to subnet2, I can no longer access Azure SQL, as expected. To enable this access, we need to

  • Create Service Endpoint
  • Add firewall rule

If many subnets need access to SQL Azure, it may be a bit troublesome to manage them this way.


It's obvious that SQL Server needs to know the client's private IP address to understand which subnet the client belongs to. That's why we need both the Service Endpoint entry and the firewall rule.

Another important thing to note is that, even though the VM uses its private IP address as the source when accessing Azure SQL, it still connects to the public IP address of Azure SQL.

I will explain Private Endpoint in the next article.
