Kenichiro Nakamura

Azure SQL: Service Endpoint vs Private Endpoint Part 1

Azure Service Endpoint and Private Endpoint are a little bit confusing, so I will explain them step by step, using Azure SQL and a VM as the client.

In this article, I will explain how Service Endpoint works.

Setup

  • Azure SQL
  • V-NET and subnets
  • VM with SSMS (SQL Server Management Service)

image

The VM has the following public and private IP addresses:

image

How the VM accesses Azure SQL

When I access Azure SQL from the VM now, I see that the VM tries to use its public IP address to access Azure SQL, and it's blocked by the SQL Server firewall.

image

I can configure the SQL Server firewall to allow that specific IP.

image

Use Service Endpoint

When we use a service endpoint, the VM uses its private IP rather than its public IP to access Azure resources.

Add Service Endpoint

There are several ways to create a service endpoint; I will explain one of them.

1. Go to the VNET resource and select "Service endpoints". Click "Add".

image

2. Select the service and subnet. By doing this, connections from this particular subnet to the service will use the private IP.

image

3. Once configuration is done, try to connect to SQL again. The error message has changed.

image

Add Subnet to firewall rule

1. Go to the Azure SQL Server and select "Firewalls and virtual networks". Click "Add existing virtual network".

image

2. Add the subnet which we configured for the service endpoint. If we don't have the service endpoint enabled for the subnet, the blade will add it for us. Click "OK".

image

3. Try connecting to SQL again. Now we can connect to Azure SQL. Running the following query shows that it uses the private IP.

image

Move the VM to another subnet

When I move the VM to subnet2, I can no longer access Azure SQL, as expected. To enable this access, we need to:

  • Create Service Endpoint
  • Add firewall rule

If we have many subnets that need access to Azure SQL, it may be a bit troublesome to manage them this way.
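
The two portal steps above (service endpoint on the subnet, then a virtual network rule on the SQL server firewall) scripted for several subnets with the Azure CLI, as an added example that is not part of the original post. The resource names and the `allow-<vnet>-<subnet>` rule-name pattern are constructed; the function only prints the commands so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the Azure CLI commands for
# the two portal steps, once per subnet. All resource names are constructed.

# Reject empty names and anything outside [A-Za-z0-9._-], because the printed
# commands are meant to be piped into a shell.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# plan_sql_subnet_access RG VNET SQL_SERVER SUBNET [SUBNET...]
plan_sql_subnet_access() {
  [ "$#" -ge 4 ] || { echo "usage: plan_sql_subnet_access RG VNET SERVER SUBNET..." >&2; return 2; }
  # Validate every argument before printing anything, so a bad name yields no partial plan.
  for n in "$@"; do
    valid_name "$n" || { echo "invalid resource name: $n" >&2; return 1; }
  done
  rg=$1 vnet=$2 server=$3
  shift 3
  for subnet in "$@"; do
    # Step 1: enable the Microsoft.Sql service endpoint on the subnet.
    # --service-endpoints sets the subnet's endpoint list, so add any other
    # endpoints the subnet already uses to this argument.
    echo "az network vnet subnet update --resource-group $rg --vnet-name $vnet --name $subnet --service-endpoints Microsoft.Sql"
    # Step 2: add the subnet as a virtual network rule on the SQL server firewall.
    # The rule name pattern is an assumption chosen for this example.
    echo "az sql server vnet-rule create --resource-group $rg --server $server --name allow-$vnet-$subnet --vnet-name $vnet --subnet $subnet"
  done
}

# Constructed sample: both subnets from the article's scenario.
plan_sql_subnet_access demo-rg demo-vnet demo-sqlserver subnet1 subnet2
```

After reviewing the printed plan, pipe the output to `sh` in a session that is already logged in with `az login`.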

Summary

It's obvious that SQL Server needs to know the client's private IP address to understand which subnet the client belongs to. That's why we need both the Service Endpoint entry and the firewall rule.

Another important thing to note is that, even though the VM uses its private IP address to access Azure SQL, the VM still connects to the public IP address of Azure SQL.

I will explain Private Endpoint in the next article.
