Kenichiro Nakamura

Azure SQL : Service Endpoint vs Private Endpoint Part 2

In the previous article, I explained Service Endpoints. In this article, I use the same setup and explain Private Endpoints.

Setup

  • Azure SQL
  • V-NET and subnets
  • VM with SSMS (SQL Server Management Studio)

image

The VM has the following public/private IP addresses:

image

Use Private Endpoint

A Private Endpoint assigns a private IP address from one of your subnets to the Azure resource. Any other component in the network can then reach the service over that private IP address instead of the Microsoft-assigned public IP address.

Unlike a Service Endpoint, a Private Endpoint is an Azure resource that we need to provision. Let's do it.

Create a Private Endpoint for the Azure SQL server.

1. From the Add Resources menu, create a private endpoint.

image

2. Give it a name and select the region where the VNET is located.

image

3. In the Resource tab, select the Azure SQL server.

image

4. Select the VNET and the subnet where you want to place the private IP of the Azure SQL server. I selected subnet2, where no other resource exists. If you don't have a private DNS zone yet, create one at the same time. A private DNS zone is mandatory to resolve the server name to the assigned private IP address.

image

5. Finally, create the resource.
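The same five portal steps can be scripted with the Azure CLI. The script below is an added example, not code from the original post: it creates the private endpoint against the SQL server's "sqlServer" sub-resource, creates the privatelink.database.windows.net zone, links it to the VNET and lets a DNS zone group write the A record. The resource group, server name and endpoint name are placeholders; VNET1 and subnet2 are the names from the post.

```shell
#!/bin/sh
# Added example (not from the original post): provision the Private Endpoint and
# the private DNS zone with the Azure CLI instead of the portal.
# Placeholders (assumed, not values from the post): RG, SQL_SERVER, PE_NAME.
set -eu

RG="${RG:-my-rg}"                          # placeholder resource group
SQL_SERVER="${SQL_SERVER:-my-sqlserver}"   # placeholder Azure SQL logical server name
VNET="${VNET:-VNET1}"                      # VNET from the post
SUBNET="${SUBNET:-subnet2}"                # subnet chosen for the private IP in the post
PE_NAME="${PE_NAME:-sql-pe}"               # placeholder private endpoint name
PRIVATELINK_ZONE="privatelink.database.windows.net"   # zone Azure SQL uses for Private Link

# Name the server's public FQDN is aliased to inside the private DNS zone.
sql_private_fqdn() {
  printf '%s.%s\n' "$1" "$PRIVATELINK_ZONE"
}

create_private_endpoint() {
  # The portal disables private endpoint network policies on the subnet for you;
  # with the CLI it has to be done explicitly.
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --disable-private-endpoint-network-policies true

  sql_id=$(az sql server show --resource-group "$RG" --name "$SQL_SERVER" --query id -o tsv)

  # Steps 1-4 of the post: the endpoint targets the SQL server's "sqlServer" sub-resource.
  az network private-endpoint create --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sql_id" --group-id sqlServer \
    --connection-name "${PE_NAME}-conn"
}

create_private_dns() {
  # The zone is mandatory: without it the server name keeps resolving to the public IP.
  az network private-dns zone create --resource-group "$RG" --name "$PRIVATELINK_ZONE"
  az network private-dns link vnet create --resource-group "$RG" \
    --zone-name "$PRIVATELINK_ZONE" --name "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false
  # The zone group writes the endpoint's A record into the zone automatically.
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$PRIVATELINK_ZONE" --zone-name sql
}

show_private_ip() {
  az network private-endpoint show --resource-group "$RG" --name "$PE_NAME" \
    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv
}

# Only talk to Azure when explicitly asked (APPLY=1), so the file can be sourced safely.
if [ "${APPLY:-0}" = "1" ]; then
  create_private_endpoint
  create_private_dns
  echo "Private IP assigned to $(sql_private_fqdn "$SQL_SERVER"): $(show_private_ip)"
fi
```

Run it as `APPLY=1 RG=... SQL_SERVER=... sh create-pe.sh` after `az login`; the final line prints the address that should match what "Connected devices" shows for the subnet.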

Verify the result from VNET

Once the private endpoint is created, we can see it in the VNET we assigned it to. It has been added to VNET1/subnet2.

image

We can also see the address from the "Connected devices" menu. The IP address is "10.0.2.4".

image

Verify name resolution

As the private DNS zone was also added, we can check name resolution from the VM by using ping. The name is correctly resolved to the private IP address.

image
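The ping check above is easy to do by eye once; the script below is an added example (not from the original post) that makes it a repeatable test from a Linux host in the VNET: it resolves the server name and passes only when the answer lies inside the private endpoint subnet (10.0.2.0/24 in the post), failing loudly if a public address comes back because the private DNS zone is not in effect. It assumes glibc's getent is available; the server name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the Azure SQL name resolves
# into the private endpoint subnet rather than to a public address.
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 (address) lies inside $2 (CIDR block).
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True when the address is in an RFC 1918 range (never a public Azure SQL address).
is_rfc1918() {
  ip_in_cidr "$1" 10.0.0.0/8 || ip_in_cidr "$1" 172.16.0.0/12 || ip_in_cidr "$1" 192.168.0.0/16
}

# First IPv4 address the host resolver returns; inside the VNET this is where the
# private DNS zone takes effect.
resolve_first_ip() {
  getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# Exit 0 only when the name resolves into the expected private endpoint subnet.
verify_private_resolution() {
  fqdn=$1; expected_cidr=$2
  ip=$(resolve_first_ip "$fqdn")
  if [ -z "$ip" ]; then
    echo "FAIL: $fqdn did not resolve" >&2; return 1
  fi
  if ip_in_cidr "$ip" "$expected_cidr"; then
    echo "OK: $fqdn -> $ip (inside $expected_cidr, private endpoint in use)"
    return 0
  fi
  if is_rfc1918 "$ip"; then
    echo "WARN: $fqdn -> $ip is private but outside $expected_cidr" >&2
  else
    echo "FAIL: $fqdn -> $ip is public; the private DNS zone is not in effect" >&2
  fi
  return 1
}

# Usage: SQL_FQDN=my-sqlserver.database.windows.net PE_SUBNET=10.0.2.0/24 sh check-dns.sh
if [ -n "${SQL_FQDN:-}" ]; then
  verify_private_resolution "$SQL_FQDN" "${PE_SUBNET:-10.0.2.0/24}"
fi
```

The WARN branch matters in practice: an address that is private but in the wrong subnet usually means the name is being answered by a different private DNS zone or a stale record, not by the endpoint you just created.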

Use the Private Endpoint to Access Azure SQL

Now that we use a Private Endpoint, we can tighten the firewall rules for the Azure SQL server.

Update firewall rule

1. Go back to the Azure SQL resource and open the "Firewalls and virtual networks" menu. Remove the subnet we added in the previous article.

image

2. We can also enable "Deny public network access" now that a Private Endpoint is provisioned, because the Azure SQL server has a private IP.

image

3. Go back to the VM and re-connect to the SQL server. We can connect successfully without the Azure SQL firewall rule, because we now connect via the Private Endpoint. One thing to note here is that the VM is located in subnet1, whereas the Azure SQL private endpoint is located in subnet2, so cross-subnet access is also possible now.
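The two portal changes above, plus a check that they actually took effect, as an added example with the Azure CLI (not code from the original post): it deletes the VNET rule from part 1, sets public network access to Disabled, then reads the server back and reports whether the lock-down holds. The resource group, server and rule names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): lock the server down to the Private
# Endpoint and audit the result. RG, SQL_SERVER and VNET_RULE are placeholders.
set -eu

RG="${RG:-my-rg}"
SQL_SERVER="${SQL_SERVER:-my-sqlserver}"
VNET_RULE="${VNET_RULE:-subnet1-rule}"   # placeholder name of the rule added in part 1

# Returns 0 when the server's JSON says public network access is disabled.
public_access_disabled() {
  printf '%s' "$1" | grep -Eiq '"publicNetworkAccess"[[:space:]]*:[[:space:]]*"Disabled"'
}

# Returns 0 when no IP firewall rules remain (the JSON array is empty).
no_firewall_rules() {
  printf '%s' "$1" | tr -d '[:space:]' | grep -q '^\[]$'
}

lock_down() {
  # Step 1 of the post: the Service Endpoint VNET rule is no longer needed.
  az sql server vnet-rule delete --resource-group "$RG" --server "$SQL_SERVER" --name "$VNET_RULE"
  # Step 2 of the post: "Deny public network access".
  az sql server update --resource-group "$RG" --name "$SQL_SERVER" --public-network-access Disabled
}

audit() {
  server_json=$(az sql server show --resource-group "$RG" --name "$SQL_SERVER" -o json)
  rules_json=$(az sql server firewall-rule list --resource-group "$RG" --server "$SQL_SERVER" -o json)
  rc=0
  if public_access_disabled "$server_json"; then
    echo "OK: public network access denied"
  else
    echo "FAIL: public network access still enabled" >&2; rc=1
  fi
  if no_firewall_rules "$rules_json"; then
    echo "OK: no IP firewall rules left"
  else
    echo "WARN: IP firewall rules still present (inert while public access is denied)" >&2
  fi
  return $rc
}

if [ "${APPLY:-0}" = "1" ]; then
  lock_down
  audit
fi
```

After this, a connection from the VM in subnet1 is only possible because name resolution and routing go to 10.0.2.4 in subnet2; a client outside the VNET gets a "Deny Public Network Access" error from the gateway rather than a firewall-rule prompt.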

Use NSG (Network Security Group) to control access

NSG support for private endpoints is in public preview now. See here for more detail.

Summary

By using a Private Endpoint, we can assign a private IP address to the resource and treat it as a local resource like any other. This means we can access it from other VNETs and subnets, even from an on-premises network. However, we need a private DNS zone to resolve its name, and we need to consider security carefully.


Top comments (1)

Noppadol26

Thanks for the explanation, it's super easy and very clear.
