DEV Community

Kenichiro Nakamura

Azure SQL : Service Endpoint vs Private Endpoint Part 2

In the previous article, I explained Service Endpoints. In this article, I will use the same setup and explain Private Endpoints.

Setup

  • Azure SQL
  • V-NET and subnets
  • VM with SSMS (SQL Server Management Studio)


The VM has both a public IP address and a private IP address in subnet1; the private address is the one that matters for the rest of this article.

Use Private Endpoint

A Private Endpoint is a network interface in one of your subnets that gets a private IP address from that subnet's range and is mapped to the Azure SQL logical server. Any component that can reach that subnet connects to the service through the private IP address rather than the Microsoft-assigned public IP address, so the traffic never leaves the virtual network.

Unlike a Service Endpoint, which is a setting on a subnet, a Private Endpoint is an Azure resource we need to provision. Let's do it.

Create a Private Endpoint for the Azure SQL server.

1. From the Add Resources menu, create a Private Endpoint.

2. Give it a name and select the region where the VNet is located.

3. In the Resource tab, select the Azure SQL server (resource type Microsoft.Sql/servers, target sub-resource sqlServer).

4. Select the VNet and the subnet where you want the private IP of the Azure SQL server to live. I selected subnet2, where no other resource exists. If you don't have a private DNS zone yet, create one (privatelink.database.windows.net) at the same time. The private DNS zone is mandatory: once the endpoint exists, the server's public name <server>.database.windows.net becomes an alias for <server>.privatelink.database.windows.net, and only a zone linked to the VNet resolves that name to the assigned private IP address. Without it, clients keep resolving the public IP.

5. Finally, create the resource.
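The same five portal steps, scripted with Azure CLI. This is an added example and not part of the original post; the resource group, server, VNet and subnet names are assumptions (set them through the environment variables at the top), and the script only talks to Azure when RUN_DEPLOY is set so it can be read and sourced safely.

```shell
#!/bin/sh
# Added example (not from the original post): provision the private endpoint
# and private DNS zone from the portal steps above with Azure CLI.
# Assumed names: resource group "rg-sqlpe", VNet "VNET1", subnet "subnet2",
# SQL logical server "sqlpe-demo". Override them via the environment.
set -eu

RG="${RG:-rg-sqlpe}"
LOCATION="${LOCATION:-japaneast}"
VNET="${VNET:-VNET1}"
PE_SUBNET="${PE_SUBNET:-subnet2}"
SQL_SERVER="${SQL_SERVER:-sqlpe-demo}"
PE_NAME="${PE_NAME:-pe-${SQL_SERVER}}"
# Azure SQL private link uses this zone; a private endpoint for Storage,
# Key Vault etc. would need a different privatelink.* zone.
DNS_ZONE="privatelink.database.windows.net"

# The name the server's public FQDN becomes an alias for once the endpoint exists.
privatelink_fqdn() {
    printf '%s.%s\n' "$1" "$DNS_ZONE"
}

deploy() {
    sql_id=$(az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv)

    # Step 4 in the portal does this silently: the endpoint subnet must have
    # private endpoint network policies disabled. This is also why NSG rules
    # on subnet2 do not filter traffic to the endpoint.
    az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
        --disable-private-endpoint-network-policies true -o none

    # Steps 1-3: the endpoint itself. group-id "sqlServer" selects the SQL
    # sub-resource of the logical server.
    az network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
        --vnet-name "$VNET" --subnet "$PE_SUBNET" \
        --private-connection-resource-id "$sql_id" \
        --group-id sqlServer --connection-name "${PE_NAME}-conn" -o none

    # Step 4: the private DNS zone, linked to VNET1 so VMs in any of its
    # subnets resolve the private address.
    az network private-dns zone create -g "$RG" -n "$DNS_ZONE" -o none
    az network private-dns link vnet create -g "$RG" --zone-name "$DNS_ZONE" \
        -n "${VNET}-link" --virtual-network "$VNET" --registration-enabled false -o none

    # The DNS zone group writes the A record (<server>.privatelink... -> 10.0.2.x)
    # into the zone and keeps it in sync with the endpoint.
    az network private-endpoint dns-zone-group create -g "$RG" \
        --endpoint-name "$PE_NAME" -n default \
        --private-dns-zone "$DNS_ZONE" --zone-name sql -o none

    pe_ip=$(az network private-endpoint show -g "$RG" -n "$PE_NAME" \
        --query 'customDnsConfigs[0].ipAddresses[0]' -o tsv)
    echo "$(privatelink_fqdn "$SQL_SERVER") -> $pe_ip"
}

# Only talk to Azure when explicitly asked: RUN_DEPLOY=1 ./pe.sh
if [ -n "${RUN_DEPLOY:-}" ]; then
    deploy
fi
```

The subnet update is the step worth remembering: the portal disables private endpoint network policies on subnet2 for you, and that setting is what later decides whether an NSG on that subnet has any effect on the endpoint.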

Verify the result from VNET

Once the private endpoint is created, we can see it in the VNet resource we assigned it to; it shows up under VNET1/subnet2.

We can also see its address in the "Connected devices" menu. The IP address is 10.0.2.4.

Verify name resolution

As the private DNS zone was also created and linked to the VNet, we can check name resolution from the VM with ping. The name is correctly resolved to the private IP address 10.0.2.4. Only the resolved address is meaningful here: private endpoints do not answer ICMP, so the ping requests themselves time out. nslookup (or Resolve-DnsName in PowerShell) shows the same result without the timeouts.

Use Private Endpoint to Access to Azure SQL

As we use Private Endpoint, we can change the firewall rule for the Azure SQL.

Update firewall rule

1. Go back to the Azure SQL resource and the "Firewalls and virtual networks" menu. Remove the subnet rule we added in the previous article.

2. We can also enable "Deny public network access" now that the Azure SQL server has a private IP through the Private Endpoint. With this set, every connection arriving at the public endpoint is rejected regardless of the IP firewall rules, so the private endpoint becomes the only way in.

3. Go back to the VM and re-connect to the SQL server. We can connect successfully without any Azure SQL firewall rule, because we now connect via the Private Endpoint. One thing to note here is that the VM is located in subnet1, whereas the Azure SQL private endpoint is located in subnet2, so cross-subnet access works as well; nothing in the VNet restricts which subnets may reach the endpoint.
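Before removing the old rule and denying public access, it is worth proving that connections really take the private path rather than trusting a successful SSMS login. The script below is an added example, not part of the original post: it assumes a client in subnet1 (10.0.1.0/24) with nslookup, sqlcmd and Azure CLI, the endpoint in subnet2 (10.0.2.0/24), and the assumed names rg-sqlpe, sqlpe-demo and subnet1-rule for the resource group, server and the service-endpoint rule from part 1. It checks DNS, asks the server which source address it saw, and only then locks the public endpoint down.

```shell
#!/bin/sh
# Added example (not from the original post): verify the private path, then
# apply the firewall changes from the steps above with Azure CLI.
set -eu

RG="${RG:-rg-sqlpe}"
SQL_SERVER="${SQL_SERVER:-sqlpe-demo}"
SQL_USER="${SQL_USER:-sqladmin}"
OLD_VNET_RULE="${OLD_VNET_RULE:-subnet1-rule}"   # service-endpoint rule from part 1
PE_PREFIX="${PE_PREFIX:-10.0.2.}"               # subnet2, where the endpoint lives
CLIENT_PREFIX="${CLIENT_PREFIX:-10.0.1.}"       # subnet1, where the VM lives
FQDN="${SQL_SERVER}.database.windows.net"

# Take the last "Address:" line of nslookup output; the first one is the
# resolver itself (e.g. "10.0.0.1#53"), the last one is the answer.
ip_from_nslookup() {
    awk '/^Address:/ { ip = $2 } END { print ip }'
}

# True when an address starts with the given prefix (simple /24-style match).
in_prefix() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 1. Name resolution: the public FQDN must end up at a subnet2 address, not
#    at an Azure public IP. Do not rely on ping replies; private endpoints
#    do not answer ICMP.
check_dns() {
    ip=$(nslookup "$FQDN" | ip_from_nslookup)
    in_prefix "$ip" "$PE_PREFIX" || { echo "still resolves publicly: $ip"; return 1; }
    echo "DNS ok: $FQDN -> $ip"
}

# 2. Path check from inside the session: ask the server which source address
#    it saw. Over the private endpoint it is the VM's subnet1 address; over
#    the public endpoint it would be the VM's public IP.
check_path() {
    src=$(sqlcmd -S "$FQDN" -d master -U "$SQL_USER" -P "${SQL_PASSWORD:?set SQL_PASSWORD}" \
        -N -h -1 -W \
        -Q "SET NOCOUNT ON; SELECT CAST(CONNECTIONPROPERTY('client_net_address') AS varchar(48))")
    in_prefix "$src" "$CLIENT_PREFIX" || { echo "unexpected source address: $src"; return 1; }
    echo "connection arrived from $src via the private endpoint"
}

# 3. Only after 1 and 2 pass: drop the service-endpoint rule and deny public
#    network access, then confirm the server reports it as Disabled.
lockdown() {
    az sql server vnet-rule delete -g "$RG" -s "$SQL_SERVER" -n "$OLD_VNET_RULE"
    az sql server update -g "$RG" -n "$SQL_SERVER" --enable-public-network false -o none
    state=$(az sql server show -g "$RG" -n "$SQL_SERVER" --query publicNetworkAccess -o tsv)
    [ "$state" = "Disabled" ] || { echo "public network access still $state"; return 1; }
    echo "public network access: $state"
}

# Only touch the network and the server when explicitly asked: RUN_CHECKS=1 ./verify.sh
if [ -n "${RUN_CHECKS:-}" ]; then
    check_dns && check_path && lockdown
fi
```

The order matters: if step 2 reports the VM's public IP, DNS is still handing out the public address (typically a missing VNet link on the private DNS zone), and denying public access at that point would cut the VM off.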

Use NSG (Network Security Group) to control access

At the time of writing, NSG support for private endpoints is in public preview. Until private endpoint network policies are enabled on subnet2, NSG rules attached to that subnet are not applied to traffic destined for the private endpoint, so the NSG on the client subnet (subnet1) is the only place to restrict which VMs may reach 10.0.2.4. See the Azure documentation on private endpoint network policies for details.

Summary

By using a Private Endpoint, we can assign a private IP address to the Azure SQL server and treat it like any other resource in the VNet. This means we can reach it from other VNets and subnets, and even from on-premises networks connected over VPN or ExpressRoute, as long as they can route to subnet2 and resolve the privatelink name. However, we need the private DNS zone to resolve its name, and we need to consider security carefully: the private endpoint removes the public exposure, but it does not by itself restrict which private clients may connect.


Top comments (1)

Noppadol26

Thanks for the explanation, it's super easy and very clear.
