Azure SQL Networking Configuration

I am trying to configure the network setting for Azure SQL server. I have got three services interacting with SQL. They are VM, Azure Data Factory and Web Service. Below are their details.

  1. VM --> It's under Solution VNet
  2. Azure Data Factory --> Configured with Managed Vnet
  3. Web App --> Under its own VNet called Web Vnet. This is not peered with solution VNet.

VM will access SQL using Service Endpoint. ADF will access SQL using Private Endpoint as it uses its own managed VNet. Finally, the Web App will access SQL using its public IP whitelisted at the Server's network setting. The following picture explains the setup.


Below are my questions:

  1. Does this setup work when both private and service endpoints are enabled to access SQL service at the same time?
  2. If I try to create a Private Endpoint for VM's VNet to SQL, does public IP firewall at SQL still work for Web App?
  3. When I create a Private Endpoint for VM's VNet to SQL, do I need to add any NSG rules for other subnet resources?

Note: I still keep "Deny public network access: No".



Solution 1:[1]

Does this setup work when both private and service endpoints are enabled to access SQL service at the same time?

• Yes, both the service endpoint and the private endpoint can be enabled to access the SQL server simultaneously, because a service endpoint is a publicly routable IP address while a private endpoint is a private IP in the address space of the virtual network where the private endpoint is configured. Also, since both endpoints have their own distinct DNS zones for routing the requests to the SQL server, it wouldn’t be much of a problem if both the service endpoint and the private endpoint access the SQL server at the same time. It’s just that they shouldn’t request data from the same table or database, which would surely create some latency in communication and data processing.

If I try to create a Private Endpoint for VM's VNet to SQL, does public IP firewall at SQL still work for Web App?

• Yes, the public IP firewall will still work for the Web app as the private endpoint created for the VM’s virtual network to the SQL server will route the traffic between these two internally over selected and allowed networks privately between the two virtual networks only and thus will surely not interfere with public IP firewall configured to block or allow traffic from identified or validated sources.

When I create a Private Endpoint for VM's VNet to SQL, do I need to add any NSG rules for other subnet resources?

• When you create a private endpoint for the VM’s virtual network to the SQL server, you create it by referencing the subnet in which your virtual network is hosted; thus, you can create multiple private endpoints in the same subnet for as many resources as are hosted in it. As a result, when you create a private endpoint for a resource in a subnet in a virtual network, you don’t need to add any NSG rules for other subnet resources, as this connection is a private connection to that resource.
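The three access paths from the question can be checked with a small decision model, added here as an example that is not part of the original question or answer and is not Azure's own code. It is a simplification: the VNet, subnet and IP values are constructed, a client in a VNet with an approved private endpoint is assumed to resolve the server to that endpoint, and the last case shows the effect of switching "Deny public network access" to Yes, which closes the public endpoint that service endpoints and IP firewall rules rely on.

```python
import ipaddress
from dataclasses import dataclass, field
@dataclass
class SqlServerNetwork:
    """Simplified model of an Azure SQL logical server's network settings."""
    deny_public_network_access: bool = False
    ip_rules: list = field(default_factory=list)              # (start_ip, end_ip) pairs
    vnet_rule_subnets: set = field(default_factory=set)       # subnets with a VNet rule
    private_endpoint_vnets: set = field(default_factory=set)  # VNets with an approved PE

@dataclass
class Client:
    name: str
    vnet: str = None
    subnet: str = None
    public_ip: str = None

def allowed_path(server, client):
    """Return the path that admits the client, or None if it is refused."""
    # A private endpoint gives the server a private IP inside the client's VNet.
    if client.vnet in server.private_endpoint_vnets:
        return "private-endpoint"
    # Service endpoints and IP firewall rules both use the public endpoint.
    if server.deny_public_network_access:
        return None
    if client.subnet in server.vnet_rule_subnets:
        return "service-endpoint"
    if client.public_ip:
        ip = ipaddress.ip_address(client.public_ip)
        for start, end in server.ip_rules:
            if ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
                return "ip-firewall"
    return None

# Constructed names and addresses (203.0.113.0/24 is a documentation range).
CLIENTS = [
    Client("vm", vnet="solution-vnet", subnet="solution-vnet/vm-subnet"),
    Client("adf", vnet="adf-managed-vnet"),
    Client("webapp", vnet="web-vnet", public_ip="203.0.113.10"),
]

def evaluate(deny_public=False, extra_pe_vnets=()):
    server = SqlServerNetwork(deny_public, [("203.0.113.10", "203.0.113.10")],
                              {"solution-vnet/vm-subnet"}, {"adf-managed-vnet", *extra_pe_vnets})
    return {c.name: allowed_path(server, c) for c in CLIENTS}
if __name__ == "__main__":
    print(evaluate())                                  # setup as described in the question
    print(evaluate(extra_pe_vnets=["solution-vnet"]))  # question 2: PE for the VM's VNet
    print(evaluate(deny_public=True))                  # "Deny public network access: Yes"
```
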

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KartikBhiwapurkar-MT