
We have a SQL Azure database and enabled VNET service endpoint. The service endpoint is listed in our VNET and the Azure SQL lists our VNET. According to documentation found here, connections from applications inside our VNET should use the Azure backbone and not travel through the public internet.

There was another Stack Overflow article asking a similar question, but I still didn't see an answer (maybe I missed it). That article is here

This is great, but I don't see how to build the connection string to utilize this internal network path since the only name available is the public DNS name (which we can still use with SSMS to manage the server from our on-premise location).

Is Azure smart enough to know that this public DNS name is routed differently when used inside the VNET versus when it's used from our on-premise site?

1 Answer

Is Azure smart enough to know that this public DNS name is routed differently when used inside the VNET versus when it's used from our on-premise site?

Yes. And that doesn't even require a VNET service endpoint. Connections within Azure, even across regions, never leave Microsoft's private networks.

A Virtual Network Service Endpoint is mostly just a firewall rule on your SQL Instance, so you can cut off all public IP access if you want.


9 Comments

Umm... are you sure it does not require the service endpoint? When the service endpoint is enabled from my VNET, I can access the Azure SQL server without any IP listed in the firewall from any VM in the VNET. When I remove the service endpoint from the VNET subnet, I get prompted to add the IP to the firewall to connect from that same VM inside the VNET. Documentation also indicated that SQL Azure must be in the same region for this to work (other services did not seem to have this requirement). Thanks for helping... just want to make sure I understand it correctly.
We also have a site-to-site to this same VNET. Documentation indicates that we would still require a public IP to administer Azure SQL from the on-premise location. That has not changed, has it?
Without a service endpoint you would need another firewall rule to enable access, and would need to open up to all Azure services. And VNet service endpoint doesn't actually remove the public IP of your server, so yes you still need to open a firewall rule to access from on-prem.
Actually, we had the Allow Azure Services set to off, which is why it didn't work without the service endpoint. When I enabled it, it did (as you said it would) allow access without it. So the service endpoint really just gives us more fine-grained control about which Azure subnets to allow versus allowing everything inside Azure, if I understand this correctly.
Azure SQL Database Managed Instance, currently in Preview, has native VNet integration. So if you need a big-ish SQL Server in Azure, and don't mind helping us preview the feature, then yes, you can do this now for Azure SQL. See learn.microsoft.com/en-us/azure/sql-database/…
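The thread above settles on a practical model: "Allow Azure services" is itself a firewall rule (stored as the 0.0.0.0 to 0.0.0.0 range, usually named AllowAllWindowsAzureIps), on-premises access still needs a public IP rule, and a VNet service endpoint adds a VNet rule that lets you drop the broad Azure-wide rule in favour of named subnets. The following is an added example, not code from the original question or answer, that audits a logical server's exposure from those two rule lists. It assumes the lists have the shape of `az sql server firewall-rule list` and `az sql server vnet-rule list` output (the field names `startIpAddress`, `endIpAddress`, `virtualNetworkSubnetId` and `ignoreMissingVnetServiceEndpoint` are taken from the ARM schema for these resources and are assumptions here); all sample rules are constructed, and the subscription id is a placeholder.

```python
"""Audit an Azure SQL logical server's network exposure from its firewall and VNet rules.

Added example (not part of the Stack Overflow thread). Input shape mirrors
`az sql server firewall-rule list` / `az sql server vnet-rule list` JSON; the
field names are assumptions taken from the ARM resource schema.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# "Allow Azure services and resources to access this server" is persisted as a
# firewall rule spanning 0.0.0.0-0.0.0.0; it admits traffic from ANY Azure tenant.
ALLOW_ALL_AZURE = (IPv4Address("0.0.0.0"), IPv4Address("0.0.0.0"))
MAX_PUBLIC_RANGE = 256  # flag on-prem ranges wider than a /24 as high severity


@dataclass
class Finding:
    severity: str
    rule: str
    message: str


@dataclass
class Exposure:
    allows_all_azure: bool = False
    public_ranges: list = field(default_factory=list)  # (name, start, end, host_count)
    vnet_subnets: list = field(default_factory=list)   # subnet resource ids
    findings: list = field(default_factory=list)


def audit_server(firewall_rules, vnet_rules):
    """Classify every rule and return an Exposure summary with findings."""
    exp = Exposure()
    for r in firewall_rules:
        start, end = IPv4Address(r["startIpAddress"]), IPv4Address(r["endIpAddress"])
        if (start, end) == ALLOW_ALL_AZURE:
            exp.allows_all_azure = True
            exp.findings.append(Finding("medium", r["name"],
                "any Azure tenant's resources can reach the public endpoint; "
                "replace with VNet rules scoped to your own subnets"))
            continue
        hosts = int(end) - int(start) + 1
        exp.public_ranges.append((r["name"], str(start), str(end), hosts))
        if hosts > MAX_PUBLIC_RANGE:
            exp.findings.append(Finding("high", r["name"],
                f"public IP rule admits {hosts} addresses; narrow it to the admin hosts"))
    for v in vnet_rules:
        exp.vnet_subnets.append(v["virtualNetworkSubnetId"])
        if v.get("ignoreMissingVnetServiceEndpoint"):
            exp.findings.append(Finding("low", v["name"],
                "rule was created before the subnet had the Microsoft.Sql endpoint; "
                "confirm the endpoint is now enabled or the rule is inert"))
    if not (exp.allows_all_azure or exp.public_ranges or exp.vnet_subnets):
        exp.findings.append(Finding("info", "-", "no rules: nothing reaches the public endpoint"))
    return exp


# Constructed sample: the "before" state from the thread (Allow Azure services on,
# plus a wide on-prem range) and the "after" state (VNet rule + one admin host).
SUBNET_ID = ("/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg/providers/"
             "Microsoft.Network/virtualNetworks/app-vnet/subnets/app")

BEFORE_FIREWALL = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "onprem-office", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.115.255"},
]
BEFORE_VNET = []

AFTER_FIREWALL = [
    {"name": "onprem-admin-jumphost", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
]
AFTER_VNET = [
    {"name": "app-subnet", "virtualNetworkSubnetId": SUBNET_ID,
     "ignoreMissingVnetServiceEndpoint": False},
]


def report(exp):
    """Render an Exposure as one line per finding (empty list means clean)."""
    return [f"[{f.severity}] {f.rule}: {f.message}" for f in exp.findings]


if __name__ == "__main__":
    for label, fw, vn in (("before", BEFORE_FIREWALL, BEFORE_VNET),
                          ("after", AFTER_FIREWALL, AFTER_VNET)):
        print(f"== {label} ==")
        for line in report(audit_server(fw, vn)) or ["clean"]:
            print(line)
```

The "after" state keeps the same public DNS name the question asks about (no separate internal hostname exists), but only the listed subnet and the single admin host can get past the server firewall; everything else, including other tenants' Azure resources, is refused before authentication.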
