Azure SQL Networking Configuration

Does this setup work when both private and service endpoints are enabled to access SQL service at the same time?

• Yes, both the service endpoint and the private endpoint can be enabled to access the SQL server simultaneously because a service endpoint is a publicly routable IP address while a private endpoint is a private IP in the address space of the virtual network where the private endpoint is configured. Also, since both the endpoints have their distinct DNS zones for routing the requests to the SQL server, it wouldn’t be much of a problem if both the service endpoint and the private endpoint access the SQL server at the same time. It’s just that they shouldn’t request data from the same table or database which would surely create some latency in communication and data processing.

If I try to create a Private Endpoint for VM's VNet to SQL, does public IP firewall at SQL still work for Web App?

• Yes, the public IP firewall will still work for the Web app as the private endpoint created for the VM’s virtual network to the SQL server will route the traffic between these two internally over selected and allowed networks privately between the two virtual networks only and thus will surely not interfere with public IP firewall configured to block or allow traffic from identified or validated sources.

When I create a Private Endpoint for VM's VNet to SQL, do I need to add any NSG rules for other subnet resources?

• When you create a private endpoint for VM’s virtual network to SQL server, you create it by referencing the subnet in which your virtual network is hosted thus, you can create multiple private endpoints in a same subnet for as many resources that are hosted in it. As a result, when you create a private endpoint for a resource in a subnet in virtual network, you don’t need to add any NSG rules for other subnet resources as this connection is a private connection to that resource.