Forum Discussion
BW_TJ
Nov 17, 2021 · Copper Contributor
Help needed for Azure Virtual Network Gateway and Azure SQL
Good morning all, just like the rest of the globe, a lot of our staff are now working from home, which means we needed to give them access to the data they used daily. We created an Azure Virtual ...
Kidd_Ip
Nov 08, 2025 · MVP
You cannot enable 'Deny Public Network Access' and still allow public access to a specific external IP. However, you can achieve secure access for both VPN users and the external agent by combining Private Endpoint access with a public IP firewall rule and Connection Policy configuration:
For VPN Users (Internal User)
- Use Private Endpoints: These allow Azure SQL access over your Virtual Network Gateway.
- Ensure DNS resolution is correctly configured so clients resolve the private endpoint (e.g., via Azure Private DNS Zone).
- Confirm NSGs and route tables allow traffic from VPN to the SQL Private Endpoint.
For External Agent (e.g. No VPN)
- Leave 'Deny Public Network Access' = OFF: This is required to allow any public IP access.
- Add a firewall rule for the external agent’s IP (or IP range) under Azure SQL Server > Networking > Firewall rules.
- Set Connection Policy to 'Proxy': This ensures traffic from public IPs is routed through Azure SQL’s gateway, which respects firewall rules.
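An added example, not part of the reply above or of any Azure tooling: a small offline audit that checks a server's network settings against the setup the reply describes and flags firewall rules wider than the single agent address. The setting names, the sample values and the `max_span` threshold are assumptions made for illustration; in practice the values would be copied from the portal or from CLI output.

```python
import ipaddress

def resolves_to_private_endpoint(resolved_ips, pe_subnet):
    """VPN path: every address returned for the server FQDN must sit in the private endpoint subnet."""
    net = ipaddress.ip_network(pe_subnet)
    return bool(resolved_ips) and all(ipaddress.ip_address(a) in net for a in resolved_ips)

def rule_bounds(rule):
    return ipaddress.ip_address(rule["start"]), ipaddress.ip_address(rule["end"])

def firewall_allows(rules, client_ip):
    """Server firewall rules are inclusive start/end address ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(lo <= ip <= hi for lo, hi in map(rule_bounds, rules))

def audit(cfg, agent_ip, max_span=16):
    """Return findings where cfg departs from the setup described in the reply."""
    findings = []
    if not cfg["public_network_access"]:
        findings.append("public network access is denied; the agent's firewall rule has no effect")
    if cfg["connection_policy"] != "Proxy":
        findings.append(f"connection policy is {cfg['connection_policy']}; the reply recommends Proxy")
    if not firewall_allows(cfg["firewall_rules"], agent_ip):
        findings.append(f"no firewall rule covers the agent IP {agent_ip}")
    for rule in cfg["firewall_rules"]:
        lo, hi = rule_bounds(rule)
        span = int(hi) - int(lo) + 1
        if int(lo) == 0 and int(hi) == 0:
            # A 0.0.0.0-0.0.0.0 rule is the "allow Azure services" switch.
            findings.append(f"rule {rule['name']} is the 0.0.0.0 allow-Azure-services rule")
        elif span > max_span:
            findings.append(f"rule {rule['name']} opens {span} addresses")
    return findings

# Constructed sample settings (documentation address ranges, not from the thread).
SAMPLE = {
    "public_network_access": True,
    "connection_policy": "Default",
    "firewall_rules": [
        {"name": "agent", "start": "203.0.113.10", "end": "203.0.113.10"},
        {"name": "legacy", "start": "192.0.2.0", "end": "192.0.2.255"},
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE, "203.0.113.10"):
        print("FINDING:", line)
    print("VPN client on private path:", resolves_to_private_endpoint(["10.1.2.5"], "10.1.2.0/24"))
```

On a VPN client, the list passed to `resolves_to_private_endpoint` would be the addresses the client actually gets when it looks up the server name, which shows whether the Private DNS zone is being used.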