Forum Discussion

BW_TJ
Copper Contributor
Nov 17, 2021

Help needed for Azure Virtual Network Gateway and Azure SQL

Good morning all,

Just like the rest of the globe, a lot of our staff are now working from home, which means we needed to give them access to the data they used daily. We created an Azure Virtual Desktop solution; however, we now need to work on getting a VPN working.

We have got the Virtual Network Gateway set up and working for access to our Standard SQL VMs. NSGs are in place for DNS and the SQL ports; however, when we turn our attention to Azure SQL, it gets a bit more complicated.

I have created the Private Endpoints for each of the Azure SQL instances we require; this wasn't a problem. Our issue is that the main production database needs to be accessed by an external agent who will not have access to the VPN. 90% of the users who will connect to this database won't have a static IP, so leaving 'Deny Public Network Access' unchecked isn't possible.

Is there a way to have 'Deny Public Network Access' checked so our VPN users can use the Private Endpoint while still giving public access to a single external user? Previously, they have had the database firewall configured with their IP ranges, so this is only appearing as an issue now with the impending denial of public access.

Hope that makes sense.


1 Reply

You cannot enable 'Deny Public Network Access' and still allow public access to a specific external IP. However, you can achieve secure access for both VPN users and the external agent by combining Private Endpoint access with a public IP firewall rule and Connection Policy configuration:

For VPN Users (Internal Users)

• Use Private Endpoints: These allow Azure SQL access over your Virtual Network Gateway.
• Ensure DNS resolution is correctly configured so clients resolve the private endpoint (e.g., via an Azure Private DNS Zone).
• Confirm NSGs and route tables allow traffic from the VPN to the SQL Private Endpoint.

For the External Agent (No VPN)

• Leave 'Deny Public Network Access' = OFF: This is required to allow any public IP access.
• Add a firewall rule for the external agent's IP (or IP range) under Azure SQL Server > Networking > Firewall rules.
• Set Connection Policy to 'Proxy': This ensures traffic from public IPs is routed through Azure SQL's gateway, which respects firewall rules.
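The configuration the reply describes, written out as an added Bicep example (not code from the thread or from Microsoft): public network access left enabled with a single-address firewall rule for the agent, the connection policy set to Proxy, and a Private Endpoint with a DNS zone group for VPN users. The parameter names and the `external-agent` rule name are assumptions; the subnet and the `privatelink.database.windows.net` zone are assumed to exist already and are passed in by resource ID.

```bicep
param location string = resourceGroup().location
param sqlServerName string
param subnetId string          // subnet routable from the Virtual Network Gateway
param privateDnsZoneId string  // existing privatelink.database.windows.net zone
param agentIp string           // external agent's public IP (supply a real value at deploy time)
@secure()
param adminPassword string

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: adminPassword
    minimalTlsVersion: '1.2'
    // 'Disabled' is the portal's 'Deny Public Network Access'; it would also
    // block the agent's firewall rule below, so it stays 'Enabled'.
    publicNetworkAccess: 'Enabled'
  }
}

// Single-address rule for the external agent; VPN users never use the public path.
resource agentRule 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {
  parent: sqlServer
  name: 'external-agent'
  properties: { startIpAddress: agentIp, endIpAddress: agentIp }
}

resource connPolicy 'Microsoft.Sql/servers/connectionPolicies@2021-11-01' = {
  parent: sqlServer
  name: 'default'
  properties: { connectionType: 'Proxy' }
}

// Private endpoint for VPN users; the DNS zone group maps the server FQDN to the private IP.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${sqlServerName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'sql'
        properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] }
      }
    ]
  }
}
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: privateDnsZoneId } } ] }
}
```

After deployment, check from a VPN client that the server name resolves to the private endpoint address, and from the agent's host that it resolves to the public address.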
