Blog Post

Azure Database Support Blog
2 MIN READ

Connect from Azure SQL database to Storage account using Private Endpoint

Editah's avatar
Editah
Icon for Microsoft rankMicrosoft
Jun 19, 2024

We have cases where our customers want to access from Azure SQL Database to Azure Storage Account(SA) using Private Endpoint(PE).

 

For additional information how you can configure PE for your storage account, please visit the following link: Tutorial: Connect to a storage account using an Azure Private Endpoint.  The process involves configuring the private endpoint for the storage account to allow secure and private communication between the Azure resources and your storage account. 

 

I would like to clarify that the use of a private endpoint is a connection from a VNET to a resource. However, since Azure SQL DB is not VNET integrated, it is not possible to access from Azure SQL Database to a storage account via a private endpoint.The PE can still exist for other resources that can connect to the SA using PE, as example Azure SQL MI or Virtual Machines, but Azure SQL DB can't use it. 

 

To ensure secure access, please use the Selected Networks, which are public but restricted, and opt for the Trusted option. Make sure to specify the trusted server, verify that the server's managed identity is granted RBAC access, and opt for managed identity instead of SAS for the Database credential.

 

Let me share the step-by-step configuration:

1.- Enable de managed identity (MI) from the server:

 

2.- From the SA specify server that will have access to your storage account based on their MI: 

 

3.- Add the Storage Blob Data Contributor role to the container:

4.- Upload your file to the container:

 

5.- From SSMS connect to your database:

5.1: Create credential to use the Azure SQL System Managed Identity:

 

--Step 1: Create credential to use the Azure SQL System Managed Identity
CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = 'MANAGED IDENTITY';

 

 

5.2: Create Data Source:

 

--Step 2: Create Data Source
CREATE EXTERNAL DATA SOURCE <datasource_name>    
WITH (        
TYPE = BLOB_STORAGE,        
LOCATION = '<https://saaccount.blob.core.windows.net/container>',        
CREDENTIAL = <credential_name from step 1>    
);

 

 

5.3: Import from Data Source:

 

--Step 3: Import from Data Source
BULK INSERT dbo.<table name>  --Table to insert data into
FROM '<filename>.<fileextension>' --Location of the file [containername/filename]     
WITH (      
DATA_SOURCE = '<datasource_name from step 2>' -- External datasource name      
,FIRSTROW = 2      
,FORMAT='CSV'      
,FIELDTERMINATOR = '|'  -- set the right one    
,ROWTERMINATOR = '0x0a'      
,CODEPAGE = '65001'      
,BATCHSIZE=100000      
,TABLOCK);

 

 

Updated Jul 05, 2024
Version 2.0
No CommentsBe the first to comment