Azure Database Support Blog
Connect from Azure VM (VNet) to an Azure SQL Database

hugo_sql
Microsoft
Jul 24, 2023

I'm going to show you different configurations to connect your Azure VM (VNet) to your Azure SQL Database. These are the four options:

OPTION 1

PUBLIC ENDPOINT: DISABLED

PRIVATE ENDPOINT: ENABLED

OPTION 2

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: VIRTUAL NETWORK RULE

OPTION 3

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: ALLOW AZURE SERVICES AND RESOURCES TO ACCESS THIS SERVER 

OPTION 4

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: PUBLIC IP ADDRESS OF THE AZURE VM

In all my examples I will use the default "connectivity" configuration:

OPTION 1

PUBLIC ENDPOINT: DISABLED

PRIVATE ENDPOINT: ENABLED

I have disabled the "Public Access":

Then I'm going to create a Private Endpoint Connection:

Don't forget to verify that your VNet is linked to your Private Endpoint:

This is my Virtual Machine:

The subnet of my VNet:

Default outbound rules in the NSG:

If I check the Azure SQL Server FQDN through the "nslookup" command, it resolves the correct private IP address:

The connection is successful:

OPTION 2

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: VIRTUAL NETWORK RULE

I don't have a private endpoint connection:

I have created a Virtual Network rule in the Public Endpoint firewall:

When I check the Azure SQL Database FQDN in the Azure VM through the "nslookup" command, it resolves the Public IP address (Public Endpoint):

The connection is successful:

OPTION 3

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: ALLOW AZURE SERVICES AND RESOURCES TO ACCESS THIS SERVER

I don't have a private endpoint connection:

I have to enable the exception firewall rule "Allow Azure services and resources to access this server":

When I check the Azure SQL Database FQDN in the Azure VM through the "nslookup" command, it resolves the Public IP address (Public Endpoint):

The connection is successful:
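
The nslookup checks in Options 1 to 3 can be scripted so that a wrong DNS answer is caught before a connection is attempted. This is an added example, not part of the original post; the server name and addresses are constructed placeholders, and it assumes the VNet uses RFC 1918 address space.

```python
import ipaddress
import socket

# RFC 1918 ranges; assumption: the VNet uses private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# What the post's nslookup step shows for each option where it is run.
EXPECTED = {1: "private", 2: "public", 3: "public"}


def resolve(fqdn):
    """Live lookup from the VM: (canonical name plus aliases, IPv4 addresses)."""
    canonical, aliases, addresses = socket.gethostbyname_ex(fqdn)
    return [canonical, *aliases], addresses


def classify(addresses):
    """Return 'private', 'public', 'mixed' or 'unresolved' for a lookup result."""
    if not addresses:
        return "unresolved"
    kinds = {
        "private" if any(ipaddress.ip_address(a) in net for net in RFC1918) else "public"
        for a in addresses
    }
    return kinds.pop() if len(kinds) == 1 else "mixed"


def check_option(option, names, addresses):
    """Compare a lookup result with the option in use; return (ok, reason)."""
    got, want = classify(addresses), EXPECTED[option]
    if got == want:
        return True, f"option {option}: resolves to a {got} address as expected"
    has_privatelink = any(".privatelink." in n.lower() for n in names)
    if want == "private" and has_privatelink:
        return False, "privatelink alias present but answer is public: check that the private DNS zone is linked to this VNet"
    if want == "private":
        return False, "no privatelink alias in the answer: check that a private endpoint exists for this server"
    return False, f"option {option}: expected a {want} address, got {got}"


if __name__ == "__main__":
    # Constructed lookup results; server name and addresses are placeholders.
    fqdn = "myserver.database.windows.net"
    alias = "myserver.privatelink.database.windows.net"
    print(check_option(1, [fqdn, alias], ["10.0.0.5"]))
    print(check_option(1, [fqdn, alias], ["203.0.113.10"]))
    print(check_option(2, [fqdn], ["203.0.113.10"]))
```

On the VM itself, pass the output of `resolve("<server>.database.windows.net")` to `check_option` instead of the constructed values.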

 

 

 

OPTION 4

PRIVATE ENDPOINT: DISABLED

PUBLIC ENDPOINT: ENABLED

FIREWALL RULE: PUBLIC IP ADDRESS OF THE AZURE VM

If I try to add a firewall rule in the Public Endpoint to allow access to the Azure SQL Server from the Public IP address of the Azure VM, the connection will fail because the Azure VM will try to access through the Private IP address and these rules only support Public IP addresses:

The connection fails:

Updated Jul 22, 2023
Version 1.0