Azure Database Support Blog

Lesson Learned #126: Deny Public Network Access, Allow Azure Services and Private Link in SQL Database

Jose_Manuel_Jurado
Mar 21, 2020

In recent days we have received a lot of questions about the new options available with the Azure SQL Database firewall and Private Link.

Below I would like to share my experience with "Deny Public Network Access", "Allow Azure Services" and Private Link.

As you can see in the following table, the behaviour depends on the values of these settings.

 

Deny Public Network Access | Allow Azure Services | How to connect?
-------------------------- | -------------------- | ---------------
Yes | Yes | Connections from inside or outside Azure will not be possible. You need to use Private Link.
Yes | No  | Connections from inside or outside Azure will not be possible. You need to use Private Link.
No  | Yes | Machines/services running in the Azure environment will be able to connect. For connections from outside Azure you need to specify the public IP.
No  | No  | You need to specify the public IP to be able to connect.

In summary, pay attention to the value of "Deny Public Network Access": if it is set to Yes, connections from both outside and inside Azure are affected.

Also, remember that when you create a Private Link, the endpoint is a private endpoint within a specific VNet and subnet. If you try to connect from outside that VNet and subnet, the connection will use the public endpoint.
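To make the table and the Private Link note above concrete, here is an added Python helper (not code from the original post) that evaluates which path a client would use given the server's settings. It reads a constructed sample shaped like the output of `az sql server show` and `az sql server firewall-rule list`; the field names (`publicNetworkAccess`, `privateEndpointConnections`, `startIpAddress`, `endIpAddress`) and the rule name `AllowAllWindowsAzureIps` are assumptions based on the Azure CLI, and the addresses are made up.

```python
import ipaddress
import json

# Constructed sample of the fields this check needs, shaped like the output of
# `az sql server show` and `az sql server firewall-rule list` (the field names
# are an assumption based on the Azure CLI; the values are made up).
SERVER_JSON = """{"name": "example-sqlserver", "publicNetworkAccess": "Enabled",
 "privateEndpointConnections": [{"id": "/subscriptions/<placeholder>/pe-1"}]}"""
FIREWALL_RULES_JSON = """[
 {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
 {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}]"""

AZURE_SENTINEL = ipaddress.ip_address("0.0.0.0")  # 'Allow Azure Services' is the 0.0.0.0-0.0.0.0 rule


def load_sample():
    return json.loads(SERVER_JSON), json.loads(FIREWALL_RULES_JSON)


def evaluate_access(server, rules, client_ip=None, from_azure=False, in_pe_vnet=False):
    """Return (allowed, path) for one client, following the table in the post.
    client_ip:  public IP the client presents at the public endpoint (or None)
    from_azure: client is an Azure service/VM (what 'Allow Azure Services' covers)
    in_pe_vnet: client sits in the VNet/subnet that hosts the private endpoint
    """
    # Private Link is only reachable from inside its VNet/subnet; any other client
    # falls back to the public endpoint, so the public-endpoint rules apply to it.
    if in_pe_vnet and server.get("privateEndpointConnections"):
        return True, "private endpoint"
    # Deny Public Network Access = Yes blocks the public endpoint for everyone,
    # inside or outside Azure, regardless of the firewall rules.
    if server.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return False, "public endpoint denied (Deny Public Network Access = Yes)"
    ranges = [(ipaddress.ip_address(r["startIpAddress"]), ipaddress.ip_address(r["endIpAddress"]), r["name"])
              for r in rules]
    allow_azure = any(lo == hi == AZURE_SENTINEL for lo, hi, _ in ranges)
    if from_azure and allow_azure:
        return True, "public endpoint via 'Allow Azure Services' (0.0.0.0 rule)"
    if client_ip is not None:
        ip = ipaddress.ip_address(client_ip)
        for lo, hi, name in ranges:
            if lo == hi == AZURE_SENTINEL:
                continue  # sentinel rule, not a real address range
            if lo <= ip <= hi:
                return True, f"public endpoint via firewall rule '{name}'"
    return False, "public endpoint: no firewall rule matches the client IP"
```

Flip `publicNetworkAccess` to `Disabled` in the sample and every public-endpoint case, including the Azure one, is refused, leaving only the private endpoint path open.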

Enjoy!

Updated Mar 21, 2020
Version 3.0

5 Comments

  • Hello Jose,

    Thank you for such useful information, I've a question though and I'd be grateful if you could answer me:

     

    I have a PostgreSQL single server on Azure, and as part of security best practice I want to deny public access to that server. But the problem is that when I deny public access, I cannot access the database through "pgAdmin", nor can the APIs of the applications, so the applications also do not work. Fortunately, I was able to solve the problem of me not being able to access the server by configuring a P2S VPN and a private endpoint, and I was successful. However, the APIs still cannot access the database. After escalating this matter to technical support I learned that the APIs access the server through the Internet, NOT through the MS private network, and therefore, when public access is denied, they won't work since all access from the Internet is denied. Currently I have been waiting for technical support for more than 45 days for a meeting with an MS DevOps technical support engineer, but they seem to be very busy and we cannot schedule it. Finally, I have been spending some time on this matter, and it is significant for me to get this done.

     

    I'm wondering, is there a way that I can deny public access yet still enable the applications to access the database? And if yes, how?

     

    I really appreciate your help.

     

    Regards,

    Hazem

  • isr2020

    Very nice summary! I have published a very similar article on Medium on how these settings impact Azure Data Factory interaction with Azure Synapse or Azure SQL Database - https://medium.com/@isinghrana/azure-sql-database-network-settings-private-link-vnet-service-endpoint-and-azure-data-factory-b0f72b5d2af2

     

  • Jzuchora

    Can you also add a column for service endpoints and how those are impacted?

  • Jeff Walzer

    Jose_Manuel_Jurado

     

    Jose, quick question if you don't mind, as we have a SQL server that is set to 'No' for 'Deny public network access' but has one public IP listed for access.

    I just got an ASC alert for 'Logon from an Unusual Azure Data Center' from a public IP that is not configured for access, stating "Someone logged on to your SQL server..."

    I assume this means an attempt to log on and that someone did not actually log on from that public IP? The wording is a bit confusing.

     

    Thx