cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Lesson Learned #126:Deny Public Network Access,Allow Azure Services and Private Link in SQL Database
By
Jose_Manuel_Jurado
Published Mar 21 2020 08:46 AM 20.9K Views
Jose_Manuel_Jurado
Microsoft
‎Mar 21 2020 08:46 AM

Lesson Learned #126:Deny Public Network Access,Allow Azure Services and Private Link in SQL Database

‎Mar 21 2020 08:46 AM

In the latest days, we received a lot of questions about the new options that we have using Azure SQL Database Firewall and Private Link. 

 

Following I would like to share with you my experiences using "Deny Public Network Access", "Allow Azure Services" and Private Link

 

As you could see in the next table, depending on the values of these features, we will have the following behaviours.

 

Deny Public Network Access Allow Azure Services How to connect?
Yes Yes Inside/outside Azure will be not possible. You need to use Private Link.
Yes No Inside/outside Azure will be not possible. You need to use Private Link.
No Yes

Machines/Services running in Azure Environment will be able to connect.

For Azure outside connections you need to specify the public IP.
No No You need to specify the public IP to be able to connect.

 

In summary, pay attention about the value of "Deny Public Network Access" because if this value is YES the connection outside and inside Azure will be affected. 

 

Also, remember that when you create a Private Link this endpoint is a private endpoint within a specific VNet and Subnet. If you try to connect outside this VNet and Subnet the connection will be using the public endpoint.

 

Enjoy!

 

 

5 Comments
Jeff Walzer
Iron Contributor
‎Apr 01 2020 05:07 AM
‎Apr 01 2020 05:07 AM

@Jose_Manuel_Jurado 

 

Thx so much for posting the chart - greatly appreciated!

0 Likes
Like
Jeff Walzer
Iron Contributor
‎Apr 01 2020 05:48 AM
‎Apr 01 2020 05:48 AM

@Jose_Manuel_Jurado

 

Jose, quick question if you don't mind as we have a SQL server that is set for 'No' for 'Deny public access network access' but has one public IP listed for access.

 

I just got an ASC alert for 'Logon from an Unusual Azure Data Center' from a public IP that is not configured for access stating, "Someone logged on to your SQL server..."

 

I assume this means an attempt to logon and that someone did not actually logon from that public IP? The wording is a bit confusing.

 

Thx 

0 Likes
Like
Jzuchora
Copper Contributor
‎Apr 19 2020 02:31 PM
‎Apr 19 2020 02:31 PM

Can you also add a column for service endpoints and how those are impacted? 

0 Likes
Like
isr2020
Copper Contributor
‎Apr 30 2020 11:59 AM
‎Apr 30 2020 11:59 AM

Very nice summary!  I have published a very similar article on medium on how these settings impact Azure Data Factory interaction with Azure Synapse or Azure Sql Database - https://medium.com/@isinghrana/azure-sql-database-network-settings-private-link-vnet-service-endpoin...

 

Deleted
Not applicable
‎Feb 14 2022 04:59 AM
‎Feb 14 2022 04:59 AM

Hello Jose,

Thank you for such useful information, I've a question though and I'd be grateful if you could answer me:

 

I have a postgreSQL single server on Azure, and as part of security best practice, I want to deny public access over that server. But the problem is that when I deny public access, I cannot access it the database through "pgadmin" nor can the APIs of the applications so, the applications also do not work. Fortunately, I'm able to solve the problem of me not able to access the server by the configuration of P2S-VPN and private endpoint and I was successful. However, the APIs still cannot access the database. After escalating this matter to technical support I learned that APIs access the server through the Internet NOT through MS Private network, and therefore, when public access is denied, they won't work since all access from the Internet is denied. Currently, I'm waiting for technical support for more than 45 days now for a meeting with MS devops technical support engineer, but they seem to be very busy and we cannot schedule. Finally, I have been spending some time over this matter. and this is significant for me to be done.

 

I'm wondering, is there a way that I can deny public access yet still enable the applications to access the database??? And if yes, how so???

 

I really appreciate your help.

 

Regards,

Hazem

0 Likes
Like
Version history
Last update:
‎Mar 21 2020 09:03 AM
Updated by: