In the latest days, we received a lot of questions about the new options that we have using Azure SQL Database Firewall and Private Link. 


Following I would like to share with you my experiences using "Deny Public Network Access", "Allow Azure Services" and Private Link


As you could see in the next table, depending on the values of these features, we will have the following behaviours.


Deny Public Network Access Allow Azure Services How to connect?
Yes Yes Inside/outside Azure will be not possible. You need to use Private Link.
Yes No Inside/outside Azure will be not possible. You need to use Private Link.
No Yes

Machines/Services running in Azure Environment will be able to connect.

For Azure outside connections you need to specify the public IP.

No No You need to specify the public IP to be able to connect.


In summary, pay attention about the value of "Deny Public Network Access" because if this value is YES the connection outside and inside Azure will be affected. 


Also, remember that when you create a Private Link this endpoint is a private endpoint within a specific VNet and Subnet. If you try to connect outside this VNet and Subnet the connection will be using the public endpoint.








Thx so much for posting the chart - greatly appreciated!




Jose, quick question if you don't mind as we have a SQL server that is set for 'No' for 'Deny public access network access' but has one public IP listed for access.


I just got an ASC alert for 'Logon from an Unusual Azure Data Center' from a public IP that is not configured for access stating, "Someone logged on to your SQL server..."


I assume this means an attempt to logon and that someone did not actually logon from that public IP? The wording is a bit confusing.




Can you also add a column for service endpoints and how those are impacted? 

Senior Member

Very nice summary!  I have published a very similar article on medium on how these settings impact Azure Data Factory interaction with Azure Synapse or Azure Sql Database -