Today, I worked on an interesting service that our customer has implemented a Private Endpoint for Azure SQL Database and they want that only some subnets of the VNET might be able to connect, they asked how to do it.
Well, the first thing that we need to know is that the configuration that we have defined in our Azure SQL Server (Firewalls and virtual networks) won't have effect when you are using Private Endpoint and if you need to protect your Private Endpoint in your VNET/Subnet you need to use NSG.
Using NSG will be one of the alternatives to meet the requiriments to allow/deny connection to your Private Endpoint from specific subnets.
Enjoy!
