Azure Private Endpoint - Listening restrictions

I'm experiencing some deeply frustrating issues when trying to connect to a SQL Server Private Endpoint. Setting aside for a moment a complete specification of the problem, I'd like answers to the following questions:


1. Is it the case that a SQL Server Private Endpoint will only listen to connections from an Azure Virtual Machine? I have seen it suggested by 3rd parties that this is the case but cannot find this explicitly documented by MS. (To clarify, if only VMs can connect, then this would mean, for example, that an Azure Load Balancer could not use a Private Endpoint as a backend resource; and, for example, that an on-premises VM could not connect to a Private Endpoint through a VPN - is that correct?)


2. Presuming the answer to the above question is Yes, then does the restriction apply such as to prevent Private Endpoint from listening to connections forwarded from an Azure VM interface?

(For example, say a firewall in a VM in Azure. Inside the firewall VM, the IP is configured. In Azure, the VM interface is associated with only a single IP address which is IP    In this scenario, the firewall VM will respond to ARP requests with ARP responses saying "I have", but is not associated by Azure configuration with any Azure virtual network interface.  In said case, will a connection to the Private Endpoint using source address work?   Or is it the case that the PE will listen for connections only with a source address



