Lesson Learned #126: Deny Public Network Access, Allow Azure Services and Private Link in SQL Database

This post has been republished via RSS; it originally appeared at: Azure Database Support Blog articles.

In recent days, we have received a lot of questions about the new options available with the Azure SQL Database firewall and Private Link.


Below I would like to share with you my experiences using "Deny Public Network Access", "Allow Azure Services" and Private Link.


As you can see in the following table, the behaviour depends on the values of these features.


| Deny Public Network Access | Allow Azure Services | How to connect? |
|---|---|---|
| Yes | Yes | Connections from inside/outside Azure will not be possible. You need to use Private Link. |
| Yes | No | Connections from inside/outside Azure will not be possible. You need to use Private Link. |
| No | Yes | Machines/services running in the Azure environment will be able to connect. For connections from outside Azure you need to specify the public IP. |
| No | No | You need to specify the public IP to be able to connect. |


In summary, pay attention to the value of "Deny Public Network Access", because if this value is YES, connections from both outside and inside Azure will be affected.


Also, remember that when you create a Private Link, the endpoint is a private endpoint within a specific VNet and subnet. If you try to connect from outside this VNet and subnet, the connection will use the public endpoint.
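
The table and the Private Link note above, modelled as an added example (not code from the original post or from Azure): it evaluates which clients can connect under each combination of the two settings. The class and function names, the sample clients and the firewall rule are constructed, and it assumes a private endpoint exists and that clients in its subnet resolve to it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class ServerConfig:                      # hypothetical model, not an Azure SDK type
    deny_public_network_access: bool
    allow_azure_services: bool
    firewall_rules: list = field(default_factory=list)  # (start_ip, end_ip) pairs

@dataclass
class Client:
    name: str
    public_ip: str               # source address seen by the public endpoint
    runs_in_azure: bool
    in_private_endpoint_subnet: bool = False

def evaluate(cfg, client):
    """Return (allowed, endpoint, reason) for one connection attempt."""
    # Only clients in the VNet/subnet of the private endpoint use Private Link.
    if client.in_private_endpoint_subnet:
        return True, "private", "Private Link"
    # Everyone else reaches the public endpoint, which Deny closes completely.
    if cfg.deny_public_network_access:
        return False, "public", "Deny Public Network Access = Yes"
    if cfg.allow_azure_services and client.runs_in_azure:
        return True, "public", "Allow Azure Services = Yes"
    addr = ip_address(client.public_ip)
    for start, end in cfg.firewall_rules:
        if ip_address(start) <= addr <= ip_address(end):
            return True, "public", f"firewall rule {start}-{end}"
    return False, "public", "public IP not in any firewall rule"

# Constructed sample data (documentation IP ranges, not real hosts).
RULES = [("203.0.113.10", "203.0.113.20")]
CLIENTS = [
    Client("office-laptop", "203.0.113.15", runs_in_azure=False),
    Client("home-laptop", "198.51.100.7", runs_in_azure=False),
    Client("azure-vm-other-vnet", "192.0.2.44", runs_in_azure=True),
    Client("azure-vm-pe-subnet", "192.0.2.45", runs_in_azure=True,
           in_private_endpoint_subnet=True),
]

def audit(deny, allow_azure):
    """Map each sample client to True/False for one settings combination."""
    cfg = ServerConfig(deny, allow_azure, RULES)
    return {c.name: evaluate(cfg, c)[0] for c in CLIENTS}

if __name__ == "__main__":
    for deny in (True, False):
        for allow in (True, False):
            print(f"deny={deny} allow_azure={allow}:", audit(deny, allow))
```

Note that with "Deny Public Network Access" set to Yes, the office laptop is refused even though its public IP matches a firewall rule.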




