Reviewers:- Abdul Sathar Sait
Azure SQL Database offers the ability to manage geo replication and failover of a group of databases by adding them into failover group. A failover group spans two servers – a primary server where the databases are accessed by the end user or application & a secondary server in a different region where a copy of each database is kept in sync using active geo-replication.
With Private Link, we are offering the ability to associate a logical server to a specific private IP address (called a private endpoint) within the Vnet(& subnet). This blog outlines how Failover Groups can be implemented using private endpoint for SQL Database instead of the public endpoint thus ensuring that customers can get security benefits that it offers as outlined here.
At a very high level you need to do the following steps to accomplish this
1. Start by picking a list of DR paired regions where you will host the primary and secondary servers
2. Create Vnets/subnets to host private endpoints for primary and secondary servers and make sure that they do not have overlapping IP address spaces. I.e. if the primary Vnet is 10.0.0.0/16 and the secondary is 10.0.0.1/16 these are overlapping. To understand more about how Vnet ranges are specified in Azure refer to this blog
3. Create private endpoints for primary and secondary servers so that they can communicate with each other via a shared Azure Private DNS Zone.
a) Create a private endpoint(PE) + Azure Private DNS Zone for the primary from the Portal per https://docs.microsoft.com/azure/private-link/create-private-endpoint-portal. At the end of this process you should see a single entry in the DNS zone that refers to the primary SQL Database (as shown in the screenshot below)
b) Create a PE for the secondary via the Portal but choose to reuse the same Private DNS Zone that was created for the primary. At the end of this process you will have two entries in the DNS Zone – one for primary and another for secondary SQL Database (as shown in the screenshot below)
4. After both Private endpoints are setup (as shown above), you can create a new Failover Group just like before, using the Azure portal as described here or using PowerShell script as described here
In summary, this quick blog post shows you how to get started with using failover groups and Private link for Azure SQL Database. We hope you find this useful and look forward to your feedback.