Azure SQL - Private Link

Configure Azure SQL to use Azure Private Link

Written by Nick Smith
Updated over a week ago

Prerequisites

All droplets must be within an Azure Resource Group, configured with a valid name and location.

Private Link requires the use of a Private DNS Zone.

Example Topology

This tutorial takes you through creating a Private Link Endpoint within Subnet A in Region A. Private Link is then enabled on the primary Azure SQL Server, securely connecting it to Subnet A.

The purpose of this tutorial is to demonstrate configuring Private Endpoint and Private Link for Azure SQL. Please reach out if you would like further information.

Configure the Network Infrastructure

The first step is to create the network infrastructure within which the private endpoint will reside.

  1. Drag an Azure Resource Group onto your blueprint

  2. On the Properties Panel set the Name and Location for Resource Group A

  3. Drag & drop an Azure Virtual Network into Resource Group A

  4. Set the Name for your Virtual Network and check the Address Space is as required

  5. Drag & drop an Azure Subnet into your Virtual Network (this will automatically add an NSG)

  6. Set the Name for your NSG

  7. Set the Name for your Subnet and check the Address Prefix is as required

  8. Set 'Private Endpoint Network Policies' to 'Disabled'

Configure Azure SQL to use Private Link

In this step, public access to Azure SQL is disabled so that it accepts connections only over a private IP.

  1. Drag & drop an Azure SQL instance into Resource Group A

  2. Set the name of the Azure SQL Server (N.B. this can only be lowercase, numbers, and hyphens)

  3. Set the Administrator Login Name

  4. Set the Secret Parameter for the Administrator Login Password

  5. Set 'Public Network Access' to 'Disabled'

  6. Select 'Databases' and create a new database by clicking Add new Database

  7. Set the name for the database, e.g. primarydb (this can only be lowercase, numbers, and hyphens)

  8. Set the 'Edition' property to Basic (the 'Edition' property is the main influence on the cost of deploying Azure SQL Server; unless you have specific requirements, we recommend the Basic edition)

Configure a DNS Private Zone

For services in Subnet A to reach Azure SQL by domain name over Azure Private Link, a DNS Private Zone is required.

  1. Add a DNS Private Zone droplet into Resource Group A

  2. Set the Name property (the name must be a DNS domain name with at least 2 labels (parts) separated by periods ('.'), using lowercase alphanumeric characters and hyphens, e.g. myprivatesql.local)

  3. Select 'Virtual Network Links' and click on 'Add new Virtual Network Link'

  4. Set the Name and set the 'Linked Virtual Network' to be the Azure Virtual Network created earlier

  5. Set 'Registration Enabled' to 'False'

Add the Azure Private Endpoint to Subnet A

  1. Drag & drop an Azure Network Private Endpoint droplet into Subnet A

  2. Set the Name property of the Private Endpoint

  3. Select 'Private Link Service Connections'

  4. Click on 'Unnamed Private Link Service Connection 1'

  5. Set the Name for the Private Link Service Connection

  6. Set 'Private Link Target' to the name of the Azure SQL Server added earlier

  7. Select 'Private DNS Zone Group' on the properties tree

  8. Click 'Add new Private DNS Zone Group'

  9. Set the Name for the Private DNS Zone Group

  10. Click 'Add new Private DNS Zone Config'

  11. Set the Name for the Private DNS Zone Config

  12. Set 'Private DNS Zone' to the Private DNS Zone created earlier
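The four sections above (network, Azure SQL, DNS Private Zone and Private Endpoint) map onto a small set of Azure resources. The Bicep template below is an added example of that same topology written for direct deployment with `az deployment group create`; it is not the product's own code, and the resource names (`vnet-a`, `subnet-a`, `nsg-subnet-a`, `primarydb`, the address prefixes and the `pe-`/`plsc-` prefixes) are assumptions you can change. One deliberate difference from the step-by-step text: the zone name here is `privatelink.database.windows.net`, Azure's recommended zone for SQL Private Link, so that the server's normal FQDN `<server>.database.windows.net` resolves to the private IP without any client-side changes.

```bicep
// Added example: Bicep equivalent of the tutorial topology (not the product's own code).
// Assumed names: vnet-a, subnet-a, nsg-subnet-a, primarydb, pe-/plsc- prefixes.
param location string = resourceGroup().location
param sqlServerName string            // lowercase letters, numbers and hyphens only
param administratorLogin string
@secure()
param administratorLoginPassword string
param vnetAddressSpace string = '10.10.0.0/16'   // assumed address space
param subnetAPrefix string = '10.10.1.0/24'       // assumed Subnet A prefix

// Azure's recommended zone for SQL Private Link: the server FQDN resolves privately.
var privateDnsZoneName = 'privatelink.database.windows.net'

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-subnet-a'
  location: location
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-a'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetAddressSpace ] }
    subnets: [
      {
        name: 'subnet-a'
        properties: {
          addressPrefix: subnetAPrefix
          networkSecurityGroup: { id: nsg.id }
          // Network step 8: private endpoints need network policies disabled
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    publicNetworkAccess: 'Disabled'   // SQL step 5: reachable only via the private endpoint
  }
}

resource database 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: sqlServer
  name: 'primarydb'
  location: location
  sku: { name: 'Basic', tier: 'Basic' }   // SQL step 8
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
}

resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'link-vnet-a'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false   // DNS step 5: the zone group below writes the record
  }
}

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${sqlServerName}'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'subnet-a') }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${sqlServerName}'
        properties: {
          privateLinkServiceId: sqlServer.id   // Private Endpoint step 6
          groupIds: [ 'sqlServer' ]            // the SQL sub-resource exposed over Private Link
        }
      }
    ]
  }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'config-sql'
        properties: { privateDnsZoneId: privateDnsZone.id }   // Private Endpoint step 12
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <Resource Group A> --template-file main.bicep --parameters sqlServerName=<server> administratorLogin=<login>` and supply the password from a Key Vault reference or a prompt rather than the command line. To confirm the result from a client inside Subnet A, resolve `<server>.database.windows.net`: the answer should be an address inside the Subnet A prefix. A public address means the virtual network link or the DNS zone group is missing, and the connection will fail because public access is disabled.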

Optional: Add a Client VM to test the connection to Azure SQL

  1. Drag & drop an Azure Virtual Machine into the Subnet

  2. Set the Name for the Virtual Machine

  3. Under 'Storage Profile' set the OS Disk Name for the Virtual Machine

  4. Under 'Network Interfaces' set the Network Interface Card Name for the Virtual Machine

  5. Under 'OS Profile' set the Computer Name, Admin Username and Password secret parameter for the Virtual Machine

You're all set! Private Link on the Azure SQL Server is configured to connect to the Private Endpoint in Subnet A. Public Access to the Azure SQL Server has also been disabled.
