Prerequisites
All droplets must be within an Azure Resource Group, configured with a valid name and location.
Private Link requires the use of a Private DNS Zone.
Example Topology
This tutorial takes you through creating a Private Link Endpoint within Subnet A in Region A. Private Link is then enabled on the primary Azure SQL Server, connecting it securely to Subnet A.
The purpose of this tutorial is to demonstrate configuring Private Endpoint and Private Link for Azure SQL. Please reach out if you would like further information.
Configure the Network Infrastructure
The first step is to create the network infrastructure within which the private endpoint will reside.
Drag an Azure Resource Group onto your blueprint
On the Properties Panel set the Name and Location for Resource Group A
Drag & drop an Azure Virtual Network into Resource Group A
Set the Name for your Virtual Network and check the Address Space is as required
Drag & drop an Azure Subnet into your Virtual Network (this will automatically add an NSG)
Set the Name for your NSG
Set the Name for your Subnet and check the Address Prefix is as required
Set 'Private Endpoint Network Policies' to 'Disabled'
Configure Azure SQL to use Private Link
In this step, public network access to Azure SQL is disabled so that only connections over a private IP are allowed.
Drag & drop an Azure SQL instance into Resource Group A
Set the name of the Azure SQL Server (N.B. this can only be lowercase, numbers, and hyphens)
Set the Administrator Login Name
Set the Secret Parameter for the Administrator Login Password
Set 'Public Network Access' to 'Disabled'
Select 'Databases' and create a new database by clicking Add new Database
Set the name for the database, e.g. primarydb (this can only be lowercase, numbers, and hyphens)
Set the 'Edition' property to Basic (the 'Edition' property is the main driver of the cost of deploying Azure SQL Server; unless you have specific requirements we recommend the Basic edition)
Configure a DNS Private Zone
For services in Subnet A to reach Azure SQL by domain name over Azure Private Link, a DNS Private Zone is required.
Add a DNS Private Zone droplet into Resource Group A
Set the Name property (the name must be a DNS domain name with at least 2 labels (parts) separated by periods ('.'), using lowercase alphanumeric characters and hyphens, e.g. myprivatesql.local)
Select 'Virtual Network Links' and click on 'Add new Virtual Network Link'
Set the Name and set the 'Linked Virtual Network' to be the Azure Virtual Network created earlier
Set 'Registration Enabled' to 'False'
Add the Azure Private Endpoint to Subnet A
Drag & drop an Azure Network Private Endpoint droplet into Subnet A
Set the Name property of the Private Endpoint
Select 'Private Link Service Connections'
Click on 'Unnamed Private Link Service Connection 1'
Set the Name for the Private Link Service Connection
Set 'Private Link Target' to the name of the Azure SQL Server added earlier
Select 'Private DNS Zone Group' on the properties tree
Click 'Add new Private DNS Zone Group'
Set the Name for the Private DNS Zone Group
Click 'Add new Private DNS Zone Config'
Set the Name for the Private DNS Zone Config
Set 'Private DNS Zone' to the Private DNS Zone created earlier
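The topology built above, expressed as Terraform. This is an added example, not output from the blueprint tool. It assumes the azurerm provider 4.x, that Resource Group A already exists under the constructed name rg-a, constructed resource names and address ranges, and the zone name privatelink.database.windows.net, which is the zone the Azure SQL private endpoint DNS integration expects, so the server's normal FQDN resolves to the private IP from inside the VNet.

```hcl
variable "sql_admin_password" { sensitive = true } # supplied out of band, never hard-coded
data "azurerm_resource_group" "a" { name = "rg-a" } # Resource Group A, assumed to exist
resource "azurerm_virtual_network" "a" {
  name                = "vnet-a"
  location            = data.azurerm_resource_group.a.location
  resource_group_name = data.azurerm_resource_group.a.name
  address_space       = ["10.0.0.0/16"] # constructed address space
}
resource "azurerm_subnet" "a" {
  name                              = "subnet-a"
  resource_group_name               = data.azurerm_resource_group.a.name
  virtual_network_name              = azurerm_virtual_network.a.name
  address_prefixes                  = ["10.0.1.0/24"]
  private_endpoint_network_policies = "Disabled" # the 'Private Endpoint Network Policies' step
}
resource "azurerm_mssql_server" "primary" {
  name                          = "sql-primary-example" # lowercase, digits and hyphens only
  resource_group_name           = data.azurerm_resource_group.a.name
  location                      = data.azurerm_resource_group.a.location
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  public_network_access_enabled = false # the private endpoint becomes the only way in
}
resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net" # zone used by Azure SQL private endpoints
  resource_group_name = data.azurerm_resource_group.a.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "sql" {
  name                  = "link-vnet-a" # registration_enabled is left at its default, false
  resource_group_name   = data.azurerm_resource_group.a.name
  private_dns_zone_name = azurerm_private_dns_zone.sql.name
  virtual_network_id    = azurerm_virtual_network.a.id
}
resource "azurerm_private_endpoint" "sql" {
  name                = "pe-sql-primary"
  location            = data.azurerm_resource_group.a.location
  resource_group_name = data.azurerm_resource_group.a.name
  subnet_id           = azurerm_subnet.a.id # the endpoint NIC lands in Subnet A
  private_service_connection {
    name                           = "psc-sql-primary"
    private_connection_resource_id = azurerm_mssql_server.primary.id # 'Private Link Target'
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
  private_dns_zone_group { # writes the server's A record into the zone above
    name                 = "dzg-sql"
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }
}
```

An azurerm_mssql_database resource with sku_name = "Basic" and server_id = azurerm_mssql_server.primary.id would cover the primarydb step.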
Optional: Add a Client VM to test the connection to Azure SQL
Drag & drop an Azure Virtual Machine into the Subnet
Set the Name for the Virtual Machine
Under 'Storage Profile' set the OS Disk Name for the Virtual Machine
Under 'Network Interfaces' set the Network Interface Card Name for the Virtual Machine
Under 'OS Profile' set the Computer Name, Admin Username and Password secret parameter for the Virtual Machine
You're all set! Private Link on the Azure SQL Server is configured to connect to the Private Endpoint in Subnet A. Public Access to the Azure SQL Server has also been disabled.