Azure SQL Private Link Connectivity
Troubleshooting Private Access to Azure SQL Managed Instance (SQL MI)
When public access to a SQL Managed Instance is disabled and no Private Endpoint is configured, the instance's host name (of the form <instance>.<dns-zone>.database.windows.net) still resolves, but to a private IP address (for example 10.0.10.210) inside the VNet that hosts the instance. A client can only reach that address if it has private network connectivity into the VNet.
Pre-requisites for Connectivity
- VPN or ExpressRoute connection: you need a private connection (site-to-site or point-to-site VPN, or ExpressRoute) into the Azure VNet hosting the SQL MI, or into a VNet peered with it.
- DNS resolution: the DNS query for <instance>.<dns-zone>.database.windows.net must return the private IP address of the SQL MI.
- Correct routing: your client or router must send traffic destined for the SQL MI's private IP over the VPN/ExpressRoute tunnel rather than the Internet default gateway.
- Firewall and NSG rules: no network-level controls (NSGs, on-premises firewalls) may block the required ports: TCP 1433, and TCP 11000-11999 as well if the instance uses the Redirect connection type.
🛠 Step-by-Step Troubleshooting
1. Verify DNS Resolution
From a Windows command prompt, run:
nslookup <yourservername>.database.windows.net
- If it returns a private IP (for example 10.0.10.210), name resolution is correct.
- If it returns a public IP, or fails with NXDOMAIN or a timeout, the DNS server your client uses is not resolving this zone the way Azure DNS does.
2. Check DNS Configuration
If DNS is not resolving correctly:
- Determine what your client is using for DNS: local router, on-prem DNS server, or custom DNS.
- Configure forwarding for the database.windows.net zone (and for privatelink.database.windows.net if you connect through a Private Endpoint):
  - Optionally, deploy an Azure DNS Private Resolver in the VNet (note: this is a billable resource) and use its inbound endpoint as the forwarding target.
  - Set up a conditional forwarder on your DNS server that sends *.database.windows.net queries to the resolver's inbound endpoint IP.
- Ensure your DHCP or static IP settings point clients to this DNS server.
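The conditional forwarder from the step above, as an added example that is not part of the original post. It runs on an on-premises Windows Server DNS server with the DnsServer module; the resolver inbound endpoint address (10.0.0.4) and the instance host name are assumed values, not taken from the post.

```powershell
# Added example, not from the original post. Run in an elevated session on the
# on-premises Windows Server DNS server (DnsServer module). The resolver address
# and the instance host name are assumptions; replace them with your own.
$ResolverInboundIp = '10.0.0.4'   # inbound endpoint of an Azure DNS Private Resolver in the VNet (assumed)
$MiFqdn            = 'mi-name.dnszone.database.windows.net'   # assumed instance host name
$Zones             = @('database.windows.net')
# Add the privatelink zone too if you reach the instance through a Private Endpoint:
# $Zones += 'privatelink.database.windows.net'

foreach ($zone in $Zones) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Host "Zone $zone already exists; updating master servers"
        Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ResolverInboundIp
    } else {
        # Drop -ReplicationScope on a standalone (non-AD-integrated) DNS server.
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ResolverInboundIp -ReplicationScope 'Forest'
    }
}
Get-DnsServerZone -Name $Zones | Select-Object ZoneName, ZoneType, MasterServers

# Verify through this server: the answer must be a private (10.x / 172.16-31.x / 192.168.x) address.
Resolve-DnsName -Name $MiFqdn -Type A -Server $env:COMPUTERNAME |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress
```

Forwarding the whole database.windows.net zone, rather than one host name, is what makes the wildcard *.database.windows.net in the step above work: every instance and failover group name under the zone follows the same path to the resolver.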
3. Validate Routing
Make sure your network setup forwards traffic to the SQL MI private IP range over the VPN:
- Check your route tables (on-prem and in Azure).
- Confirm split-tunneling or forced tunneling rules support traffic to the SQL MI subnet.
4. Inspect NSGs and Firewall Rules
Each SQL Managed Instance is deployed into a dedicated, delegated subnet that has a Network Security Group (NSG) and a route table attached. Service-aided subnet configuration adds mandatory rules to both; leave those in place and add your own rules alongside them. Check the NSG:
- Allow inbound TCP port 1433 from your VPN or on-prem subnet (and TCP 11000-11999 if the instance uses the Redirect connection type).
- Ensure no deny rules are blocking traffic.
Refer to official guidance for required NSG configurations:
🔗 Azure SQL MI Connectivity Architecture
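The four steps above collapsed into one client-side check, as an added example that is not part of the original post. It runs from the Windows workstation that should reach the instance over the tunnel and reports the same items as the checklist below. The host name, the MI subnet (10.0.10.0/24) and the connection type are assumed values; pass your own as parameters.

```powershell
# Added example, not from the original post: client-side checks for steps 1, 3 and 4
# from the workstation that should reach the instance over VPN/ExpressRoute.
# Host name, MI subnet and connection type are assumptions; pass your own values.
param(
    [string]$Fqdn = 'mi-name.dnszone.database.windows.net',   # <instance>.<dns-zone>.database.windows.net
    [string]$MiSubnet = '10.0.10.0/24',                       # the delegated subnet the instance lives in
    [ValidateSet('Proxy', 'Redirect')]
    [string]$ConnectionType = 'Proxy'
)

function ConvertTo-UInt32 {
    # Dotted quad -> unsigned 32-bit integer so CIDR checks are plain masking.
    param([string]$Ip)
    [byte[]]$bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)        # BitConverter reads little-endian on x86/x64
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32]::MaxValue - [uint32]([uint64][math]::Pow(2, 32 - [int]$prefix) - 1)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Test-Rfc1918 {
    param([string]$Ip)
    foreach ($block in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        if (Test-InCidr -Ip $Ip -Cidr $block) { return $true }
    }
    return $false
}

$result = [ordered]@{
    'DNS resolves to private IP'  = $false
    'Resolved IP is in MI subnet' = $false
    'Traffic routes to MI subnet' = $false
    'TCP 1433 reachable'          = $false
}

# Step 1: which DNS servers the client uses, and what they return for the instance name.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

$ip = $null
try {
    $ip = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -First 1 -ExpandProperty IPAddress
} catch {
    Write-Warning "DNS lookup for $Fqdn failed: $($_.Exception.Message)"
}
if ($ip) {
    Write-Host "$Fqdn -> $ip"
    $result['DNS resolves to private IP']  = Test-Rfc1918 -Ip $ip
    $result['Resolved IP is in MI subnet'] = Test-InCidr -Ip $ip -Cidr $MiSubnet

    # Step 3: the best route should be a specific prefix on the tunnel interface. With split
    # tunnelling, a 0.0.0.0/0 match means the packet heads for the Internet gateway instead.
    $route = Find-NetRoute -RemoteIPAddress $ip | Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    Write-Host ("Route: {0} via {1} on '{2}'" -f $route.DestinationPrefix, $route.NextHop, $route.InterfaceAlias)
    $result['Traffic routes to MI subnet'] = ($route.DestinationPrefix -ne '0.0.0.0/0')

    # Step 4: the gateway listens on TCP 1433 in both connection types. In Redirect mode the
    # client is then sent to a port in 11000-11999, so NSGs and firewalls must allow that range too.
    $tcp = Test-NetConnection -ComputerName $ip -Port 1433 -WarningAction SilentlyContinue
    $result['TCP 1433 reachable'] = [bool]$tcp.TcpTestSucceeded
    if ($ConnectionType -eq 'Redirect') {
        Write-Host "Redirect mode: also allow TCP 11000-11999 from this client to $MiSubnet."
    }
}

# Summary in the same shape as the checklist at the end of the post.
$result.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize
```

Read the summary top to bottom: a false first row points at DNS (step 2), a private IP outside the expected subnet usually means a stale or wrong DNS record, a 0.0.0.0/0 route with split tunnelling points at routing (step 3), and a failed 1433 probe with everything else green points at the NSG or an on-premises firewall (step 4). If you use forced tunnelling, the default route legitimately goes over the tunnel and the routing row is not meaningful on its own.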
Summary Checklist
| Task | Done? |
|---|---|
| DNS resolves to private IP | ☐ |
| VPN/ER tunnel is active | ☐ |
| Traffic routes to MI subnet | ☐ |
| NSG allows port 1433 | ☐ |
| DNS forwarding is configured | ☐ |