Azure SQL Private Link Connectivity
Azure Security Architect, https://azuresecurityarchitect.com/azure-sql-security/azure-sql-private-link-connectivity/
Published Tue, 24 Jun 2025
Troubleshooting Private Access to Azure SQL Managed Instance (SQL MI)

When the public endpoint of a SQL Managed Instance is disabled and no Private Endpoint is configured, the instance's host name (<mi-name>.<dns-zone>.database.windows.net) still resolves, but to a private IP address inside the delegated MI subnet (e.g., 10.0.10.210). That record is published in Azure public DNS, so the name resolves to the private address from anywhere; reaching that address is the part that needs a VPN/ExpressRoute path, correct routing and permissive NSG rules.

Pre-requisites for Connectivity

  1. VPN or ExpressRoute Connection
    You must have a secure connection (VPN or ExpressRoute) into the Azure VNET hosting the SQL MI, or into a VNET peered with it.
  2. DNS Resolution
    The DNS query for <mi-name>.<dns-zone>.database.windows.net should resolve to the private IP address of the SQL MI.
  3. Correct Routing
    Your system or router must route traffic destined for the SQL MI’s private IP over the VPN/ExpressRoute.
  4. Firewall and NSG Rules
    No network-level security rules (e.g., NSGs or firewalls) should block the traffic on the required ports: TCP 1433, plus TCP 11000-11999 if the instance uses the Redirect connection type.

🛠 Step-by-Step Troubleshooting

1. Verify DNS Resolution

From a Windows command prompt, run:

nslookup <mi-name>.<dns-zone>.database.windows.net
  • If it resolves to a private IP in the MI subnet, that’s correct. Note that this record is served by Azure public DNS, so the private address comes back even from a machine with no VPN; a successful lookup does not prove the tunnel works.
  • If it resolves to a public IP, you are probably querying the public endpoint name (<mi-name>.public.<dns-zone>.database.windows.net, which listens on port 3342, not 1433), or a DNS server in the path is overriding the zone.
  • If the lookup fails, the client’s resolver cannot answer for the zone. With a Private Endpoint in front of the instance the name is a CNAME into privatelink.<dns-zone>.database.windows.net, and that zone must be resolvable from the client (see step 2).

2. Check DNS Configuration

If DNS is not resolving correctly:

  • Determine what your client is using for DNS: local router, on-prem DNS server, or custom DNS.
  • Configure forwarding for the database.windows.net zone to a resolver inside Azure:
    • Deploy an Azure DNS Private Resolver with an inbound endpoint in a VNET that is linked to the privatelink.<dns-zone>.database.windows.net private DNS zone (note: the resolver is a billable resource). A DNS forwarder VM in the VNET serves the same purpose.
    • Set up a conditional forwarder on your DNS server that sends database.windows.net queries (or just the privatelink zone) to the inbound endpoint’s private IP.
    • Ensure your DHCP or static IP settings point clients to this DNS server, and that the inbound endpoint’s IP is reachable over the VPN/ExpressRoute on UDP and TCP port 53.
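To turn steps 1 and 2 into a repeatable check, here is a small Python script added for this post (it is not Microsoft tooling). It resolves the host name through whatever resolver the client uses, classifies the answer as private, public or unresolved, flags the public-endpoint and private-endpoint name shapes, and then probes TCP 1433 plus the ends of the Redirect port range. The host name mi-prod.abc123xyz.database.windows.net, the subnet 10.0.10.0/24 and the sample answers are assumptions, not values from the post.

```python
"""Resolve a SQL Managed Instance host name and classify the answer the way
the troubleshooting steps do (private IP in the MI subnet = good, public IP
or no answer = DNS problem), then probe the ports a client needs.

Added example for this post, not Microsoft tooling. The default host name,
the MI subnet and the sample resolver answers are constructed placeholders."""
import ipaddress
import socket
import sys

MI_SUBNET = "10.0.10.0/24"        # assumption: the delegated MI subnet
PROXY_PORT = 1433                 # VNet-local endpoint, Proxy connection type
REDIRECT_PORTS = (11000, 11999)   # ends of the Redirect range, spot-checked


def classify_answer(addresses, mi_subnet=MI_SUBNET):
    """Pure decision over resolver output so it can be checked offline.
    Returns one of: unresolved, public, outside-mi-subnet, private."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not all(ip.is_private for ip in ips):
        return "public"
    subnet = ipaddress.ip_network(mi_subnet)
    if not all(ip in subnet for ip in ips):
        return "outside-mi-subnet"
    return "private"


def uses_private_link(cname_chain):
    """A CNAME into a privatelink.* zone means a Private Endpoint sits in
    front of the instance and the client's resolver must answer for that zone."""
    return any(".privatelink." in n.lower()
               and n.lower().rstrip(".").endswith("database.windows.net")
               for n in cname_chain)


def is_public_endpoint_name(fqdn):
    """The public endpoint has its own name (<mi>.public.<zone>...) on port 3342."""
    labels = fqdn.lower().rstrip(".").split(".")
    return len(labels) > 1 and labels[1] == "public"


def advice(verdict, fqdn):
    """Map a verdict to the next troubleshooting action."""
    if verdict == "unresolved":
        return "no answer: check the DNS server the client uses and its forwarder for the zone"
    if verdict == "public":
        if is_public_endpoint_name(fqdn):
            return "public endpoint name used; the VNet-local name is <mi>.<dns-zone>.database.windows.net on 1433"
        return "public address for the VNet-local name: a DNS server in the path overrides the zone"
    if verdict == "outside-mi-subnet":
        return "private but outside the MI subnet: expected with a Private Endpoint NIC, otherwise a stale record"
    return "DNS is fine; next check routing and the NSG on the MI subnet"


def resolve(fqdn):
    """Live lookup via the client's configured resolver (same path as nslookup)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_reachable(ip, port, timeout=3.0):
    """TCP connect probe: a timeout usually means routing or NSG, a refusal
    means the packet arrived but nothing is listening on that port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mi-prod.abc123xyz.database.windows.net"
    answers = resolve(host)
    verdict = classify_answer(answers)
    print(f"{host} -> {answers or 'no answer'}: {verdict}; {advice(verdict, host)}")
    if verdict == "private":
        for port in (PROXY_PORT, *REDIRECT_PORTS):
            state = "open" if tcp_reachable(answers[0], port) else "blocked or timed out"
            print(f"  tcp/{port}: {state}")
```

Run it as `python check_mi_dns.py <mi-name>.<dns-zone>.database.windows.net` from the client that cannot connect; pass the real MI subnet if it differs from the placeholder. The classification and advice functions take resolver output as arguments, so the same logic can be checked against a captured nslookup answer without network access.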

3. Validate Routing

Make sure your network setup forwards traffic to the SQL MI private IP range over the VPN:

  • Check your route tables (on-prem and in Azure).
  • Confirm split-tunneling or forced tunneling rules support traffic to the SQL MI subnet.

4. Inspect NSGs and Firewall Rules

A SQL Managed Instance is deployed into a dedicated subnet delegated to Microsoft.Sql/managedInstances, and that subnet must have a Network Security Group attached. Service-aided subnet configuration adds the mandatory Microsoft.Sql-managedInstances_UseOnly_* rules for management traffic; everything else is yours to manage. Check the NSG:

  • Allow inbound TCP port 1433 from your VPN or on-prem address range. If the instance uses the Redirect connection type, also allow TCP 11000-11999, because clients connect to those ports directly after the initial handshake.
  • Ensure no Deny rule with a lower priority number shadows the Allow rule; rules are evaluated in priority order and the first match wins. The default AllowVnetInBound rule (VirtualNetwork service tag) already covers address spaces reachable through the VNET gateway, so a blocked on-prem client normally points to a custom Deny rule rather than to the defaults.

Refer to official guidance for required NSG configurations:
🔗 Azure SQL MI Connectivity Architecture
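Because NSG evaluation is first-match-by-priority, it is easy to misread a rule set in the portal. The following Python is an added example for this post (not Azure tooling) that replays an inbound flow against a constructed rule set and reports which rule decided it, and which of the ports a SQL MI client needs are blocked. The CIDRs 192.168.0.0/16 (on-prem) and 10.0.0.0/16 (VNET) are placeholders; only '*' and CIDR prefixes are matched, and the VirtualNetwork service tag is approximated by the VNET range, which is stricter than the real tag.

```python
"""Replay an inbound flow against an NSG rule set using the platform's
first-match-by-priority semantics, to explain why a SQL MI connection is
allowed or denied.

Added example for this post, not Azure tooling. The rule set and the CIDRs
are constructed placeholders. Service tags are not expanded: the default
AllowVnetInBound rule is approximated here by the VNET CIDR, which is
stricter than the real VirtualNetwork tag (that tag also covers on-prem
prefixes reachable through the VNET gateway)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number is evaluated first; 65000+ are the defaults
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp", "Icmp" or "*"
    source_prefixes: tuple  # CIDR strings or "*"
    dest_ports: tuple       # "1433", "11000-11999" or "*"


# Constructed inbound rules on the MI subnet's NSG. The mandatory
# Microsoft.Sql-managedInstances_UseOnly_* rules added by service-aided
# subnet configuration are omitted; they do not affect client traffic.
SAMPLE_RULES = (
    Rule("deny_legacy_block", 900, "Deny", "Tcp", ("192.168.50.0/24",), ("1433",)),
    Rule("allow_onprem_sql", 1000, "Allow", "Tcp", ("192.168.0.0/16",), ("1433",)),
    Rule("AllowVnetInBound", 65000, "Allow", "*", ("10.0.0.0/16",), ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", ("*",), ("*",)),
)


def _prefix_match(prefixes, ip):
    addr = ipaddress.ip_address(ip)
    return any(p == "*" or addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_match(ranges, port):
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule in priority order.
    A Deny with a lower priority number shadows every Allow behind it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _prefix_match(rule.source_prefixes, src_ip):
            continue
        if not _port_match(rule.dest_ports, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"  # unreachable while DenyAllInBound exists


def blocked_ports(rules, src_ip, redirect=False):
    """Spot-check the ports a client needs: 1433 always, plus the ends of the
    11000-11999 range when the instance uses the Redirect connection type."""
    ports = [1433] + ([11000, 11999] if redirect else [])
    return [p for p in ports if evaluate(rules, src_ip, p)[0] != "Allow"]


if __name__ == "__main__":
    for src in ("192.168.1.50", "192.168.50.7", "172.16.0.5", "10.0.20.4"):
        access, name = evaluate(SAMPLE_RULES, src, 1433)
        blocked = blocked_ports(SAMPLE_RULES, src, redirect=True)
        print(f"{src:>14} tcp/1433 {access} by {name}; blocked with Redirect: {blocked}")
```

In the sample, the on-prem client 192.168.1.50 is allowed on 1433 but loses 11000-11999 to DenyAllInBound, which is exactly the failure mode of switching an instance to Redirect without widening the NSG; 192.168.50.7 is caught by the lower-numbered Deny even though the broader Allow would match it. To check a real NSG, build the Rule tuples from the output of `az network nsg rule list` and `az network nsg show` (default rules) and run evaluate against the client's source IP.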

Summary Checklist

  Task                                                    Done?
  DNS resolves to a private IP in the MI subnet           [ ]
  VPN/ER tunnel is active                                 [ ]
  Traffic routes to the MI subnet                         [ ]
  NSG allows TCP 1433 (and 11000-11999 for Redirect)      [ ]
  DNS forwarding is configured (Private Endpoint only)    [ ]

 
