Azure SQL Database Connectivity and Network Security improvements
Reviewers:- Andreas Wolter, Rajesh Setlem
Customers can now choose to connect to SQL Database via the private endpoint and deny all public access via the firewall rules.
GA of Private Link for Azure SQL Database
Now in general availability, Private Link enables users to have private connectivity from a Microsoft Azure Virtual Network to Azure SQL Database.
This feature creates a private endpoint which maps a private IP Address from the Virtual Network to your Azure SQL Database.
From security perspective, Private Link provides you with data exfiltration protection on the login path to SQL Database. Additionally, it does not require adding of any IP addresses to the firewall on Azure SQL Database or changing the connection string of your application.
Private Link is built on best of class Software Defined Networking (SDN) functionality from the Azure Networking team. Clients can connect to the Private endpoint from within the same Virtual Network, peered Virtual Networking the same region, or via VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. More information can be found here
SQL Database Query Editor supports Private Link
Previously, for using Query Editor ( in Azure Portal) customers would add their Client Ip address in the Azure SQL Database firewall. With this new functionality, customers can run Query Editor and connect via private endpoints without having any dependency on IP based firewall. More information can be found here
Server level Connectivity Settings
We have made multiple improvements that allow you to control connectivity settings for Azure SQL Database . These setting are at the logical server level i.e. they apply to all SQL Databases and Data Warehouses created on a server. Note that once these settings are applied they take effect immediately and may result in connection loss for your clients if they do not meet the requirements for each setting. At present these settings are only available in US West 2, US East, US South Central with other regions soon to follow. More information can be found here
Ability to set Connection Policy
Connection policy determines the requirements for clients to establish connections to Azure SQL Server.
Deny Public network access
While Private Link allows access via private endpoint only, we recognize that there are cases where customers may need a mix of private and public connectivity To support these scenarios, we have provided the ability to deny Public Network access to SQL Database.
When this setting is set to Yes only connections via private endpoints are allowed. When this setting is set to No clients can connect using private or public endpoint.
In summary, we hope these improvements shall provide customers with more options to secure connections made to SQL Database and Data Warehouse and to meet the compliance requirements within their organizations where they need to connect to Azure SQL DB over private endpoint. We look forward to your feedback on these features.