Azure SQL Database Connectivity and Network Security improvements

Azure SQL Database Connectivity and Network Security improvements

Reviewers:- Andreas Wolter, Rajesh Setlem

We are proud to announce several improvements to Azure in the areas of Connectivity and Security.

Customers can now choose to connect to via the private endpoint and deny all public access via the rules. 

GA of Private Link for Azure SQL Database

Now in general availability, Private Link enables users to have private connectivity from a Microsoft Azure Virtual to Azure SQL Database.

This feature creates a private endpoint which maps a private IP Address from the Virtual Network to your Azure SQL Database.

From security perspective, Private Link provides you with data exfiltration protection on the login path to SQL Database. Additionally, it does not require adding of any IP addresses to the on Azure SQL Database or changing the connection string of your application.

Private Link is built on best of class Software Defined Networking () functionality from the Azure Networking team. Clients can connect to the Private endpoint from within the same Virtual Network, peered Virtual Networking the same region, or via VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or tunneling. More information can be found here

SQL Database Query Editor supports Private Link

Previously, for using Query Editor ( in Azure Portal) customers would add their Client Ip address in the Azure SQL Database . With this new functionality, customers can run Query Editor and connect via private endpoints without having any dependency on IP based firewall. More information can be found here

Server level Connectivity Settings

We have made multiple improvements that allow you to control connectivity settings for Azure SQL Database . These setting are at the logical server level i.e. they apply to all SQL Databases and Data Warehouses created on a server. Note that once these settings are applied they take effect immediately and may result in connection loss for your clients if they do not meet the requirements for each setting.  At present these settings are only available in US West 2, US East, US South Central with other regions soon to follow. More information can be found here



Ability to set Connection Policy

Connection policy determines the requirements for clients to establish connections to Azure .

Deny Public network access

While Private Link allows access via private endpoint only, we recognize that there are cases where  customers may need a mix of private and public connectivity To support these scenarios, we have provided the ability to  deny Public Network access to SQL Database.

When this setting is set to Yes only connections via private endpoints are allowed. When this setting is set to No clients can connect using private or public endpoint.

In summary, we hope these improvements shall  provide customers with more options to secure connections made to SQL Database and Data Warehouse and to meet the compliance requirements within their organizations where they need to connect to Azure SQL DB over private endpoint. We look forward to your feedback on these features.


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.