Using Failover Groups with Private Link for Azure SQL Database

Reviewers: Abdul Sathar Sait

Azure offers the ability to manage geo-replication and failover of a group of databases by adding them to a failover group. A group spans two servers: a primary server, where the databases are accessed by the end user or application, and a secondary server in a different region, where a copy of each database is kept in sync using active geo-replication.

With Private Link, we are offering the ability to associate a logical server with a specific private IP address (called a private endpoint) within a virtual network (VNet) and subnet. This blog outlines how Failover Groups can be implemented using private endpoints instead of the public endpoint, so that client traffic to both the primary and the secondary server stays inside the VNet and customers get the security benefits of Private Link as outlined here.

At a very high level, you need to do the following steps to accomplish this:

1. Start by picking a pair of DR paired regions in which to host the primary and secondary servers.

2. Create VNets/subnets to host the private endpoints for the primary and secondary servers, and make sure that their IP address spaces do not overlap, i.e. if the primary VNet is and the secondary is , these overlap. Disjoint ranges are also what lets you peer the two VNets later, so that clients in either region can reach both private endpoints after a failover. To understand more about how VNet ranges are specified in Azure, refer to this blog.

3. Create private endpoints for the primary and secondary servers and register both in one shared Azure Private DNS zone, so that clients in either VNet resolve either server name to its private endpoint address.

a) Create a private endpoint (PE) plus an Azure Private DNS zone for the primary from the Portal, following the Private Link documentation. At the end of this process you should see a single A record in the zone that refers to the primary (as shown in the screenshot below).


b) Create a PE for the secondary via the Portal, but choose to reuse the Private DNS zone that was created for the primary. At the end of this process the zone will contain two records, one for the primary and one for the secondary SQL Database server (as shown in the screenshot below). Both records must live in the same zone because the failover group listener name is a CNAME to whichever server is currently primary; after a failover, that name must still resolve to a private endpoint address rather than fall back to the public one.


4. After both private endpoints are set up (as shown above), you can create a new Failover Group just as before, using the Azure portal as described here or using a PowerShell script as described here. The failover group itself needs no Private Link-specific settings; the private DNS zone and endpoints from step 3 are what keep its listener private.
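The four steps above as one Az PowerShell script, added here as an example and not the post's own script. All names are hypothetical: resource group rg-sql-fog, servers sql-primary-eus and sql-secondary-wus that already exist (with database appdb on the primary), paired regions East US / West US, and two disjoint 10.x/16 address spaces. It assumes the Az.Network, Az.PrivateDns and Az.Sql modules are installed and Connect-AzAccount has been run; the subnet parameter is spelled -PrivateEndpointNetworkPoliciesFlag here, which newer Az.Network versions expose as -PrivateEndpointNetworkPolicies. Beyond the post's steps it adds a CIDR overlap check for step 2 and a final DNS check that the failover group listener resolves to a private endpoint address.

```powershell
# Added example, not the original post's script. Hypothetical names throughout:
# resource group rg-sql-fog, servers sql-primary-eus / sql-secondary-wus (already
# created, database appdb on the primary), paired regions East US / West US.
# Requires the Az.Network, Az.PrivateDns and Az.Sql modules and Connect-AzAccount.
$rg        = 'rg-sql-fog'
$fogName   = 'fog-appdb'
$zoneName  = 'privatelink.database.windows.net'   # the zone Azure SQL private endpoints register in
$primary   = @{ Server = 'sql-primary-eus';   Region = 'eastus'; Vnet = 'vnet-eus'; Cidr = '10.10.0.0/16'; Subnet = '10.10.1.0/24' }
$secondary = @{ Server = 'sql-secondary-wus'; Region = 'westus'; Vnet = 'vnet-wus'; Cidr = '10.20.0.0/16'; Subnet = '10.20.1.0/24' }

# --- Step 2 check: the two VNet address spaces must be disjoint -------------------
function Get-CidrRange([string]$Cidr) {
    $ip, $prefix = $Cidr.Split('/')
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [long]$addr = ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    [long]$size = [math]::Pow(2, 32 - [int]$prefix)
    $start = $addr - ($addr % $size)                  # network address of the block
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap([string]$A, [string]$B) {
    $ra = Get-CidrRange $A; $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $r = Get-CidrRange $Cidr; $a = (Get-CidrRange "$Ip/32").Start
    return ($a -ge $r.Start) -and ($a -le $r.End)
}
if (Test-CidrOverlap $primary.Cidr $secondary.Cidr) {
    throw "VNet ranges $($primary.Cidr) and $($secondary.Cidr) overlap; choose disjoint address spaces."
}

New-AzResourceGroup -Name $rg -Location $primary.Region -Force | Out-Null

# --- Step 3: one shared private DNS zone, one private endpoint per server ---------
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName

foreach ($side in $primary, $secondary) {
    # Private endpoints require network policies to be disabled on their subnet.
    $snet = New-AzVirtualNetworkSubnetConfig -Name 'snet-pe' -AddressPrefix $side.Subnet `
                -PrivateEndpointNetworkPoliciesFlag 'Disabled'
    $vnet = New-AzVirtualNetwork -Name $side.Vnet -ResourceGroupName $rg -Location $side.Region `
                -AddressPrefix $side.Cidr -Subnet $snet

    # Link the shared zone to this VNet so clients here resolve both servers privately.
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "link-$($side.Vnet)" -VirtualNetworkId $vnet.Id | Out-Null

    $sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $side.Server
    $conn = New-AzPrivateLinkServiceConnection -Name "plsc-$($side.Server)" `
                -PrivateLinkServiceId $sql.ResourceId -GroupId 'sqlServer'
    $pe   = New-AzPrivateEndpoint -Name "pe-$($side.Server)" -ResourceGroupName $rg `
                -Location $side.Region -Subnet $vnet.Subnets[0] -PrivateLinkServiceConnection $conn

    # The DNS zone group writes this server's A record into the shared zone
    # (first loop pass = step 3a, one record; second pass = step 3b, two records).
    $zoneCfg = New-AzPrivateDnsZoneConfig -Name 'sql' -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null
}

# --- Step 4: the failover group is created exactly as it would be without Private Link
New-AzSqlDatabaseFailoverGroup -ResourceGroupName $rg -ServerName $primary.Server `
    -PartnerResourceGroupName $rg -PartnerServerName $secondary.Server `
    -FailoverGroupName $fogName -FailoverPolicy Automatic -GracePeriodWithDataLossHours 1 | Out-Null
Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $primary.Server -DatabaseName 'appdb' |
    Add-AzSqlDatabaseToFailoverGroup -ResourceGroupName $rg -ServerName $primary.Server `
        -FailoverGroupName $fogName | Out-Null

# --- Check (run from a VM inside either VNet): the listener must resolve privately
# <fog>.database.windows.net is a CNAME to the current primary, whose privatelink
# name is an A record in the shared zone; a public IP here means DNS is misconfigured.
$listener = "$fogName.database.windows.net"
$answers  = (Resolve-DnsName -Name $listener -Type A | Where-Object Type -eq 'A').IPAddress
$private  = $answers | Where-Object { (Test-IpInCidr $_ $primary.Cidr) -or (Test-IpInCidr $_ $secondary.Cidr) }
if (-not $private) { throw "$listener resolved to $answers, not to a private endpoint address" }
"$listener -> $private (private endpoint)"
```

Run the DNS check again after a test failover (Switch-AzSqlDatabaseFailoverGroup against the secondary server): the CNAME now points at the other server, and the answer should move to the other VNet's private endpoint address. If it instead returns a public IP, the second A record (step 3b) is missing from the shared zone or the zone is not linked to the VNet the check runs from.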

In summary, this quick blog post shows how to get started with using failover groups and Private Link for Azure SQL Database. We hope you find this useful and look forward to your feedback.


This article was originally published by Microsoft's Secure Blog. You can find the original article here.