A customer asked whether there was a secure way to connect to an Azure SQL Database. Employees were connecting to the database from home over its public endpoint, and every new client location meant adding another server-level firewall rule, which was a lot of work for the IT department. The setup needed to move to a more secure solution.
There are several ways to secure a connection to an Azure SQL Database. One of them is Azure Private Link.
What is a Private Link?
Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can also create your own Private Link Service in your virtual network and deliver it privately to your customers.
Benefits of Private Links:
- Privately access services on the Azure platform: Connect your virtual network to services in Azure without a public IP address at the source or destination. Service providers can render their services in their own virtual network and consumers can access those services in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network.
- On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints. There’s no need to configure ExpressRoute Microsoft peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure.
- Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides protection against data leakage risks.
- Global reach: Connect privately to services running in other regions. The consumer’s virtual network could be in region A and it can connect to services behind Private Link in region B.
- Extend to your own services: Enable the same experience and functionality to render your service privately to consumers in Azure. By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link. The consumer can then connect directly to your service using a private endpoint in their own virtual network. You can manage the connection requests using an approval call flow. Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants.
The picture below shows how you connect to the database through a private link, over the Microsoft backbone, instead of connecting to it over the internet.

How to configure a Private Link
Configuring a Private Link is pretty straightforward; just follow these steps:
- Sign in to Azure Portal
- Find your Azure SQL Database
- On the overview page, select Show firewall settings

- By default, the Deny public network access setting is grayed out: the portal only lets you enable it once a private endpoint exists, because otherwise nobody could reach the server at all.

- Click Create Private Endpoint

- On the Basics page, select a resource group or create a new one. Provide a name and select the region. The private endpoint must be in the same region as the virtual network it is placed in.

- On the Resource page, select the resource type Microsoft.Sql/servers and, as the resource, the logical SQL server that hosts the database, with sqlServer as the target sub-resource. The private endpoint is attached to the server, not to an individual database.

- On the Configuration page, select the virtual network and subnet in which the private endpoint's network interface is placed, and leave Integrate with private DNS zone enabled; this creates the privatelink.database.windows.net zone that is used later to look up the private IP address.
- Provide tags and create the private endpoint
After the private endpoint has been created, it's time to configure the server so users can no longer connect through public network access.
- Go to the Azure SQL Database
- On the overview page, select Show firewall settings
- Now that the private endpoint exists, the slider for Deny public network access is no longer grayed out.

- Set the slider to Yes and click Save.
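The same configuration with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. Resource group, server, virtual network and subnet names are placeholders; it assumes the Az.Sql, Az.Network and Az.PrivateDns modules are installed and Connect-AzAccount has been run.

```powershell
# Added example: create the private endpoint, integrate it with a private DNS zone
# and close the public endpoint. All names below are assumed; replace with your own.
$rg         = 'rg-sql-demo'        # resource group (assumed)
$serverName = 'sqlsrv-demo'        # logical SQL server name (assumed)
$vnetName   = 'vnet-hub'           # VNet reachable from on-premises (assumed)
$subnetName = 'snet-privatelink'   # subnet for the private endpoint NIC (assumed)
$peName     = "pe-$serverName"

# 1. Locate the logical server and the subnet. The endpoint must live in the VNet's region.
$server = Get-AzSqlServer -ResourceGroupName $rg -ServerName $serverName
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Create the private endpoint. 'sqlServer' is the target sub-resource for Microsoft.Sql/servers.
$conn = New-AzPrivateLinkServiceConnection -Name "$peName-conn" `
            -PrivateLinkServiceId $server.ResourceId -GroupId 'sqlServer'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $vnet.Location `
            -Subnet $subnet -PrivateLinkServiceConnection $conn

# 3. Private DNS zone for the privatelink name, linked to the VNet and kept up to date by a
#    zone group. This is what the portal's "Integrate with private DNS zone" option does.
$zoneName = 'privatelink.database.windows.net'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'sql' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 4. Deny public network access. This overrides every server firewall rule,
#    including "Allow Azure services and resources to access this server".
Set-AzSqlServer -ResourceGroupName $rg -ServerName $serverName -PublicNetworkAccess 'Disabled' | Out-Null

# 5. Read back the private IP of the endpoint NIC; the on-premises DNS record needs it.
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
"$serverName.database.windows.net -> $privateIp"
```

Step 4 is the one that actually closes the public endpoint; do it last, after you have confirmed from a VM in the virtual network that the server name already resolves to the private IP, so that nobody is locked out while DNS is still pointing at the public address.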
At this point the database can no longer be reached over its public endpoint: a connection attempt via the public IP address is refused regardless of the server firewall rules, including Allow Azure services. Clients in the virtual network, in peered networks, or on-premises over VPN or ExpressRoute reach the server through the private endpoint's private IP address, but only if the server name resolves to that address. For on-premises users, a DNS record therefore needs to be in place before they can connect.
Set a DNS Record
The easiest way is to create a new Forward Lookup Zone on the on-premises DNS server. To register the A record you need the private IP address that was assigned to the private endpoint (the database itself has no address; the network interface of the private endpoint does). To find it, follow these steps:
- Log on to the Azure Portal
- Find the Azure resource privatelink.database.windows.net (the private DNS zone that was created together with the private endpoint)
- The A record in that zone shows the server name and its private IP address; the same address is listed on the private endpoint's network interface
Now it's time to create the new Forward Lookup Zone on the on-premises DNS server. Set the name of the Forward Lookup Zone to database.windows.net and create a new DNS A record with the name of the logical SQL server (not the database name; the FQDN is servername.database.windows.net) and the private IP address. Connection strings keep using servername.database.windows.net; the privatelink name is only a CNAME target, and the server's TLS certificate is issued for the public name.
Be aware that an authoritative on-premises zone for database.windows.net answers for every name under that domain, so any other Azure SQL server your users connect to must also get a record in it, or it will stop resolving from on-premises. If more than one server is involved, a conditional forwarder for database.windows.net that points at a DNS forwarder inside the virtual network (for example an Azure DNS Private Resolver inbound endpoint) is the cleaner option, because that forwarder resolves against the privatelink.database.windows.net private zone, which Azure keeps up to date.
Now everything is in place to connect through the private link to the database. Check from an on-premises client with nslookup that servername.database.windows.net resolves to the private IP address before telling users to connect.
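The on-premises DNS part with the DnsServer PowerShell module, as an added example that is not part of the original post. It shows the zone-plus-A-record approach from this post, the conditional-forwarder alternative, and a check that the public name really resolves to the private address. The server name, private IP and forwarder IP are placeholders; it assumes it runs on (or remotes to) a Windows DNS server with the DnsServer module.

```powershell
# Added example: register the private endpoint IP in on-premises Windows DNS and verify it.
# Names and addresses are assumed; replace with the values from your private endpoint.
Import-Module DnsServer
$serverName = 'sqlsrv-demo'      # logical SQL server name (assumed)
$privateIp  = '10.10.1.4'        # IP of the private endpoint NIC (assumed)
$fqdn       = "$serverName.database.windows.net"
$zone       = 'database.windows.net'

# Option A: the approach from the post. An authoritative zone for database.windows.net on-premises.
# Caveat: this zone now answers for EVERY *.database.windows.net name, so any other Azure SQL
# server needs its own A record here, or it stops resolving for on-premises clients.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    # AD-integrated zone replicated to the domain; use -ZoneFile instead for a file-backed zone
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $zone -Name $serverName -IPv4Address $privateIp `
    -TimeToLive (New-TimeSpan -Minutes 10)

# Option B (preferred with more than one Azure SQL server): instead of an authoritative zone,
# forward the whole domain to a DNS forwarder inside the VNet (for example an Azure DNS
# Private Resolver inbound endpoint, IP assumed), which resolves against the
# privatelink.database.windows.net private zone that Azure keeps up to date.
# Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers '10.10.0.10' -ReplicationScope 'Domain'

# Verify from an on-premises client: the public name must resolve to the private IP, and TCP 1433
# must be reachable over the VPN/ExpressRoute path. Only A answers are checked, because with a
# forwarder the response also carries the CNAME to the privatelink name.
$answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$ips = ($answer | Where-Object { $_.QueryType -eq 'A' }).IPAddress
if ($ips -notcontains $privateIp) {
    throw "$fqdn resolves to $($ips -join ', '), expected $privateIp; clients would still hit the public endpoint"
}
if (-not (Test-NetConnection -ComputerName $fqdn -Port 1433 -InformationLevel Quiet)) {
    throw "No route to $fqdn on 1433 over the private path; check VPN/ExpressRoute and NSG rules"
}
"$fqdn -> $privateIp, port 1433 reachable"
```

The resolution check matters more than it looks: if the name still resolves to the public address, clients fail with a public-network-access denied error rather than a timeout, which is easy to misread as a permission problem instead of a DNS one.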