This blog post was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking.
We are excited to announce the general availability of Virtual Network (VNet) Service Endpoints for Azure SQL Database in all Azure regions. This ability allows you to isolate connectivity to your logical server from only a given subnet or set of subnets within your virtual network. The traffic to Azure SQL Database from your VNet will always stay within the Azure backbone network. This direct route will be preferred over any specific routes that take Internet traffic through virtual appliances or on-premises.
There is no additional billing for virtual network access through service endpoints. Current pricing model for Azure SQL DB applies as is.
VNet service endpoints for SQL Data Warehouse (DW) continues to be in public preview, for all Azure regions.
Firewall rules and VNet Service Endpoints can be used together
Turning on VNet Service Endpoints does not override Firewall rules that you have provisioned on your SQL Server or Database. Both continue to be applicable.
VNet Service Endpoints don’t extend to on-premises. To allow access from on-premises, Firewall rules can be used to limit connectivity only to your public (NAT) IPs.
To enable VNet protection, first enable service endpoints for SQL in the VNet.
On the SQL Server, you can allow access to multiple subnets belonging to one or more VNets. It is also possible for you to configure Firewall rules in conjunction to your VNet rules.
Turning on service endpoints for servers with pre-existing firewall rules
When you connect to your server with service endpoints turned on, the source IP of SQL connections will switch to the private IP space of your VNet. If at present, your server or database firewall rules allow specific Azure public IPs, then the connectivity will break until you allow the given VNet/subnet by specifying it in the VNet firewall rules. To ensure connectivity, you can preemptively specify VNet firewall rules before turning on service endpoints by using IgnoreMissingServiceEndpoint flag.
Support for ASE
As part of GA, we now support service endpoints for App Service Environment (ASE) subnets deployed into your VNets.
To get started, refer to the documentation Virtual Network Service Endpoints and VNet Service Endpoints and rules for Azure SQL Database.
For feature details and scenarios please watch the Microsoft Ignite session, Network security for applications in Azure.