My company already using the Azure Express route circuit to allow secure and quicker data access across the WAN. I am trying to secure access to my SQL database in Azure from my user laptop across the globe. Turn off the Public Endpoint for all SQL database server. Enable the Private Endpoint for each SQL database server. Create the privatelink.database.windows.net Forward Lookup Zones in the Internal DNS server. Is there any better way of doing this or the above steps are the best practices ?

@EnterpriseArchitect Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. Your exact requirement is documented here The steps you have specified are correct except for one step. The only change you must make note is that, You should use " database.windows.net " instead of " privatelink.database.windows.net " Forward Lookup Zone Kindly let us know if this helps or you need further assistance on this issue. P.S: In case you are planning to use P2S and not ExpressRoute, please do let me know as that would require some additional configurations Thanks, Kapil Please don’t forget to close the thread by clicking " Accept the answer " wherever the information provided helps you, as this can be beneficial to other community members.

Securing access to the Azure SQL Server Database via SSMS using Privatelink ?

Accepted answer

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-06-14T06:48:22.9566667+00:00
@EnterpriseArchitect

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Your exact requirement is documented here

The steps you have specified are correct except for one step.

The only change you must make note is that,

You should use "database.windows.net" instead of "privatelink.database.windows.net" Forward Lookup Zone

Kindly let us know if this helps or you need further assistance on this issue.

P.S: In case you are planning to use P2S and not ExpressRoute, please do let me know as that would require some additional configurations

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

1 person found this answer helpful.
EnterpriseArchitect 5,036 Reputation points

2023-06-14T09:56:54.4566667+00:00

,
Thank you for the update, yes, that is what I wanted to achieve.
May I know if I must perform the "database.windows.net" conditional forward lookup zone into the public IP: 168.63.129.16 https://video2.skills-academy.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-06-14T10:43:07.71+00:00

@EnterpriseArchitect

Wrt,

May I know if I must perform the "database.windows.net" conditional forward lookup zone into the public IP: 168.63.129.16

No

You must have a VM acting as DNS server in Azure

And you must forward the requests from your OnPrem to this VM

And you must configure this VM to do a forwarding to 168.63.129.16 IP.

In the diagram, you can see a server in Azure with IP 10.5.0.254

The reason for this is that 168.63.129.16 will accept only requests originating from a VM in Azure.

It is not a publicly Routable IP.

And it will not accept requests that are directly coming from OnPrem servers.

Hope this helps.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

EnterpriseArchitect 5,036 Reputation points

2023-06-14T11:38:58.45+00:00

Thank you for the explanation @KapilAnanth-MSFT ,

OK, I have already deployed one AD Domain Controller on Azure as Windows Server 2019 VM like the below:

Do I just set up the DNS conditional forwarders from the Azure VM above to the public IP 168.63.129.16 IP?

This Azure VM PRDAZDC21 is already joined to the OnPremise AD DS and accessible via internal IP with the Express Route.

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-06-14T12:22:38.0533333+00:00

@KapilAnanth-MSFT

This Azure VM PRDAZDC21 is already joined to the OnPremise AD DS and accessible via internal IP with the Express Route.

Great.

Then you must be able to use this IP for DNS resolution.

Do I just set up the DNS conditional forwarders from the Azure VM above to the public IP 168.63.129.16 IP?

Yes.

Just forward the requests for "database.windows.net" to 168.63.129.16

P.S : I wouldn't call the IP 168.63.129.16 as a public IP (despite some documents may say so) as this in not routable via Internet.

Note:

From this VM, do a

nslookup <yourservicename.database.windows.net> 168.63.129.16

And see if this is resolving properly.

If so, that means this is working correctly and forwarding requests to 168.63.129.16 from this VM would be a success.

Cheers,

Kapil
Sign in to comment