Hello, I've configured a private endpoint to a SQL server and can access the SQL server using SSMS in a VM that's in the same vnet (SSMS in VM1). I also configured a peering connection between the vnet where the SQL private end point and the VM are in to another vnet. I'm trying to access the SQL server using the SSMS from the VM2 that's in the peered vnet but I get an error that the SQL How do I configure the peered vnet (VM1 SSMS) to connect to the private endpoint? Thank you in advance!

Hi Abraham, You need to create a virtual network link from the private dns zone to the peered virtual network so that when the VM does DNS lookup for your Azure SQL Server it will receive the IP address of the private endpoint instead of the public address. To create virtual network link, browse to the Private DNS Zone that was created for your private endpoint -- Virtual links blade. Click Add, enter a name for the link, select the peered virtual network, click Create. It may take a minute or so for it to finish creating the link, so wait for the success notification. Once it has been created, using command prompt, do nslookup of the FQDN (yourservername.database.windows.net) from the VM and make sure it is returning the private IP address instead of public. nslookup yourservername.database.windows.net Resolution virtual network https://video2.skills-academy.com/en-us/azure/dns/private-dns-virtual-network-links#resolution-virtual-network Please click Accept Answer and upvote if the above was helpful. Thanks. -TP

SQL Private Endpoint can't be reached from VM in peered VNet

Accepted answer

TP 97,756 Reputation points

2024-09-05T00:37:11.0833333+00:00
Hi Abraham,

You need to create a virtual network link from the private dns zone to the peered virtual network so that when the VM does DNS lookup for your Azure SQL Server it will receive the IP address of the private endpoint instead of the public address.

To create virtual network link, browse to the Private DNS Zone that was created for your private endpoint -- Virtual links blade. Click Add, enter a name for the link, select the peered virtual network, click Create.

It may take a minute or so for it to finish creating the link, so wait for the success notification. Once it has been created, using command prompt, do nslookup of the FQDN (yourservername.database.windows.net) from the VM and make sure it is returning the private IP address instead of public.

nslookup yourservername.database.windows.net

Resolution virtual network

https://video2.skills-academy.com/en-us/azure/dns/private-dns-virtual-network-links#resolution-virtual-network

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Please sign in to rate this answer.
Alto, Abraham 60 Reputation points

2024-09-05T18:30:29.56+00:00

This worked, thank you TP!

Alto, Abraham 60 Reputation points

2024-09-05T19:44:44.88+00:00

Hello TP,

Although your response did help me connect to the SQL server Private Endpoint from VM2, I came across another issue since VM2 is a jumpbox in an Azure Virtual Desktop Workspace. I thought I would be able to apply your fix across all private DNS zones...

I use VM2 to RDP to several VMs with SQL server that have Private Endpoints configured. I successfully configured 1, but when I tried configuring a Virtual Network Link in on another private DNS zone in a different region, I got the following error:

I'm using a unique name in the Link Name text box. Is it that the VM2 VNet can only connect to 1 private DNS zone?

TP 97,756 Reputation points

2024-09-05T22:51:31.4866667+00:00

You can only link once for each service in each VNet. The reason for this limitation is it wouldn't know which DNS zone to perform the lookup against since they would all be the same (privatelink.database.windows.net). I bet MS has an item in their backlog to come up with a way to solve this whereby it would "merge" all of the different A records automatically, but for now we have to workaround the limitation.

What you can do is add an A record to the private DNS zone for each additional unique Azure SQL Database server that you will be connecting to via private endpoint.

Please keep in mind that if the private endpoints are set to dynamic IP there is possibility an address could change in the future, and if this occurs the corresponding DNS A record would need to updated.

If something isn't clear please let me know.

Alto, Abraham 60 Reputation points

2024-09-06T20:48:33.32+00:00

Thanks for the information, TP.

Does this mean I have to then configure an A record in each Private DNS zone for each Private Endpoint assigned to the SQL servers? I am a little confused because there's an A record already in each Private DNS zone.

I'm guessing I would configure an A record in the "Recordsets" blade in the Private DNS zone page?

TP 97,756 Reputation points

2024-09-06T22:56:19.48+00:00

In the privatelink.database.windows.net zone that is linked to the VNet that the VM is located in you need to create the A records under Recordsets blade. This is the zone that will perform the DNS lookups for the VM and give it the correct private IP for each Azure SQL Database Server.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SQL Private Endpoint can't be reached from VM in peered VNet

0 additional answers

Your answer