Azure SQL Database Networking | Connection using Service Endpoint and Private Endpoint

Captions
Hello and welcome to my new course, Azure SQL Database: Connect using service endpoint and private endpoint. Azure SQL Database is always running on the latest stable version of the SQL Server database engine and a patched OS, with 99.99% availability. In this course we will discuss how to connect to Azure SQL Database using service endpoint and private endpoint.

What is a service endpoint? Virtual Network service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service endpoint enables private IP addresses in the vnet to reach the endpoint of an Azure service without needing a public IP address on the vnet. In the given image, on the left-hand side we have a virtual network and a subnet, and one VM is deployed inside that subnet; on the right-hand side we have an Azure SQL database. We can connect to SQL DB from the virtual machine using service endpoint.

Benefits of service endpoint: improved security for your Azure service resources. Service endpoints enable securing of Azure service resources to your virtual network by extending vnet identity to the service. Optimal routing for Azure service traffic from your virtual network: endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. Simple to set up with less management overhead: you no longer need reserved public IP addresses in your virtual network to secure Azure resources through the IP firewall. There are no network address translation or gateway devices required to set up the service endpoint. You can configure a service endpoint through a single selection on a subnet. There is no extra overhead to maintain the service endpoints.

Let's start our first demo on connecting Azure SQL DB using service endpoints. Let's start our first video: how to connect to SQL Server database using service endpoint. So before starting I would like to introduce the resources which I have in Azure Cloud. You can see this is the SQL Server which I have provisioned; it is having one database here, the name is mydb. I have one VM, and this VM is having a public IP so that I can take remote of this VM, and this VM is also connected to the virtual network, which is vnet gswp, default. The third thing which I have is the virtual network; the IP address is 10.0.0.0/16 and it is having one subnet named default, and the IP address you can see is 10.0.0.0/24. And if I show you the properties of this subnet, I do not have any service endpoint enabled here; there are zero service endpoints enabled.

Now let me take the remote of my VM. Since I'm using a Mac, on the Mac we have this Microsoft Remote Desktop application which I can use to connect. Let me open SSMS, SQL Server Management Studio. Okay, so SSMS is open now. Let me try to connect to the SQL Server. You can see I'm using the FQDN of the SQL Server, SQL Server gswp.database.windows.net. I have this sqladmin user there, and let me try to put my password, hit Connect, and now it is asking me to sign in so that it will add my public IP into the networking area of this SQL Server. So before signing in let me show you the SQL Server. If I go here, if I go to Networking, I am using the public network but there is nothing here: I am not using any virtual network here and I'm not using any firewall rule, anything. So let me try to sign in so that it will automatically add my public IP to the SQL server. Okay, so this is my public IP, let me try to add it, and I am connected to the Azure SQL server. And in the meantime let me try to show you the networking area once again. Let me refresh it, and if I go down here you can see my public IP has been added into the firewall rule, so that it is allowing my traffic from this IP, and that's why I'm able to connect, which is not the target of this demo. Let me remove this one.

And here you can see "Allow Azure services and resources to access this server". Let me try to tick this one and save it. By ticking this one it is allowing all the trusted Azure SQL services to connect to my SQL server without adding IP address, vnet, private endpoint. I just want to show you this as an additional thing, so you can use it if you want in future in your project: if you allow this "Azure services and resources to access the server", you don't have to mention the IPs, the vnets and the private endpoint; it will directly allow all the trusted, remember trusted, Azure SQL services. By the way, Azure DevOps is not a trusted Azure SQL service, so if you allow this here you cannot connect from Azure DevOps to this Azure SQL Server. So since I have connected here, I will show you in my VM: let me disconnect and let me connect again, and now you can see I'm able to connect again, but this time the IP is not mentioned here; there's no IP here. If I refresh my page you can see there's no IP, but since I'm allowing this service, I'm able to connect. Let me remove this also.

Now we are going to create the service endpoint. Our VM is created inside vnet gswp, default subnet. Let me try to add it over here in the virtual network rules. You can name this rule anything; I'm just putting the default. Subscription, then which vnet I want to use (I have only one vnet) and which subnet I want to use (I have only one subnet). And now you see here it is saying "the selected subnet does not have service endpoint enabled for Microsoft.Sql". I already showed you this, that over here I don't have any service endpoint enabled. So if I choose to enable it, I can enable it from here and then select OK, and it will add it into my virtual network rule. Let's go here and cancel it, and let's try to open it again, go down, and now you can see I have this service endpoint enabled automatically because I am trying to enable it here. Now I have added my vnet and the subnet over here, and now I don't have my public IP here and I am not checking this "allow Azure services" to connect to the SQL Server. So let's go again to our VM. This is our VM where we are connecting; let me disconnect and connect again. I'm connected again. Why? Because now my VM, which is deployed in a vnet, and that vnet is having service endpoint enabled, I should say the subnet is having service endpoint enabled for SQL, and it is allowed in the networking area of our SQL Server. So this is public access, and now here you can see we have allowed our subnet, and since we have allowed this subnet, our SQL Server is visible for all the resources which are deployed over here in the subnet. So now if you create, for example, a web application, if you create, for example, functions, you create anything over there, they can reach our SQL Server, because we are allowing this access from the subnet to the SQL Server.

Now let's remove this and let's test whether we are still able to connect or not. So I have removed this access and there is no access allowed in the networking area of the SQL server, and I hope this should not allow me to connect to the SQL Server, because we have no rule which can allow direct traffic from our VM to the SQL server. And now you can see: "Cannot open server requested by the login. Client is not allowed to access the server." Okay, so what we are trying to do now is that for allowing SQL Server we need to add the service endpoint over here.

Before starting the next topic, let me take a moment to ask you to hit the like button and subscribe to my channel if you like my courses.

Let's start our next topic: private endpoint connectivity to Azure SQL Database. What is a private endpoint? A private endpoint is a network interface that uses a private IP address from your vnet. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint you are bringing the service into your virtual network. When you use private endpoints, traffic is secured to a private link resource. The platform validates network connections, allowing only those that reach the specific private link resource. Private endpoints support network policies. Network policy enables support for network security groups, also called NSGs, user-defined route tables and application security groups.

Let's start our second demo on connecting Azure SQL Database using private endpoint. Let's start our second demo: use private endpoint to connect to the SQL Server. There are many times it has happened that you have to use private endpoint whenever no public endpoint is allowed. So for example, in your organization the public access should be permanently disabled. If the public access is permanently disabled, that means you cannot use service endpoint, you cannot directly use the IP address in the firewall rule, you cannot use Azure services to connect to your SQL; your SQL Server is totally protected from any public access. Let me save it so that our SQL server is not allowing any public access: not from any vnet, not by default from allowing services, or by adding an IP address directly. So now we are disabling the public access, but now if I want to connect I have to create a private endpoint over here. So let's create a private endpoint quickly. I'm using my same subscription, same resource group, and the private endpoint name is sqlserver-private-endpoint, in the same region I'm creating right now. Then which resource it is for: SQL Server, and since I have only one SQL Server, it is taking that one which is here. And now virtual network: I'm having one virtual network, I'm selecting that one, and the same default vnet, default subnet. I don't want any policy right now. I am allowing a dynamically allocated IP address; that's fine.

Now, this is the important part over here: I'm going to create it integrated with a private DNS zone. I'm checking it as Yes, but it can be possible that in your organization you have your separate networking team and they are managing their own DNS zone. So in that case, if they are managing their own DNS zone, you should check it as a No, and once it is created you have to add the CNAME record of your SQL Server into that centralized DNS zone, and once that CNAME record is created over there, then anyone from your organization who is connecting through the centralized hub can resolve your SQL Server to the correct IP and connect to your SQL server. But since I'm not using any centralized DNS zone, I'm taking it as Yes and using this newly created private DNS zone. So what is the name of the private DNS zone? The name is privatelink.database.windows.net. So this is the DNS zone which is going to be created in the same resource group, and there will be a CNAME record which will also get created. So let's go to Review and Create, and create. It will take some time to get ready.

In the meantime I would like to show you one image which can tell how this networking is working. Okay, in the meantime our deployment is in progress, I would like to show you how this private endpoint works. So on the right-hand side we have our SQL database. In the SQL database I have created this private endpoint inside one vnet; this blue line is a vnet. So I have created one private endpoint inside this vnet, and this private endpoint is having a NIC card, and that NIC card is assigned with this IP. Okay, so now this IP is assigned to the private endpoint. Now whatever resource we have inside this vnet will have direct access to this IP, so it's very easy to connect to the SQL server using this IP or the SQL server name. Now if you have any other resource deployed in any other vnet in any other region, or maybe in the same region in another vnet, or maybe you have an on-premises environment and still want to connect to the SQL Server which is deployed in Azure but public access is disabled, then how to connect it? Then you have to use this vnet gateway. If you're connecting from an on-premises environment or any other vnet you can use this vnet gateway, and with the help of this vnet gateway you can connect your vnet point-to-site or site-to-site to this vnet gateway, and then your resources which are deployed in your vnet or in the on-premises environment can connect to the private endpoint and resolve to the correct IP. There's one more thing which I want to show you: if you have a vnet and you want to connect to the private endpoint, you just peer this vnet with the central vnet over here where the private endpoint is, and once you peer it, your peered vnet automatically resolves to the correct IP of the SQL server and it can connect to the SQL server using this private endpoint. So this is how this private endpoint works.

So now I see in the back that the resources are ready, so this private endpoint has been created. If I go to DNS configuration, you can see in the DNS configuration I got this IP 10.0.0, and this is the FQDN which I want to connect to, which is the normal FQDN. And over here in the DNS zone, let me open the DNS zone, you can see there is an A record. I'm sorry that I have said CNAME record; it is an A record. An A record has been created for my SQL server with the correct IP address. So since this IP address belongs to the same vnet where my VM is present, I can directly connect to the SQL server using the private endpoint. So let me go here and try to connect now, and you can see I am directly connecting to my SQL server and I can run my queries and I can run whatever I want on my databases.

We have reached the end of this course. I would like to say thank you so much and wish you all the very best for your cloud engineering career.
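The two demos as infrastructure code, an added example (Terraform for the azurerm provider) that is not the video's own code: the hardened end state of the second demo (public access off, private endpoint, privatelink zone linked to the vnet) next to the subnet setting the first demo relies on. Assumed and not from the video: var.rg, var.location, var.sql_password, an existing azurerm_virtual_network.vnet (10.0.0.0/16) and the names sqlserver-gswp, vnet-gswp-link and sqlserver-psc.

```hcl
# Added example (not from the video). Assumed: var.rg, var.location,
# var.sql_password and an existing azurerm_virtual_network.vnet (10.0.0.0/16).
resource "azurerm_mssql_server" "sql" {
  name                          = "sqlserver-gswp"  # assumed name
  resource_group_name           = var.rg
  location                      = var.location
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_password
  public_network_access_enabled = false  # demo 2 end state: no public access path at all
}
# Demo 1 needs this Microsoft.Sql tag plus an azurerm_mssql_virtual_network_rule
# on the server; both stop mattering once public access is disabled above.
resource "azurerm_subnet" "default" {
  name                 = "default"
  resource_group_name  = var.rg
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.0.0/24"]
  service_endpoints    = ["Microsoft.Sql"]
}
# The zone the portal created; the A record for the server lands here.
resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net"
  resource_group_name = var.rg
}
# Without this link the VM's vnet keeps resolving the FQDN to the public address.
resource "azurerm_private_dns_zone_virtual_network_link" "sql" {
  name                  = "vnet-gswp-link"
  resource_group_name   = var.rg
  private_dns_zone_name = azurerm_private_dns_zone.sql.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}
# NIC in the subnet with a dynamically allocated 10.0.0.x address.
resource "azurerm_private_endpoint" "sql" {
  name                = "sqlserver-private-endpoint"
  location            = var.location
  resource_group_name = var.rg
  subnet_id           = azurerm_subnet.default.id
  private_service_connection {
    name                           = "sqlserver-psc"
    private_connection_resource_id = azurerm_mssql_server.sql.id
    subresource_names              = ["sqlServer"]  # the Azure SQL sub-resource
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "sql-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }
}
```

For the first demo alone, keep public_network_access_enabled = true and add an azurerm_mssql_virtual_network_rule whose subnet_id is azurerm_subnet.default.id; with a centrally managed DNS zone, omit the private_dns_zone_group block and register the record in that zone instead, as the video describes.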
Info
Channel: Getting Started With Prashant
Views: 642
Keywords: azure, cloud technology, managed instance, azure certification course, terraform import, Azure SQL Database Networking, Azure SQL Database Service Endpoint, Azure SQL Database Private Endpoint
Id: bT4aJUYWkTA
Length: 19min 28sec (1168 seconds)
Published: Mon Oct 30 2023