Virtual Network architecture 4 - SQL Database Private Endpoint

koheikawata

Kohei Kawata

Posted on August 29, 2022


Summary

This article is Part 4 of the virtual network architecture series. It explains the details of the private endpoint for Azure SQL Database in the api-management-vnet sample.

Private Endpoint configuration

  • Private Endpoint: In PrivateEndpoint.bicep, deploy the private endpoint, point it at the SQL server (sub-resource sqlServer) and place it in the subnet reserved for private endpoints.
// Values passed in from the module call: the existing SQL server and the
// third subnet of the second virtual network
SqlServerId: existingSql.id
VirtualNetwork2SubnetIdSql: existingVnet2.properties.subnets[2].id

resource PrivateEndpointSql 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  properties: {
    privateLinkServiceConnections: [
      {
        properties: {
          // Private Link resource the endpoint connects to: the SQL server
          privateLinkServiceId: SqlServerId
          // Sub-resource of the server exposed through this endpoint
          groupIds: [
            'sqlServer'
          ]
        }
      }
    ]
    // Subnet that hosts the endpoint's NIC and therefore its private IP
    subnet: {
      id: VirtualNetwork2SubnetIdSql
      properties: {
        privateEndpointNetworkPolicies: 'Enabled'
      }
    }
  }
}
  • Private DNS: In PrivateDns2.bicep, deploy a Private DNS zone named privatelink.database.windows.net. The name is built from environment().suffixes.sqlServerHostname so it matches the SQL host suffix of the cloud being deployed to.
// 'privatelink' + '.database.windows.net' in the public cloud
var pdns_name_sql = 'privatelink${environment().suffixes.sqlServerHostname}'

resource PrivateDnsSql 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pdns_name_sql
  location: 'global' // Private DNS zones are not regional
}
  • Virtual network link: In PrivateDns2.bicep, link the Private DNS zone to the virtual network that contains the SQL Server's private endpoint subnet, so resolvers in that network consult the zone.
// Value passed in from the module call: the second virtual network
VirtualNetwork2Id: existingVnet2.id

resource VnetLinkSql 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSql.name}/${PrivateDnsSql.name}-link'
  location: 'global'
  properties: {
    // No auto-registration of VM records; only the A record added below
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork2Id
    }
  }
}
  • Private DNS A record: In PrivateDns2.bicep, create an A record named after the SQL server whose address is the private IP assigned to the private endpoint, exported as an output from PrivateEndpoint.bicep.
// Output of PrivateEndpoint.bicep: the first private IP the endpoint received
output PrivateEndpointSqlIpAddress string = PrivateEndpointSql.properties.customDnsConfigs[0].ipAddresses[0]

// <SqlServerName>.privatelink.database.windows.net -> private endpoint IP
resource PrivateDnsASql 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  name: '${PrivateDnsSql.name}/${SqlServerName}'
  properties: {
    ttl: 3600
    aRecords: [
      {
        ipv4Address: PrivateEndpointSqlIpAddress
      }
    ]
  }
}
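To confirm that the four steps above actually take effect, here is an added Python example (not part of the original post or the api-management-vnet template) that validates a captured DNS answer chain for the SQL server as a client inside the linked virtual network would see it: the public name must alias into the privatelink zone, and the A record from that zone must land inside the private endpoint subnet. It assumes the public-cloud suffix .database.windows.net; the server name, addresses and subnet are constructed.

```python
import ipaddress

# Public-cloud value of environment().suffixes.sqlServerHostname (assumed here).
SQL_HOST_SUFFIX = ".database.windows.net"


def private_zone_name(suffix: str = SQL_HOST_SUFFIX) -> str:
    """Zone name built the same way as 'privatelink${suffix}' in PrivateDns2.bicep."""
    return "privatelink" + suffix


def verify_private_resolution(server_name, answers, pe_subnet_cidr):
    """Check a captured DNS answer chain for <server>.database.windows.net.
    answers: list of (name, record_type, value) as returned to a client inside
    the linked virtual network. Returns (ok, reason).
    """
    server_name = server_name.lower()
    fqdn = server_name + SQL_HOST_SUFFIX
    alias = f"{server_name}.{private_zone_name()}"
    subnet = ipaddress.ip_network(pe_subnet_cidr)
    chain = {(name.lower(), rtype): value for name, rtype, value in answers}

    # 1. Azure's public DNS aliases the server name into the privatelink zone.
    target = chain.get((fqdn, "CNAME"))
    if target is None or target.lower() != alias:
        return False, "no CNAME into the privatelink zone"
    # 2. The A record created by PrivateDnsASql must answer for that alias.
    address = chain.get((alias, "A"))
    if address is None:
        return False, "no A record for the privatelink name (zone not linked?)"
    # 3. That address must be the private endpoint NIC, i.e. inside its subnet.
    if ipaddress.ip_address(address) not in subnet:
        return False, f"{address} is outside the private endpoint subnet"
    return True, f"resolves to private endpoint {address}"


if __name__ == "__main__":
    # Constructed sample answers; names, addresses and subnet are hypothetical.
    linked = [
        ("myserver.database.windows.net", "CNAME", "myserver.privatelink.database.windows.net"),
        ("myserver.privatelink.database.windows.net", "A", "10.0.2.4"),
    ]
    unlinked = [  # zone missing or not linked: public resolution leaks through
        ("myserver.database.windows.net", "CNAME", "myserver.privatelink.database.windows.net"),
        ("myserver.privatelink.database.windows.net", "A", "20.50.1.1"),
    ]
    print(verify_private_resolution("myserver", linked, "10.0.2.0/24"))
    print(verify_private_resolution("myserver", unlinked, "10.0.2.0/24"))
```

A failing second check is the symptom of a zone that exists but is not linked to the VNet, or of an A record whose address no longer matches the endpoint after a redeploy.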

Access to SQL Database

App Service and Functions need to reach the SQL Database to insert and read data records. Both reach it through VNet integration and the private endpoint. In SqlDatabase2.bicep, public network access is disabled, so nothing can reach the server through its public IP.

resource SqlServer 'Microsoft.Sql/servers@2021-02-01-preview' = {
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

SQL project update

The biggest problem arises when you want to update a SQL project, including the data schema, on the Azure SQL Database. In this sample template you cannot update the SQL project, because a Linux-based self-hosted agent does not support building and deploying SQL Database projects. On the other hand, a Windows-based self-hosted agent in a Docker container on Azure Container Instances cannot be deployed into the virtual network, as mentioned in the previous article, Virtual Network architecture 2 - Deployment pipelines. Possible workarounds are to create a Windows-based self-hosted agent on a virtual machine, to change the IP filtering rules when deploying code, or to wait until Windows Docker containers support virtual network deployment.
