Networking concepts for Azure SQL Database

Understanding how Azure SQL Database connects to the internet, Azure Virtual Networks, and on‑premises resources is essential for building secure, high‑performance applications.

Connectivity options

Public endpoint – Direct TCP traffic over the public internet using a fully qualified domain name (FQDN). Ideal for SaaS and external clients.
Private endpoint – Azure Private Link provides a private IP address from your virtual network, keeping traffic off the public internet.
Hybrid connectivity – Use Azure VPN Gateway or ExpressRoute for on‑premises connectivity with guaranteed bandwidth.

Public endpoint

The public endpoint resolves to a DNS name such as {servername}.database.windows.net. Azure automatically routes traffic to the nearest data center.

Firewall rules

By default, Azure SQL Database blocks all inbound traffic except from Azure services. You can allow specific IP ranges or enable Allow Azure services in the portal.

az sql server firewall-rule create \
    --resource-group MyResourceGroup \
    --server myserver \
    --name AllowMyIP \
    --start-ip-address 203.0.113.4 \
    --end-ip-address 203.0.113.4

Private endpoint (Private Link)

Private Endpoint assigns a NIC in your VNet with a private IP address that maps to the Azure SQL Database service.

Create a Private Link resource via the portal or CLI.
Approve the connection if the SQL server is in a different subscription.
Update connection strings to use the private IP or the private DNS zone.

Example CLI

az network private-endpoint create \
    --resource-group MyResourceGroup \
    --name myPrivateEndpoint \
    --vnet-name myVnet \
    --subnet mySubnet \
    --private-connection-resource-id $(az sql server show -g MyResourceGroup -n myserver --query id -o tsv) \
    --group-id sqlServer \
    --connection-name myConn

Hybrid connectivity

For a consistent, low‑latency link between on‑premises networks and Azure, use either:

Site‑to‑Site VPN – IPSec tunnels over the internet.
ExpressRoute – Dedicated private fiber with higher throughput and SLA.

Network security groups (NSG)

Apply NSG rules to the subnet hosting your Private Endpoint to restrict traffic further.

Best practices

Prefer Private Link for production workloads.
Enable Microsoft Defender for SQL to monitor network threats.
Use just‑in‑time (JIT) firewall rules for temporary access.
Monitor traffic with Azure Network Watcher and Log Analytics.