Private Link for Azure SQL Database
Azure Private Link provides a private endpoint in your virtual network for Azure SQL Database, enabling secure, private connectivity without exposure to the public internet.
Key Benefits
- Data exfiltration protection
- Reduced surface area for attacks
- Seamless integration with existing network policies
- Compliance with regulatory requirements
Supported Scenarios
| Scenario | Supported |
|---|---|
| Single database | Yes |
| Elastic pool | Yes |
| Managed instance | Yes |
| Cross-subscription | Yes |
Creating a Private Endpoint
- Open the Azure portal and navigate to your SQL server.
- Select Private endpoint connections → Add.
- Choose the target VNet and subnet.
- Configure DNS integration (Azure DNS or custom DNS).
- Review and create the endpoint.
After creation, a private IP address from the chosen subnet is allocated to the endpoint. Clients in the virtual network reach the database through this address.
Sample Connection String

The server name is the normal Azure SQL Database FQDN; inside the linked virtual network it resolves through the private DNS zone to the private endpoint IP, so the TLS certificate name still matches:

```text
Server=tcp:myserver.database.windows.net,1433;Database=mydb;User ID=myuser@myserver;Password=******;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
```
DNS Configuration
When using Private Link, Azure automatically creates a private DNS zone privatelink.database.windows.net. Link this zone to your virtual network, or add a custom A record pointing to the private endpoint IP.
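Two checks a practitioner would run after the DNS and connection-string steps above, as an added example that is not part of the original page: one validates what a client in the VNet observed when resolving the server name (the CNAME chain must pass through the privatelink zone and the final address must sit in the endpoint subnet), the other validates that the client connection string keeps TLS enforced and uses the FQDN rather than the raw IP. Inputs such as the CNAME chain, subnet and the sample strings are constructed for illustration.

```python
import ipaddress
import re

# Private DNS zone Azure creates for SQL Database private endpoints.
PRIVATELINK_ZONE = "privatelink.database.windows.net"


def check_resolution(cname_chain, resolved_ip, subnet_cidr):
    """Validate a DNS lookup observed from inside the VNet.
    cname_chain: ordered CNAME targets seen while resolving the server name
    (e.g. from dig or Resolve-DnsName); resolved_ip: the final A record;
    subnet_cidr: the subnet chosen for the private endpoint (constructed input)."""
    problems = []
    if not any(n.lower().endswith("." + PRIVATELINK_ZONE) for n in cname_chain):
        problems.append(f"resolution did not pass through {PRIVATELINK_ZONE}; "
                        "the private zone is probably not linked to this VNet")
    ip = ipaddress.ip_address(resolved_ip)
    if ip.is_global:
        problems.append(f"{resolved_ip} is a public address: traffic would leave the VNet")
    elif ip not in ipaddress.ip_network(subnet_cidr, strict=False):
        problems.append(f"{resolved_ip} is not in the private endpoint subnet {subnet_cidr}")
    return not problems, problems


def check_connection_string(conn_str, expected_host):
    """Check the client uses the server FQDN (so certificate validation works)
    and enforces encryption instead of trusting any certificate."""
    kv = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip()
    problems = []
    host = re.sub(r"^tcp:", "", kv.get("server", ""), flags=re.IGNORECASE).split(",")[0]
    try:
        ipaddress.ip_address(host)  # succeeds only for an IP literal
        problems.append("Server is an IP literal; use the FQDN so the certificate name matches")
    except ValueError:
        if host.lower() != expected_host.lower():
            problems.append(f"Server host {host!r} does not match expected {expected_host!r}")
    if kv.get("encrypt", "").lower() != "true":
        problems.append("Encrypt is not True")
    if kv.get("trustservercertificate", "false").lower() != "false":
        problems.append("TrustServerCertificate=True disables certificate validation")
    return not problems, problems
```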
PowerShell Example

Link the private DNS zone to the virtual network so that clients inside it resolve the server name to the private endpoint IP:

```powershell
Connect-AzAccount

$rg      = "MyResourceGroup"
$vnet    = "MyVNet"
$dnsZone = "privatelink.database.windows.net"

# Resource ID of the VNet that hosts the private endpoint
$vnetId = (Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg).Id

# Create the zone-to-VNet link. Auto-registration is left off: this zone holds
# only the private endpoint record, not VM hostnames.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg `
    -ZoneName $dnsZone `
    -Name "$vnet-link" `
    -VirtualNetworkId $vnetId
```
Monitoring & Troubleshooting
Use Azure Monitor metrics and logs to verify connectivity and health.
- Metric: PrivateEndpointConnections
- Log: NetworkSecurityGroupFlowEvent
For common issues, see the Troubleshooting guide.