Vimal Singh
|26 Apr, 2026
Imagine your production database is reachable from the internet. Even with firewall rules in place, a single misconfigured rule (an over-broad IP range, for example) or a leaked credential could put your entire data estate at risk. The goal for any security-conscious organization is Zero Trust: never expose what does not need to be exposed.
In this guide, based on the SC-5002 curriculum, we’ll explore how to make your Azure SQL Server completely private using Private Link and Private Endpoints.
By default, Azure SQL is a public service. You can restrict access with server-level firewall rules, but those are IP allow lists in front of a public endpoint: the endpoint is still discoverable, still answers on TCP port 1433, and remains part of your external attack surface.
Zero Trust mandates that we bring the database into our private network, making it invisible to the outside world.
Think of a Private Endpoint as a virtual network interface (NIC) for your Azure SQL Server that lives inside your Virtual Network (VNet).
It assigns a private IP address from your subnet to the SQL service.
All traffic travels over the Azure backbone network, never touching the public internet.
Your applications keep using the same connection string (myserver.database.windows.net); nothing changes on the client side. What changes is the DNS answer.
A common mistake among engineers is focusing only on the network. In reality:
50% of the solution is Networking: Creating the NIC and assigning the IP.
50% of the solution is DNS: Ensuring the application resolves the server name to that private IP.
When you configure a Private Endpoint with DNS integration, Azure creates (or reuses) a Private DNS Zone named privatelink.database.windows.net, links it to your VNet, and writes an A record for the endpoint's private IP. The resolution chain then looks like this:
Your app looks up myserver.database.windows.net.
Public DNS answers with a CNAME to myserver.privatelink.database.windows.net.
Inside a VNet linked to the zone, Azure DNS answers that name from the Private DNS Zone with the private IP (e.g., 10.0.0.5). From anywhere else, the CNAME chain continues in public DNS to the public gateway address, which is why a host outside the linked VNet still sees a public IP.
Two caveats follow from this. The zone must be linked to every VNet whose clients use the server (or those VNets must forward to one that is). On-premises or custom DNS servers must forward queries for privatelink.database.windows.net into Azure DNS (168.63.129.16, reachable only from inside a VNet, for example through Azure DNS Private Resolver), or they will never see the private IP.
In the Azure Portal, navigate to your SQL Server’s Networking tab.
Select Private Access and click + Private Endpoint.
Select your Subscription and Resource Group, and give the Private Endpoint (and its NIC) a name.
Pick the Virtual Network and Subnet where your application or management server resides.
During the setup, ensure "Integrate with private DNS zone" is set to Yes. Azure then creates the privatelink.database.windows.net zone if it does not already exist, links it to the VNet, and manages the A record for your private IP.
This is the most critical step for Zero Trust. Once you have confirmed that your applications and management hosts reach the server through the private endpoint:
Go to the Public Access tab in Networking.
Select Disable.
Now nobody, even with valid credentials, can reach the database from the internet: Azure rejects every connection arriving at the public endpoint, regardless of the IP firewall rules. Bear in mind that this includes you. From this point on, administration has to come through the VNet (a jump host reached via Azure Bastion, a VPN, or ExpressRoute).
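The same three steps as an Azure CLI script, added here as an example (this is not code from the original post). It uses the post's server name, myserver; the resource group, VNet and subnet names are placeholders you must replace. Run it with DRY_RUN=1 first to print the commands without executing them, create the endpoint and DNS integration, test from inside the VNet, and only then run the disable step.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the portal steps as Azure CLI.
# Resource names below are assumptions; the server name comes from the post.
set -eu

RG="${RG:-rg-sql-private}"             # assumed resource group (holds server and VNet)
SQL_SERVER="${SQL_SERVER:-myserver}"   # the post's server: myserver.database.windows.net
VNET="${VNET:-vnet-app}"               # assumed VNet where the app / jump host lives
SUBNET="${SUBNET:-snet-data}"          # assumed subnet that receives the endpoint NIC
PE_NAME="${PE_NAME:-pe-${SQL_SERVER}}"
ZONE="privatelink.database.windows.net"  # private DNS zone name Azure SQL uses
# Subscription ID: looked up when az is available, placeholder otherwise (dry runs).
SUB_ID="${SUB_ID:-$(az account show --query id -o tsv 2>/dev/null || echo '<subscription-id>')}"
SQL_ID="/subscriptions/${SUB_ID}/resourceGroups/${RG}/providers/Microsoft.Sql/servers/${SQL_SERVER}"

# run: execute a command, or only print it when DRY_RUN=1 (review before applying).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Networking half: a NIC in the subnet, connected to the server's "sqlServer" sub-resource.
create_private_endpoint() {
  run az network private-endpoint create -g "$RG" -n "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$SQL_ID" \
    --group-id sqlServer --connection-name "${PE_NAME}-conn"
}

# DNS half: the zone, its link to the VNet, and the zone group that makes Azure keep
# the A record (myserver.privatelink... -> private IP) up to date. This is what the
# portal's "Integrate with private DNS zone: Yes" does for you.
create_dns_integration() {
  run az network private-dns zone create -g "$RG" -n "$ZONE"
  run az network private-dns link vnet create -g "$RG" --zone-name "$ZONE" \
    -n "link-${VNET}" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "$PE_NAME" -n default --private-dns-zone "$ZONE" --zone-name sql
}

# Posture half: only after the private path is tested. Denies every public
# connection, regardless of the IP firewall rules.
disable_public_access() {
  run az sql server update -g "$RG" -n "$SQL_SERVER" --enable-public-network false
}

# Prints Enabled or Disabled; use it to prove the final state.
show_public_access() {
  az sql server show -g "$RG" -n "$SQL_SERVER" --query publicNetworkAccess -o tsv
}

case "${1:-}" in
  create)  create_private_endpoint; create_dns_integration ;;
  disable) disable_public_access; show_public_access ;;
  *)       echo "usage: $0 create|disable   (set DRY_RUN=1 to print the commands only)" ;;
esac
```

The disable step is deliberately a separate invocation: if it ran in the same pass as create, a DNS mistake would lock you out of your own server before you had a chance to notice it.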
To check what is happening under the hood, log in to a VM inside the same VNet and run an nslookup:
nslookup myserver.database.windows.net
What to look for:
The answer should contain a CNAME to myserver.privatelink.database.windows.net.
The resolved IP should be the private IP of the endpoint (e.g., 10.0.0.5), not a public one. The CNAME alone proves nothing: it exists in public DNS too, so a host outside the linked VNet shows the same CNAME followed by a public address.
Then confirm the connection itself (with sqlcmd or your application), and after public access is disabled repeat the test from a host outside the VNet: the name still resolves to a public IP there, but the login must be rejected.
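A small check script, added here as an example (not part of the original post), that turns the two "what to look for" points into pass/fail logic: it parses nslookup output, insists on the privatelink CNAME, and then checks that the final address actually falls inside the subnet you gave the endpoint, which is the decisive test. The two embedded nslookup outputs are constructed for the example (168.63.129.16 is Azure's resolver; the outside-view gateway hostname and the 203.0.113.20 address are made up), and 10.0.0.0/24 is an assumed endpoint subnet.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Usage from a VM in the VNet:
#   ./check_private_sql.sh myserver.database.windows.net 10.0.0.0/24
# Assumes Linux nslookup output; the subnet is a placeholder for your endpoint subnet.

# Constructed nslookup output as seen from a VM in a VNet linked to the private zone.
SAMPLE_INSIDE='Server:   168.63.129.16
Address:  168.63.129.16#53

Non-authoritative answer:
myserver.database.windows.net   canonical name = myserver.privatelink.database.windows.net.
Name:   myserver.privatelink.database.windows.net
Address: 10.0.0.5'

# Constructed output as seen from the public internet: the privatelink CNAME is still
# there (it lives in public DNS) but the chain ends at a public gateway address.
# The gateway hostname and IP below are made up for the example.
SAMPLE_OUTSIDE='Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
myserver.database.windows.net   canonical name = myserver.privatelink.database.windows.net.
myserver.privatelink.database.windows.net   canonical name = gateway-example.database.windows.net.
Name:   gateway-example.database.windows.net
Address: 203.0.113.20'

# ip_to_int 10.0.0.5 -> 167772165 (dotted quad to 32-bit integer)
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR: succeeds when IP lies inside CIDR (e.g. 10.0.0.5 10.0.0.0/24)
ip_in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# resolved_ip: print the final answer address from nslookup output on stdin,
# skipping the "Address: x#53" line that names the DNS server itself.
resolved_ip() {
  awk '/^Address:/ && $2 !~ /#/ { ip = $2 } END { print ip }'
}

# verify_output OUTPUT SUBNET: 0 only if the chain goes via privatelink AND lands in SUBNET.
verify_output() {
  _out=$1; _subnet=$2
  if ! printf '%s\n' "$_out" | grep -q 'privatelink\.database\.windows\.net'; then
    echo "FAIL: no privatelink CNAME in the answer"; return 1
  fi
  _ip=$(printf '%s\n' "$_out" | resolved_ip)
  if [ -z "$_ip" ]; then echo "FAIL: no address in the answer"; return 1; fi
  if ip_in_cidr "$_ip" "$_subnet"; then
    echo "OK: resolves to $_ip inside $_subnet (private endpoint path)"
  else
    echo "FAIL: resolves to $_ip outside $_subnet (public path; check the zone/VNet link)"
    return 1
  fi
}

# check_port HOST PORT: TCP reachability without sqlcmd, using bash's /dev/tcp.
check_port() {
  if timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
    echo "OK: TCP $1:$2 reachable"
  else
    echo "FAIL: TCP $1:$2 not reachable (NSG, route, or endpoint not approved?)"; return 1
  fi
}

# Live check; only runs when a server name is given on the command line.
if [ $# -ge 1 ]; then
  verify_output "$(nslookup "$1")" "${2:-10.0.0.0/24}" && check_port "$1" 1433
fi
```

Run it once from a VM inside the VNet (expect OK on both checks) and once from outside; the outside run should fail the subnet check, which is exactly the behaviour you want before and after public access is disabled.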
To master this for the SC-5002 Applied Skills exam, remember these three pillars:
Network Isolation: Use Private Endpoints to give PaaS services a private IP inside your VNet.
DNS Configuration: Always verify that the Private DNS Zone is linked to the VNet your clients resolve from.
Posture Hardening: Always disable public access after the private link is established.
By moving your Azure SQL Server behind a private endpoint, you're not just checking a compliance box—you're implementing a foundation of enterprise-grade security.
