Network Security: Firewalls, Private Links, and Endpoints
Configure server and database-level firewall rules, private endpoints, and service endpoints to control network access to Azure SQL resources.
Network security for Azure SQL
Think of network security like layers of fences around a building.
Firewall rules are the outer fence β they check your IP address at the gate. Only IPs on the approved list get through.
Service endpoints are like a private underground tunnel from your office (VNet) to the building β traffic stays on Microsoftβs network, never touching the public internet.
Private endpoints go further β they put a private door to the building inside your office. The database gets a private IP address in your VNet. No public access at all.
Firewall rules
Azure SQL Database uses a two-level firewall:
Server-level firewall rules
- Apply to ALL databases on the logical server
- Configured via Azure Portal, PowerShell, CLI, or T-SQL
- Allow specific IP addresses or ranges
-- Create a server-level firewall rule (T-SQL)
EXECUTE sp_set_firewall_rule
@name = 'AllowOfficeIP',
@start_ip_address = '203.0.113.10',
@end_ip_address = '203.0.113.10';Database-level firewall rules
- Apply to a SPECIFIC database only
- Configured via T-SQL only (not Azure Portal)
- More granular β different databases can have different access
-- Create a database-level firewall rule
EXECUTE sp_set_database_firewall_rule
@name = 'AllowAppServer',
@start_ip_address = '10.0.1.50',
@end_ip_address = '10.0.1.50';The βAllow Azure servicesβ setting
- When enabled, any Azure service (from any subscription, any tenant) can reach your SQL server
- Security risk β this is very broad. Priya disables this at ScaleWave and uses private endpoints instead.
| Aspect | Server-level | Database-level |
|---|---|---|
| Scope | All databases on the server | Single database only |
| Configuration | Portal, PowerShell, CLI, T-SQL | T-SQL only |
| Stored in | master database | Individual database |
| Portable | No (tied to server) | Yes (travels with database) |
| Best for | General access control | Per-database isolation |
Managed Instance firewall
MI lives inside a VNet, so it doesnβt use the same IP-based firewall model:
- Access is controlled by Network Security Groups (NSGs) on the MI subnet
- Public endpoint can be enabled (disabled by default) with NSG rules
- Private endpoint is the recommended access method
Virtual network service endpoints
Service endpoints extend your VNet identity to Azure SQL:
- Enable the
Microsoft.Sqlservice endpoint on a VNet subnet - Create a VNet rule on the SQL server allowing that subnet
- Traffic from the subnet to Azure SQL stays on the Azure backbone β no public internet
-- Allow a VNet subnet (T-SQL)
EXECUTE sp_set_vnet_firewall_rule
@name = 'AllowAppSubnet',
@virtual_network_subnet_id = '/subscriptions/.../subnets/app-subnet';Limitations:
- Traffic source IP is still a public IP (the VNet IP, not a private IP)
- Only works with Azure resources in the same region
- The SQL serverβs public endpoint is still active
Private endpoints (Private Link)
Private Link is the gold standard for Azure SQL network security:
- Create a private endpoint in your VNet
- The SQL resource gets a private IP address from your VNet subnet
- Disable public access β only connections through the private endpoint are allowed
- All traffic stays entirely within your VNet β never touches the public internet
| Benefit | Details |
|---|---|
| No public exposure | The SQL serverβs public endpoint can be completely disabled |
| Private IP | Clients connect using a private IP (e.g., 10.0.2.5) |
| Cross-region | Works across regions and even across tenants |
| DNS integration | Private DNS zone maps the server FQDN to the private IP |
Amaraβs setup at Harbour Health:
- Create private endpoint for the SQL server in the hospital VNet
- Create a private DNS zone (
privatelink.database.windows.net) - Link DNS zone to the VNet
- Disable public network access on the SQL server
- Applications connect using the same FQDN β DNS resolves to the private IP
Private Link DNS resolution
When you create a private endpoint, the FQDN resolution changes:
Before private endpoint:
harbourhealth.database.windows.net β public IP (e.g., 40.78.225.32)
After private endpoint + private DNS:
harbourhealth.database.windows.net β harbourhealth.privatelink.database.windows.net β private IP (e.g., 10.0.2.5)
Applications donβt need to change connection strings β DNS handles the routing transparently.
Comparison: service endpoints vs private endpoints
| Feature | Service Endpoints | Private Endpoints |
|---|---|---|
| IP address type | Public IP (Azure backbone routing) | Private IP in your VNet |
| Public endpoint | Still active | Can be disabled |
| Cross-region | Same region only | Any region |
| Cross-tenant | No | Yes |
| DNS changes | None needed | Private DNS zone required |
| Cost | Free | Per-hour + data processing charges |
| Setup complexity | Simple (enable + rule) | Moderate (endpoint + DNS + disable public) |
| Security level | Good | Best |
Exam tip: private endpoint is the recommended answer
When the exam asks about the most secure network configuration for Azure SQL:
- Private endpoint + disable public access = most secure
- Service endpoint = good but public endpoint stays active
- Firewall rules only = least secure (relies on IP addresses)
If cost or simplicity isnβt mentioned in the scenario, choose private endpoint.
Amara needs to ensure Harbour Health's Azure SQL Database is accessible only from the hospital's Azure VNet. No traffic should traverse the public internet. What should she configure?
Priya needs to allow a specific application server (IP: 10.0.1.50) to access only the 'CustomerDB' database but not other databases on the same logical server. What should she configure?
Next up: Data Classification and Auditing β classify sensitive data, configure audits, and implement change data tracking.