Azure Service Endpoints

In this blog post I will explain what Azure Service Endpoints are and how to implement them.

Until recently, if you were running a SQL database on Azure Platform as a Service (PaaS), the database server's public endpoint was always reachable from the internet.

You had the option to lock this down to certain IP addresses by using Azure SQL Firewall rules, but if you had infrastructure running in Azure vNets there was no way to lock down access to your Azure SQL database to your vNets only.

Many people would flick the switch for "Allow Access to Azure Services", not knowing that this enables access to your database from any Azure public IP address, so from every Azure tenant and subscription, not just your own. Under the hood the switch is just a firewall rule (named AllowAllWindowsAzureIps) whose start and end address are both 0.0.0.0, which is how you can spot it from the firewall rule list.
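A quick audit for that switch, as an added example in AzureRM PowerShell that is not part of the original post. It lists every Azure SQL server the current login can see and flags any that carry the 0.0.0.0 to 0.0.0.0 rule; the resource group and server names in the commented removal step at the end are made up.

```powershell
# Added example (not from the original post): find Azure SQL servers that still
# have "Allow access to Azure services" switched on. That setting is stored as
# a firewall rule with StartIpAddress and EndIpAddress both 0.0.0.0.
# Requires the AzureRM.Sql module and a prior Login-AzureRmAccount.

$findings = foreach ($server in Get-AzureRmSqlServer) {
    $rules = Get-AzureRmSqlServerFirewallRule -ResourceGroupName $server.ResourceGroupName `
                                              -ServerName $server.ServerName
    $allowAzure = $rules | Where-Object {
        $_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '0.0.0.0'
    }
    if ($allowAzure) {
        [pscustomobject]@{
            ResourceGroup = $server.ResourceGroupName
            Server        = $server.ServerName
            RuleName      = ($allowAzure.FirewallRuleName -join ', ')
            Note          = 'Reachable from any Azure public IP, including other tenants'
        }
    }
}

$findings | Format-Table -AutoSize

# Once explicit IP rules or a vNet rule are in place, remove the open rule.
# Uncomment after reviewing the findings; 'rg-data' and 'sql-prod' are placeholders.
# Remove-AzureRmSqlServerFirewallRule -ResourceGroupName 'rg-data' -ServerName 'sql-prod' `
#     -FirewallRuleName 'AllowAllWindowsAzureIps'
```

Run it read-only first; the removal is left commented out so nothing changes until you have confirmed what else depends on the open rule.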

Azure Service Endpoints

For a long time people have been requesting a way to lock down Azure SQL databases to customer specific vNets.

Back at the Ignite conference in September 2017, Microsoft announced Azure SQL Database and Data Warehouse VNet Service Endpoints, which addresses this. To start with, vNet Service Endpoints was only in public preview in West Central US, West US 2 and East US. It's now available in all regions.

Service Endpoints are configured by selecting Firewall Rules / Virtual Networks on the SQL Server resource.

(Screenshot: Azure Service Endpoints)

You can then select the subscription where your vNet is located, the vNet and the subnet that you want to grant access to.

The Azure SQL Server does not need to be in the same subscription as your vNet, but a service endpoint only applies to Azure service traffic within the virtual network's region, so the SQL server and the vNet must be in the same region. Two other things to watch: the subnet needs the Microsoft.Sql service endpoint enabled (the portal offers to do this when you add the rule), and once it is enabled, traffic from that subnet reaches Azure SQL from the vNet rather than from the VM's public IP, so any existing IP firewall rules that allowed that VM's public IP will stop matching.

Once the rule is in place you should be able to connect to your Azure SQL database from a server within the vNet.

(Screenshot: Azure Service Endpoints)

Bear in mind that these Service Endpoint rules do not appear when you run Get-AzureRmSqlServerFirewallRule. They are a separate resource type (virtual network rules) and are listed with Get-AzureRmSqlServerVirtualNetworkRule instead, so an audit script that only checks the IP firewall rules will not see them.

Service Endpoints are configured in much the same way on storage accounts, with the Microsoft.Storage endpoint on the subnet and a virtual network rule on the account.
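The portal steps above for the SQL server, and the storage account equivalent, as one added example in AzureRM PowerShell that is not part of the original post. The resource group rg-data, vNet vnet-prod, subnet snet-app, SQL server sql-prod and storage account stprod001 are made-up names. The script enables both service endpoints on the subnet once, adds the SQL virtual network rule, shows that Get-AzureRmSqlServerFirewallRule does not list it while Get-AzureRmSqlServerVirtualNetworkRule does, and then adds the same subnet to the storage account and switches its default action to Deny.

```powershell
# Added example, not from the original post. All resource names are assumptions.
# Requires AzureRM.Network, AzureRM.Sql and AzureRM.Storage and a prior Login-AzureRmAccount.
$rg      = 'rg-data'
$vnetNm  = 'vnet-prod'
$subnet  = 'snet-app'
$sqlName = 'sql-prod'
$account = 'stprod001'

# 1. Enable the service endpoints on the subnet. The portal offers to do this
#    when you add the rule; from PowerShell it is an explicit step. Existing
#    endpoints are preserved. If the subnet has an NSG or route table attached,
#    pass them through with -NetworkSecurityGroup / -RouteTable as well.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetNm
$cfg  = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
$endpoints = @($cfg.ServiceEndpoints | ForEach-Object { $_.Service })
foreach ($svc in 'Microsoft.Sql', 'Microsoft.Storage') {
    if ($endpoints -notcontains $svc) { $endpoints += $svc }
}
Set-AzureRmVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet `
    -AddressPrefix $cfg.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
$vnet     = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$subnetId = ($vnet.Subnets | Where-Object { $_.Name -eq $subnet }).Id

# 2. Add the virtual network rule on the SQL server. The subnet is referenced by
#    its full resource Id, which is why a vNet in another subscription also works.
New-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlName `
    -VirtualNetworkRuleName "allow-$vnetNm-$subnet" -VirtualNetworkSubnetId $subnetId | Out-Null

# 3. vNet rules are a separate resource type from IP firewall rules, so they
#    only show up under the virtual network rule cmdlet.
'--- IP firewall rules (the vNet rule is not listed here) ---'
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlName |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
'--- Virtual network rules ---'
Get-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlName |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId

# 4. Same subnet on a storage account. Add the rule before switching the default
#    action to Deny, otherwise the account is unreachable until the rule lands.
Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId | Out-Null
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny | Out-Null
Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account |
    Select-Object DefaultAction, Bypass,
        @{ Name = 'VnetRules'; Expression = { $_.VirtualNetworkRules.VirtualNetworkResourceId } }
```

Run step 1 during a maintenance window: as soon as the endpoint is on the subnet, traffic from it to Azure SQL and Storage in that region arrives from the vNet instead of the VM's public IP, so any IP-based rules elsewhere that relied on that public IP stop working at that moment.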

(Screenshot: Azure Service Endpoints)

I think Service Endpoints is a very welcome feature that some people have been wanting for a long time.

Beware that these features are still in preview, which means they are not recommended for production use, and using them in production could result in outages.