The title says it all... Since the beginning of my cloud journey, being able to connect to SQL PaaS over a private IP has been a highly wanted feature. A few days ago this became possible with the introduction of a new service called Private Link Center, which is still in preview while writing this blog post.

When opening the service for the first time, we are shown a short explanation of what the service does.

At the bottom of this page, we can choose from 3 different options.

Our goal here is to connect to a SQL database using private communication only. So we will first need to create a private endpoint for our SQL server (PaaS).

On the second page, we already need to choose the resource type and the resource itself. I created a demo SQL server as preparation, so we will pick that one.

The last step is choosing the right virtual network and subnet. As you will notice in the screenshot, I already prepared a subnet called 'privateendpoints'.
Regarding DNS you have 2 options:
- Create an Azure Private DNS Zone (privatelink.database.windows.net), which gets linked to the virtual network
- Use your own IaaS-hosted DNS servers, in which case you create the privatelink record yourself
In this example we will use the Azure Private DNS Zone, as this is the easiest way to demo the functionality. In a corporate environment, I would rather advise using your own IaaS-hosted DNS servers for added control. Of course, everything depends on your requirements. Whichever option you pick, the result must be the same: a client looking up the server's FQDN has to receive the private IP of the endpoint instead of the public gateway IP, and connection strings keep using the FQDN rather than that IP.
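The wizard steps above (pick the SQL server, pick the VNet and subnet, create the private DNS zone) can also be scripted. The following is an added example with the Azure CLI, not code from the original post; the resource group, VNet, subnet and server names are placeholders, and `DRY_RUN=1` prints the commands instead of running them so the script can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Added example, not from the original post: the private endpoint and private
# DNS zone the portal wizard creates, built with the Azure CLI.
# All names below are assumed placeholders; override them via the environment.
RG=${RG:-demo-rg}
VNET=${VNET:-demo-vnet}
SUBNET=${SUBNET:-privateendpoints}      # subnet prepared for private endpoints
SQL_SERVER=${SQL_SERVER:-demo-sql}      # logical SQL server name (assumed)
PE_NAME=${PE_NAME:-pe-${SQL_SERVER}}
ZONE=privatelink.database.windows.net   # zone name Private Link expects for SQL

# run: echo the command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

create_private_endpoint() {
  # Private endpoint network policies had to be disabled on the subnet at the
  # time this post was written (preview); newer CLI versions name the flag
  # --private-endpoint-network-policies Disabled.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --disable-private-endpoint-network-policies true

  # Resource ID of the logical SQL server. 'sqlServer' is the sub-resource
  # (group id) Private Link uses for Azure SQL Database.
  if [ -n "${DRY_RUN:-}" ]; then
    server_id="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.Sql/servers/$SQL_SERVER"
  else
    server_id=$(az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv)
  fi
  run az network private-endpoint create -g "$RG" -n "$PE_NAME" \
      --vnet-name "$VNET" --subnet "$SUBNET" \
      --private-connection-resource-id "$server_id" \
      --group-id sqlServer --connection-name "${PE_NAME}-conn"
}

create_private_dns() {
  # Option 1 from the post: an Azure Private DNS zone linked to the VNet, with
  # the endpoint's A record maintained through a DNS zone group.
  run az network private-dns zone create -g "$RG" -n "$ZONE"
  run az network private-dns link vnet create -g "$RG" --zone-name "$ZONE" \
      --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" \
      --endpoint-name "$PE_NAME" --name default \
      --private-dns-zone "$ZONE" --zone-name sql
}

# Only provision when explicitly asked, so the functions can be sourced or reviewed.
if [ -n "${PROVISION:-}" ]; then
  create_private_endpoint
  create_private_dns
fi
```

Run it as `DRY_RUN=1 PROVISION=1 sh create-pe.sh` first to see the exact commands, then without `DRY_RUN` to create the resources. The DNS zone group is what keeps the A record in the private zone in sync with the endpoint; if you go for option 2 (your own DNS servers), skip `create_private_dns` and create the record for `<server>.privatelink.database.windows.net` yourself.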

When our deployment has finished, we see an Azure Private DNS zone named privatelink.database.windows.net with one A record for our SQL server.

When browsing to our SQL server, I noticed that a new section called 'Private Endpoint Connections' had appeared under 'Security'.
A connection was created while deploying the service:

When actually testing the service from my demo VM:
- We are able to resolve the DNS A record to a private IP ✓
- We are able to open a connection to the private IP on port 1433 ✓
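The two checks above can be repeated as a small script on the VM. This is an added example, not code from the original post; the server name is a placeholder (override it with `SQL_FQDN=...`), and the script additionally verifies that the answer is an RFC 1918 address, because a public answer means the private zone is not being used and clients are still going to the public gateway.

```shell
#!/bin/sh
# Added example, not from the original post: the DNS and port checks from the
# demo VM, plus a sanity check that the resolved address is actually private.
SQL_FQDN=${SQL_FQDN:-demo-sql.database.windows.net}   # assumed placeholder
SQL_PORT=1433

# Private Link resolves <server>.database.windows.net via a CNAME to
# <server>.privatelink.database.windows.net; that is the name the private zone
# (or your own DNS servers) must answer with the endpoint's A record.
privatelink_name() {
  host=${1%.}
  case $host in
    *.privatelink.database.windows.net) echo "$host" ;;
    *.database.windows.net) echo "${host%.database.windows.net}.privatelink.database.windows.net" ;;
    *) return 1 ;;
  esac
}

# 0 if the dotted quad is in 10/8, 172.16/12 or 192.168/16; 1 for public or malformed input.
is_private_ip() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# First IPv4 answer for a name (follows the CNAME chain): getent, or dig as fallback.
resolve_ipv4() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
  else
    dig +short "$1" A | awk '/^[0-9.]+$/ {print; exit}'
  fi
}

# TCP reachability without a SQL client: nc if present, else bash's /dev/tcp.
tcp_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

check_private_link() {
  fqdn=$1; port=$2
  ip=$(resolve_ipv4 "$fqdn")
  [ -n "$ip" ] || { echo "FAIL: $fqdn does not resolve"; return 1; }
  if is_private_ip "$ip"; then
    echo "OK:   $fqdn -> $ip (private endpoint; record: $(privatelink_name "$fqdn"))"
  else
    echo "FAIL: $fqdn -> $ip is a public address; the private DNS zone is not in effect"; return 1
  fi
  if tcp_open "$ip" "$port"; then
    echo "OK:   TCP $port open on $ip"
  else
    echo "FAIL: TCP $port closed on $ip (NSG on the VM or endpoint subnet?)"; return 1
  fi
}

# Run the live checks only when asked, so the functions can also be sourced.
[ -z "${RUN_CHECK:-}" ] || check_private_link "$SQL_FQDN" "$SQL_PORT"
```

Run it with `RUN_CHECK=1 sh check-pe.sh` on the demo VM. Keep the connection string pointing at the FQDN: the script connects to the IP only to prove the port is open, since the SQL gateway needs the server name from the TDS login to route the session.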

This feature will be much appreciated by our fellow security and firewall colleagues! Way to go Microsoft, hooray!