What should Azure SQL Server endpoint be connected to?

Steven Karp 0 Reputation points
2023-02-08T21:50:33.2266667+00:00

I wish to connect to our Azure virtual network and related services using Bastion, which is on it's own subnet.

Should I place the Endpoint for a Service on the Bastion subnet or the virutal network subnet?

This is my first time using Bastion so I'm unclear if endpoints should be on a different subnet within the Virtual Network or the Bastion subnet

For instance, I have a Blob Storage endpoint and a Azure SQL endpoint...both sub nets are available for me to assign the endpoint to. But I'm unsure which is the correct or best practice.

Azure Bastion
Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.
268 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,575 questions
{count} votes

2 answers

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,666 Reputation points Microsoft Employee
    2023-02-09T12:01:11.52+00:00

    Hello @Steven Karp ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to you would like to connect to your Azure virtual network and related services such as Blob Storage and an Azure SQL using Bastion and want to know what are the best practices to achieve this.

    Azure Bastion is a service that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

    Azure Bastion requires a dedicated subnet "AzureBastionSubnet". You must create this subnet in the same virtual network that you want to deploy Azure Bastion to. The subnet must have the following configuration:

    • Subnet name must be "AzureBastionSubnet".
    • Subnet size must be /26 or larger (/25, /24 etc.).
    • For host scaling, a /26 or larger subnet is recommended. Using a smaller subnet space limits the number of scale units. For more information, see the Host scaling section of this article.
    • The subnet must be in the same VNet and resource group as the bastion host.
    • The subnet cannot contain additional resources.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet

    Now to connect to your services such as Blob Storage or Azure SQL using Bastion, you can make use of Azure Private Endpoint.

    A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

    To connect to your Blob Storage or Azure SQL using Bastion, you should follow the below steps:

    • Deploy bastion in your Vnet with its own dedicated AzureBastionSubnet. Nothing else can be deployed in this subnet.
    • Create a virtual machine in a separate subnet (VM subnet in the same Vnet).
    • Create an Azure Storage/Azure SQL server and private endpoint. The private endpoint should be created in your VM subnet.
    • Disable public access to Azure Storage/Azure SQL server account and use private access.
    • Test connectivity to the storage/SQL server private endpoint by connecting to the VM using Bastion and then accessing SQL server/storage account from this VM by installing Microsoft Azure Storage Explorer or SQL Server Management Studio in the VM.

    Below are the docs showing the step-by-step tutorial on how to Connect to an Azure Storage/SQL server account using an Azure Private Endpoint and Azure Bastion:

    Azure Storage account: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal

    Azure SQL server: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. msrini-MSFT 9,286 Reputation points Microsoft Employee
    2023-02-10T19:59:24.8833333+00:00

    Hi,

    Azure Bastion is used to connect to a IaaS instance deployed in a VNET. If you have a SQL deployed as VM in the VNET, then you can connect to that VM via Bastion. But if you want to connect to a PaaS resource from the Bastion, it is not possible. You will need to use Bastion to get to one of the VMs and then you can connect storage endpoint from there using service endpoint or Private Endpoint.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.