Azure SQL DB server disabled public access but still working.

Riju Kumar 0 Reputation points
2025-03-05T09:51:10.0033333+00:00

I have an Azure SQL server where we disabled public access, but I’m still able to connect via telnet. Additionally, we observed that when performing an nslookup on the server's FQDN, it resolves to the public IP. We do have an entry in the private endpoint DNS, but it’s still resolving to the public IP.

Azure SQL Database

2 answers

  1. TP 108.6K Reputation points
    2025-03-05T10:09:53.3133333+00:00

    Hi,

    What you are seeing is normal and expected.

    Azure SQL Database is a multi-tenant Platform-as-a-Service (PaaS) and as a result you are not connecting to a public IP address for a dedicated instance of SQL Server. Instead it is shared by many different customers, some of which allow access via public Internet.

    When you telnet from an external network you are making an initial, unauthenticated TCP connection to the shared Gateway. At this point in the connection process the service doesn't have enough information to decide if the connection should be allowed or not based on SQL firewall settings.

    If you attempt a full SQL connection using an appropriate client, the connection should fail as soon as the service has enough information to know that it should be blocked due to your SQL firewall settings.

    With regard to nslookup, if performing this externally, it is normal for it to resolve to the public IP address. When performing the lookup from the VNet where the Private Endpoint is, it should resolve to the private IP of the endpoint.

    Please see the article below for details on the Azure SQL Database connectivity architecture.

    Azure SQL Database and Azure Synapse Analytics connectivity architecture

    https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql#connectivity-architecture

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


  2. Vijayalaxmi Kattimani 1,640 Reputation points Microsoft External Staff
    2025-03-05T10:29:01.2233333+00:00

    Hi Riju Kumar,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    In addition to the response provided by @TP, I would like to add the following information.

    As we understand, you are experiencing an issue where your Azure SQL server's public access is disabled, yet you are still able to connect via telnet, and the server's FQDN resolves to the public IP despite having a private endpoint DNS entry.

    We would like to inform you that the issue might be related to the Azure SQL Public Gateway. When you disable public network access, it only restricts direct access to the SQL server itself, but the public gateway remains accessible. This gateway is required for various Azure services and is designed to be open for everyone, which is why telnet connections can still reach it. Please refer to this document: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql#connectivity-architecture

    Additionally, the DNS resolution to the public IP can occur because the Azure SQL server's FQDN is designed to resolve to the public IP by default. Even with a private endpoint DNS entry, the public IP resolution can still happen unless the private DNS zone is correctly configured, and the network settings are properly aligned.

    To address this issue, you can ensure that your private DNS zone is correctly configured and that your network settings are properly aligned to prioritize the private endpoint. Additionally, you might want to review the firewall rules and network security groups to ensure that they are correctly set up to restrict unwanted access.

    Here are links to some parallel threads that might help you:

    https://learn.microsoft.com/en-us/answers/questions/1334742/azure-sql-server-ports-still-open-when-public-netw

    https://learn.microsoft.com/en-us/answers/questions/2074298/issue-with-unrestricted-telnet-access-to-azure-sql

    https://techcommunity.microsoft.com/blog/azuredbsupport/lesson-learned-285-why-can-i-still-telnet-to-port-1433/3716469

    I hope this response addresses your query and helps you overcome your challenges.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further query, do let us know.

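As an added check that applies both answers above (example code written for this thread, not code from either answerer or from Microsoft): resolve the logical server's FQDN from the machine in question and report whether the answer is the shared gateway's public IP, which both replies say is expected from outside the VNet, or a private endpoint address, which is expected from inside a VNet linked to the private DNS zone. The placeholder server name, the "outside_vnet"/"inside_vnet" labels and the RFC 1918 ranges are assumptions.

```python
from __future__ import annotations

import ipaddress
import socket
import sys

# A private endpoint NIC gets an address from the VNet's address space, which is
# almost always RFC 1918 (assumption; extend the list if your VNet uses other ranges).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_ips(fqdn: str, port: int = 1433) -> list[str]:
    """Resolve fqdn with the local resolver; the answer depends on where this runs."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_resolution(addresses: list[str]) -> str:
    """Return 'private', 'public', 'mixed' or 'none' for a set of resolved addresses."""
    kinds = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        kinds.add("private" if any(ip in net for net in PRIVATE_RANGES) else "public")
    if kinds == {"private", "public"}:
        return "mixed"
    return kinds.pop() if kinds else "none"


def assess(vantage: str, addresses: list[str]) -> tuple[bool, str]:
    """Compare the resolution against what the thread says to expect from each vantage point."""
    kind = classify_resolution(addresses)
    if vantage == "outside_vnet":
        ok = kind == "public"  # shared gateway IP: normal, the SQL firewall decides later
        note = "gateway public IP, expected" if ok else "unexpected private answer outside the VNet"
    elif vantage == "inside_vnet":
        ok = kind == "private"  # private endpoint IP: the linked private DNS zone is in effect
        note = ("private endpoint IP, private DNS zone is in effect" if ok
                else "public/mixed answer: the VNet is not resolving via the private DNS zone")
    else:
        raise ValueError(f"unknown vantage {vantage!r}")
    return ok, f"{kind}: {note}"


if __name__ == "__main__":
    # Placeholder server name; pass your own FQDN as argv[1] and the vantage as argv[2].
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "myserver.database.windows.net"
    vantage = sys.argv[2] if len(sys.argv) > 2 else "inside_vnet"
    ips = resolve_ips(fqdn)
    ok, detail = assess(vantage, ips)
    print(f"{fqdn} -> {ips} ({detail})")
    sys.exit(0 if ok else 1)
```

A non-zero exit from inside the VNet means the private endpoint exists but the VNet is still getting the public answer, which is the DNS-zone linkage problem described in the second answer.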
