Hi @Seekell, Roger,
Thanks for the question and using MS Q&A platform.
To safeguard against regional outages for SQL Server authentication via Azure Entra ID when using Azure Arc, it is essential to ensure that your Private DNS configuration supports failover and high availability across multiple regions.
Steps:
- Set Up Private Endpoints for Azure AD Authentication
To get your SQL Server to use Azure AD for authentication, we’ll be using Private Link. This allows private connectivity to Azure AD without going over the public internet.
Create Private Endpoints: Set up Private Endpoints for Azure AD in all the regions where your SQL Servers are running (or where you plan to run them). This ensures that each region has its own private IP for Azure AD. (Make sure the Private Endpoint is for Azure AD authentication, e.g., *.database.windows.net.)
Link to Azure Arc: Your on-prem SQL Servers need to be registered with Azure Arc and configured to use these Private Endpoints for authentication.
- Configure Private DNS Zone
Now, we need Azure Private DNS to resolve the private IPs for Azure services like Azure AD.
Create a Private DNS Zone: In the Azure portal, create a Private DNS Zone for the Azure AD authentication service (e.g., *.database.windows.net).
This zone will manage which Private Endpoint IPs get resolved in each region.
Link the DNS Zone to VNets: Once the DNS zone is created, link it to each VNet in each region where your SQL Servers and Private Endpoints are set up. This makes sure that DNS queries from SQL Servers, whether they're in Azure or on-prem, are resolved to the right Private Endpoint IP.
Add DNS Records: For each region, add DNS records in the Private DNS Zone that point *.database.windows.net to the Private Endpoint IP addresses in that region.
- Ensure DNS Resolution for Failover Between Regions
To handle regional failures, we need to make sure that if one region goes down, traffic is automatically routed to another working region.
Use Azure Traffic Manager: Traffic Manager is a DNS-based load balancer that helps route traffic to different endpoints based on region health or priority.
DNS Failover: Now, link the Traffic Manager profile to your Private DNS Zone. Instead of DNS records pointing to specific Private Endpoint IPs, they’ll point to the Traffic Manager profile. This lets DNS failover happen automatically between regions if something goes wrong.
If one region fails, Traffic Manager updates DNS records to route traffic to the backup region, so SQL Server authentication can keep working.
References:
1) https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#databases
2) https://learn.microsoft.com/en-us/azure/azure-arc/servers/private-link-security
Hope this helps. Do let us know if you have any further queries. If this answers your query, do click Accept Answer and Yes for "Was this answer helpful?". And, if you have any further query, do let us know.
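Once the zone, its VNet links and the regional records are in place, the check worth running is that every resolver the SQL Servers use (each region's VNet, and the forwarders the on-prem Arc-enabled hosts point at) answers the server FQDN with the private endpoint address rather than the public one. The script below is an added example, not part of the answer above; it assumes `dig` is installed, and the resolver addresses passed on the command line are placeholders you supply.

```shell
#!/bin/sh
# Verify that a SQL FQDN resolves to a private endpoint IP from each resolver.
# Added example: not from the Q&A answer above. Assumes `dig` is available.

is_private_ip() {
    # Returns 0 (true) when $1 is inside 10/8, 172.16/12 or 192.168/16, else 1.
    case "$1" in
        10.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        172.1[6-9].[0-9]*.[0-9]* | 172.2[0-9].[0-9]*.[0-9]* | 172.3[01].[0-9]*.[0-9]*) return 0 ;;
        192.168.[0-9]*.[0-9]*) return 0 ;;
    esac
    return 1
}

check_private_resolution() {
    # $1 = FQDN (e.g. myserver.database.windows.net), $2 = resolver IP to query.
    fqdn=$1; resolver=$2
    # dig +short prints the CNAME hop (myserver.privatelink.database.windows.net)
    # followed by the A record; keep only the first IPv4 answer.
    answer=$(dig +short @"$resolver" "$fqdn" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$answer" ]; then
        echo "FAIL  $fqdn via $resolver: no A record (resolver unreachable or zone has no record)"
        return 1
    fi
    if is_private_ip "$answer"; then
        echo "OK    $fqdn via $resolver -> $answer (private endpoint)"
        return 0
    fi
    # A public answer means this client bypasses the private endpoint entirely:
    # the zone is not linked to that VNet, or the on-prem forwarder is missing.
    echo "FAIL  $fqdn via $resolver -> $answer (public address, private zone not in effect)"
    return 1
}

main() {
    # Usage: sh check-sql-private-dns.sh <server>.database.windows.net <resolver-ip>...
    # Resolver IPs are placeholders: use each region's VNet DNS (Azure-provided DNS is
    # 168.63.129.16, queried from inside that VNet) and the on-prem forwarders.
    fqdn=$1; shift
    rc=0
    for resolver in "$@"; do
        check_private_resolution "$fqdn" "$resolver" || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```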