We moved our Azure app into a VNet, and now we cannot connect to 3rd-party SQL Azure databases that have their own (unrelated) private endpoints

We run a SaaS which puts data in other people’s SQL Azure databases. These databases are 3rd-party and out of our control – we asked only that they whitelist our IP addresses.

Recently, we added our app to a VNet and obtained a fixed IP for ourselves. We asked our customers to whitelist the new IP address. For most, there was no problem.

However, some customers have their database within their own VNet and use private endpoints to grant access to their other systems. We have found that our app is incapable of connecting to these databases until they remove their private endpoint. Here, I am accessing the console from my Azure App and connecting to a 3rd-party database – both with and then without a private endpoint:

[screenshot: console session resolving the 3rd-party database name, first with and then without its private endpoint]

You can see the first one resolves to just the “privatelink” alias, but the second returns more info including an IP address.

SQL Redirection

At first I thought it was the SQL Redirect connection policy, so I added an NSG and outgoing rule to my own VNet, as per the various articles online that discuss SQL Redirection:

[screenshot: the NSG outbound rule added to my VNet]

This has not made a difference.

Firewall

I already had our customers whitelist our new IP address. It is worth noting though that in my own tests (with a compliant client) even if I open up the firewall to ALL IP addresses briefly, we still do not gain access. Nor do we gain access if we check the “Allow Azure Services” box. I believe this indicates that we simply cannot resolve the name in the first place, so aren’t even getting to the firewall yet (?)

To summarize

  • our system worked fine until we had our own VNet
  • once we changed to a VNet, those customers who had standalone SQL Azure databases continued to work fine (once they added our new IP address)
  • but those customers whose databases had their own (unrelated) private endpoint are NOT working

What I need

This is a SaaS, so I cannot manually wire up private endpoints to each and every client database at our end. I need either:

  • a single change I can make to my own VNet, to enable this connectivity (preferred); or
  • an instruction I can provide to my customers that would enable them to grant access to our new VNet

Thanks
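The question reasons that if the name never resolves, the connection never reaches the SQL firewall at all, so whitelisting cannot help. The following diagnostic is an added example (not code from the question or from Azure) that makes that three-way distinction explicit for a single server name: name does not resolve, name resolves but no TCP session is established, or TCP reaches the gateway (after which any remaining failure belongs to the SQL firewall or login layer). It uses only the Python standard library, assumes the default Azure SQL gateway port 1433, and the function names and the injectable `resolver`/`connector` parameters are my own so the logic can be exercised offline.

```python
import socket

# Azure SQL gateway port; assumed default, the question does not state a port.
SQL_PORT = 1433


def diagnose(host, port=SQL_PORT, resolver=socket.getaddrinfo,
             connector=socket.create_connection, timeout=5.0):
    """Return (stage, detail) describing how far a connection attempt gets.

    stage is one of:
      "dns_failure"        - no address came back for the name
      "tcp_connect_failed" - an address came back but no TCP session
      "tcp_connected"      - TCP handshake completed with the gateway
    resolver and connector are injectable (hypothetical parameters) so the
    classification can be tested without network access.
    """
    try:
        # Ask only for IPv4/TCP records; socket.gaierror is a subclass of OSError.
        records = resolver(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        # The situation the question describes: no A record is returned, so
        # no packet is ever sent and no firewall rule is consulted yet.
        return "dns_failure", str(exc)

    addresses = sorted({rec[4][0] for rec in records})
    if not addresses:
        return "dns_failure", "resolver returned no addresses"
    ip = addresses[0]

    try:
        conn = connector((ip, port), timeout=timeout)
    except OSError as exc:
        # Name resolved but the TCP handshake failed: look at the network
        # path (NSG, route table, outbound rules), not the SQL firewall.
        return "tcp_connect_failed", f"{ip}: {exc}"
    conn.close()

    # TCP reached the gateway, so DNS and the path are fine; anything that
    # still fails happens at the SQL firewall / login layer.
    return "tcp_connected", ip


def is_privatelink_alias(name):
    """True for the private-link alias form shown in the console output
    (for example x.privatelink.database.windows.net), which is the name a
    server with a private endpoint is aliased to."""
    return ".privatelink." in name.lower()


if __name__ == "__main__":
    import sys
    # Placeholder server name; replace with the real host when running from the app console.
    target = sys.argv[1] if len(sys.argv) > 1 else "example-server.database.windows.net"
    print(target, diagnose(target))
```

Run it from the App Service console against the customer's server name: a `dns_failure` result confirms that the firewall and "Allow Azure Services" settings are not what is being tested, while `tcp_connected` would point the investigation back at the customer's firewall rules instead.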
