Azure-docs: Limitations does not account for no NSG/Firewall available for internal access

Created on 8 Apr 2020 · 5 comments · Source: MicrosoftDocs/azure-docs

There are no details on how to restrict access on the internal network.
How do I restrict access from other subnets? NSGs are apparently not supported. The only suggestion I read was to set outbound NSG rules on all other subnets to deny access. This is not possible in a large dispersed network with ExpressRoute and other public and private cloud providers in the mix.
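The thread's only suggested mitigation is an outbound deny rule on every other subnet, which only holds if no subnet is missed. The following is an added audit example (not code from the issue or from Microsoft) that evaluates simplified outbound NSG semantics against a constructed inventory and lists the subnets that can still reach the private endpoint on TCP 1433; the subnet names, rules and addresses are made up.

```python
import ipaddress

# Constructed sample values: the private endpoint NIC address of the SQL server and its port.
PE_IP = ipaddress.ip_address("10.10.5.4")
SQL_PORT = 1433

# Constructed inventory: subnet -> custom outbound NSG rules.
# Each rule: priority (lower number wins), access, destination prefix, destination ports
# ("*" means any). Source prefixes and protocol are omitted to keep the model small.
INVENTORY = {
    "app-subnet":    [{"priority": 100, "access": "Allow", "dest": "10.10.5.4/32", "ports": {1433}}],
    "web-subnet":    [{"priority": 200, "access": "Deny",  "dest": "10.10.5.0/24", "ports": "*"}],
    "legacy-subnet": [],  # no custom rules at all: Azure's default rules decide
}

# Azure default outbound rules, simplified: VNet traffic is allowed at 65000
# (modelled here as any destination) and everything else is denied at 65500.
DEFAULT_RULES = [
    {"priority": 65000, "access": "Allow", "dest": "0.0.0.0/0", "ports": "*"},
    {"priority": 65500, "access": "Deny",  "dest": "0.0.0.0/0", "ports": "*"},
]


def rule_matches(rule, ip, port):
    """True if the rule's destination prefix and port set cover this flow."""
    if rule["ports"] != "*" and port not in rule["ports"]:
        return False
    return ip in ipaddress.ip_network(rule["dest"])


def outbound_access(rules, ip, port):
    """NSG evaluation order: ascending priority, first matching rule decides."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if rule_matches(rule, ip, port):
            return rule["access"]
    return "Deny"


def subnets_with_access(inventory, ip, port):
    """Subnets whose outbound rules still allow traffic to the endpoint on this port."""
    return sorted(name for name, rules in inventory.items()
                  if outbound_access(rules, ip, port) == "Allow")


if __name__ == "__main__":
    for name in subnets_with_access(INVENTORY, PE_IP, SQL_PORT):
        print(f"{name}: can reach {PE_IP}:{SQL_PORT} (no effective outbound deny)")
```

Note that a subnet with no custom rules falls through to the default VNet allow, which is exactly the case the thread worries about: every subnet, including those reached over ExpressRoute or VPN, needs an explicit deny for the mitigation to hold.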


Labels: Pri1, assigned-to-author, doc-enhancement, sql-databassvc, triaged

All 5 comments

@dr-ivan Thank you for providing this feedback. Are you looking to confirm this limitation or functionality or are you looking for clarity with regard to the documentation? We appreciate all the feedback as it helps us improve the documentation.

@Mike-Ubezzi-MSFT There is a limitation where you can't apply NSGs to Private Endpoints. This is missing under limitations and should be added. It is noted here; however, it's not clear how to apply mitigation.
We need clarity on how, when using Private Endpoints, we prevent all internal IP addresses (except the ones we explicitly allow) from being able to connect to the SQL server. A diagram would be great, and it needs to cover off restricting access from other subnets, other VNets and down ExpressRoute/VPN connections.

Further to this, on the left menu there are pages just above this one regarding 'vNet Firewall Rules/vNet endpoints' that should clearly state that Private Endpoints do not work with vNet Firewall rules and Service Endpoints. It gets quite confusing as to how to enable this configuration.

@dr-ivan Great feedback for the content team who will evaluate and make updates as appropriate.

@Mike-Ubezzi-MSFT I suggest we reassign this to the content team on the Networking side, since they will need to publish this guidance at a uniform level for all PaaS services. I can then do the follow-up for the SQL DB specific docs.

This needs to be redirected to networking team #please-close
