The tooltip in the portal states that setting Deny Public Network Access to "Yes" allows connections via private endpoint AND disables any existing firewall rules. It then provides a link to this page; however, there is no mention here of how custom rules are handled. Previously my understanding was that the Allow public access button effectively put an Any/Any Allow at the bottom of the custom rules, and a Deny would similarly put an Any/Any Deny at the bottom of the custom rules, allowing those to still be effective on the public endpoint.
This setup would allow flexibility in connecting to the resource in question (SQL this time). Without this, for a 3rd party to call the DB we would have to NAT them in over a firewall or similar gateway. Which is fine; I am just looking for guidance on how custom rules are dispositioned.
@jdemaree We are checking this and we will get back to you.
@rohitnayakmsft Can you please check this and provide guidance here.
@jdemaree By setting Deny Public Network Access to Yes, the code path for firewall rules evaluation (including the 0.0.0.0 rule) is blocked and only approved connections via private endpoint are allowed. We are not adding any additional rules to Deny 0.0.0.0; rather, we are ignoring any traffic that previously would have been allowed by these rules. Does that help answer your question?
I think the question for me is about Allow and Deny on the Public Connection and how it relates to using Private Endpoint. If Public Access is allowed and you have a Private Endpoint, is routing to the public endpoint still possible?
@rohitnayakmsft Can you please check this further.
@jdemaree If you set Deny Public Network Access to Yes, only logins via private endpoint are allowed. If you set it to No (default), then you have both public access (via firewalls) and private endpoints. You would use the latter in a situation where you want both modes of access and want to ensure that the private endpoint works fine before you switch off all access via the public endpoint.
Thanks
@rohitnayakmsft - when you say, "If you set it to No ( default) then you have both public access ( via firewalls)" what firewalls are you referencing?
Thx
Sorry, at the local resource firewall level. We identified that even if you apply a private link, the public link remains open and usable unless you specifically disable it with the toggle.
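An added audit example, not part of this issue thread or of the Azure docs: it applies the disposition described above (public access disabled: firewall rules are retained but skipped and only approved private endpoint connections get in; public access enabled: rules are live and a private endpoint does not close the public endpoint) to the JSON that `az sql server show -o json` and `az sql server firewall-rule list -o json` return, and flags the cases a reviewer would want to see. The server name, resource ids and IP addresses in the embedded documents are constructed samples; the layout of `privateEndpointConnections` is assumed to match what the CLI returns, so check it against real output before relying on that part.

```python
"""
Audit an Azure SQL logical server's public exposure from `az` CLI JSON.

Behaviour modelled (from the thread above):
  publicNetworkAccess == "Disabled": firewall rule evaluation is skipped,
      rules stay on the server but are ignored, only approved private
      endpoint connections are honoured.
  publicNetworkAccess == "Enabled" (default): rules are evaluated, and an
      approved private endpoint does NOT close the public endpoint.

Real data:   az sql server show -g RG -n SERVER -o json
             az sql server firewall-rule list -g RG -s SERVER -o json
Toggle:      az sql server update -g RG -n SERVER --enable-public-network false
"""
import ipaddress
import json

# Azure's special rule 0.0.0.0-0.0.0.0 means "allow all Azure services".
AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")
BROAD_RANGE_LIMIT = 256  # anything wider than a /24 is reported as broad

# CONSTRUCTED sample in the shape of `az sql server show -o json`
# (ids, names and the privateEndpointConnections layout are assumptions).
SERVER_JSON = """
{
  "name": "contoso-sql-example",
  "publicNetworkAccess": "Enabled",
  "privateEndpointConnections": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/contoso-sql-example/privateEndpointConnections/pe-example",
      "properties": {
        "privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/privateEndpoints/pe-example"},
        "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}
      }
    }
  ]
}
"""

# CONSTRUCTED sample in the shape of `az sql server firewall-rule list -o json`.
RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "partner-nat", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "wide-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""


def rule_width(rule):
    """Number of IPv4 addresses a server-level firewall rule covers."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    return end - start + 1


def classify_rule(rule):
    """'allow-all-azure-services', 'broad-range' or 'scoped'."""
    if (rule["startIpAddress"], rule["endIpAddress"]) == AZURE_SERVICES_RULE:
        return "allow-all-azure-services"
    if rule_width(rule) > BROAD_RANGE_LIMIT:
        return "broad-range"
    return "scoped"


def audit(server, rules):
    """Return which rules are live or ignored, plus findings, for one server."""
    pna = server.get("publicNetworkAccess", "Enabled")
    approved_pe = [
        c for c in (server.get("privateEndpointConnections") or [])
        if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    public_reachable = pna != "Disabled"
    findings = []
    if public_reachable:
        # Rules are evaluated: report the ones that open the public endpoint wide.
        for r in rules:
            kind = classify_rule(r)
            if kind != "scoped":
                findings.append(f"{r['name']}: {kind} rule is live on the public endpoint")
        if approved_pe:
            findings.append("approved private endpoint present but public endpoint still open; "
                            "set publicNetworkAccess=Disabled once private access is verified")
    else:
        # Rules are skipped entirely, not deleted: note them so nobody assumes they protect anything.
        if rules:
            findings.append(f"{len(rules)} firewall rule(s) retained but ignored while public access is disabled")
        if not approved_pe:
            findings.append("public access disabled and no approved private endpoint: server is unreachable")
    return {
        "publicNetworkAccess": pna,
        "public_endpoint_reachable": public_reachable,
        "effective_rules": [r["name"] for r in rules] if public_reachable else [],
        "ignored_rules": [] if public_reachable else [r["name"] for r in rules],
        "approved_private_endpoints": len(approved_pe),
        "findings": findings,
    }


def run_sample(public_network_access="Enabled"):
    """Audit the constructed sample with the toggle set to the given value."""
    server = json.loads(SERVER_JSON)
    server["publicNetworkAccess"] = public_network_access
    return audit(server, json.loads(RULES_JSON))


if __name__ == "__main__":
    for mode in ("Enabled", "Disabled"):
        print(json.dumps(run_sample(mode), indent=2))
```

Running it against the constructed sample shows the point raised in the thread: with the toggle at its default the approved private endpoint changes nothing about the public side, and the `0.0.0.0` and wide-range rules stay live; flipping it to Disabled leaves the same three rules on the server but reports them as ignored rather than deleted.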
@jdemaree - TYVM for the reply and info