Azure SQL Server VNet integration fails as soon as private endpoint is created
Looks like VNet integration for Azure SQL Server breaks as soon as the VNet is connected to a private DNS service and that SQL Server has a private endpoint in a different VNet.
The problem starts appearing under following conditions:
- App Service and SQL Server connect via VNet integration
- SQL Server is exposed via private endpoint in some other Vnet
- A private DNS is deployed on the VNet to provide connection to another SQL Server
Consider the following deployment:
Here two copies of the app are deployed in separate regions. They are able to connect to SQL Servers in their regions via VNet integration. Also app-service-2 is able to connect to sql-server-1 (cross-region) via private endpoint. That connection requires private DNS deployment to vnet-2. At this point it all works fine.
Now let's add another private endpoint to allow app-service-1 connection to sql-server-2:
What I observe at this point is that both SQL Servers become unresolvable by DNS in their corresponding VNets. They are still available via private endpoints cross-region, as well as via internet. Only inside a VNet that has some private DNS configured SQL Servers become unresolvable other than with their private DNS.
I have not found any mentions of that behavior in the documentation. Also the portal shows SQL Server as available via VNet integration, despite the situation being opposite.
- Is that some bug in Azure or am I missing something important here?
- Can I make SQL Servers available to apps in the same region, other than via another private endpoint?
Edit:
Here are some more scenarios of DNS resolution failures and successes:
- DNS resolution for SQL Server with a private endpoint still works from the internet.
- DNS resolution for SQL Server with a private endpoint still works from a VNet that doesn't have Private DNS deployed (same as on the first picture)
- DNS resolution for SQL Server with a private endpoint fails from a VNet that has Private DNS attached, regardless of private endpoints in that VNet.
DNS resolution for SQL Server without a private endpoint works fine from everywhere.
I tried to reproduce the same in my environment I got the results successfully like below:
Created two app services with different regions East us and East us2 like below:
App service 1:
App service 2:
Created a virtual network with different address space and separate regions like below:
Virtual network 1:
Virtual network 2:
Now, created SQL database & SQL server with East us and East us2 like below:
In SQL server -> networking -> private endpoint -> created private endpoint as the same region if App service and SQL are in Eastus created private endpoint with East and same App service and SQL are in East us2 create a private endpoint with EastUS2 like below:
I agree with Thomas Ensure that sql server is in geo-replication and try to peer vnet like below:
Now, when I try to check in the console to connect my app service with SQL server it connected successfully like the below:
App service 1 connected with both the SQL server with different regions like below:
App service 2 also connected with both the SQL server with different regions like below:
Additionally, On Remote desktop I try to validate the connection using nslookup it executed and I try to connect with SSMS it connected successfully like below:
- ADF Out of memory exception
- Azure DevOps pipeline is throwing a "##[error]Project file(s) matching the specified pattern were not found". when publishing my app?
- Microsoft Entra ID: Receiving Old Token Version Despite Setting accessTokenAcceptedVersion to 2
- Rule Syntax for Azure user.memberof
- (unknown) Precondition failed when trying to create MS Graph Subscription
- Azure Function App Service Bus Trigger: Process 1 message at a time
- Azure HTTP Trigger - How to extract query parameter value from input binding- cosmosDB
- Python app deployment to Azure web app from pipeline not including requirement packages
- Force Azure Function using Service Bus Queues to only process one mesage at a time
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint
- Is there a way to get static ip address for Azure Data Factory
- azure key vault - lag on secret changes
- How to create connection to create - queue item - HTTP Trigger - local - Azurite - Azure Queue Storage
- Getting error "404 The specified blob does not exist" when downlading blob using Uri
- How scopes are added to token in Azure Entra ID?
- Why does my Azure Cosmos DB SQL API Container Refuse Multiple Items With Same Partition Key Value?
- Postgres on Azure kubernetes volume permission error
- Azure: Subscribing to an external MQTT Broker
- azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding - Argo workflow
- Bash variable in JMESPath query expression
- Azure Devops pipeline failing due to AZ.Accounts Module update by MSFT
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
- Access Package Endpoint doesn't seem to be working
- install docker bash script doesn't work when used as Custom Data for Azure VM
- Docker image is not updating on Azure container registry via gitlab
- Terraform - How to find Azure Kubernetes AKS vnet ID for network peering
- Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success
- Verify that Bicep can return values from Azure Key vault