I have a requirement to configure both Private and Service endpoints on Azure SQL firewall.
Here is a quick simulated scenario
Scenario 1: Subnet1 of VNet 1 is configured with Azure SQL service endpoint and whitelisted in Azure SQL DB firewall (service endpoint). This allows VM1 to access the database without any issues.
Scenario 2: When I added a private endpoint from a different VNET (VNet2) to this Azure SQL DB to allow access from VM2 inside VNET 2, the existing connectivity between VM1 and DB is lost.
Is it because the addition of private endpoint to the SQL DB firewall allows all incoming connection to use only the Private DNS endpoint associated with the private endpoint by default?
If so, what's required to allow VM1 using Service Endpoint to still use the DB and enable the service to co-exist both private and service endpoints?
When you enable Private Endpoint for Azure SQL you're given a new DNS name to connect to, which should resolve to a private IP address.
You can get the DNS name and IP address from the network settings of the SQL database.
VM1 is either still trying to connect to the public IP address, which is now blocked because Private Endpoint is enabled, or it is trying to connect to the internal address - which is blocked by your firewall.
Since you created the PE in VNet 2, its interface is accessible by VM2, since it's in the same network.
VM1 needs a path to communicate with VNet 2. You should either have a VNet peering between VNet 1 and VNet 2, or you should have a Firewall VNet acting as a hub or bridge between the two which is connected to both.