I want to secure access to my data in Azure. The data should be accessible by 1 web app, that is available publicly.
So, in the app properties of the web app I have a connection string to SQL Server, referencing it by its public URL (MY_SERVER.database.windows.net). On the server itself I have "Allow Azure services" access enabled.
In order to implement security I tried to:
Unfortunately, that did not work, and from the logs I saw that the web app could not bypass the firewall rules of the SQL server, using the web app's public IP.
So, is it required to have a private DNS zone for "privatelink.database.windows.net"? I would very much like to avoid the DNS zone due to its cost...
You don't need a private endpoint on the App Service. Private endpoints there are for inbound connections only, if you wanted to connect to the App Service from within the VNET. What you need is VNET integration. You need to delegate a subnet for App Service and set up the integration: https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable
You could create a private endpoint for the SQL though. Then you can disable public access entirely and only connections through the private endpoint will be allowed. You will need a private DNS zone in this case at least. Not sure if you need one with service endpoints.
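As an added example (not part of the question or the answer above, and not Microsoft's own scripts), the two paths the answer describes, written as Azure CLI steps: regional VNet integration for the App Service first, then either a service endpoint plus a VNet firewall rule on the SQL server (no private DNS zone needed, because the app keeps resolving the public FQDN) or a private endpoint with the `privatelink.database.windows.net` zone and public access disabled. All resource names, the address space and the subscription id are placeholder assumptions; the script prints each command and only executes it when `DRY_RUN=0` is set against a logged-in `az` session.

```shell
#!/bin/sh
# Added example: lock down Azure SQL to one App Service. Every name below is an
# assumed placeholder; override via environment variables.
RG="${RG:-rg-example}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-example}"
APP_SUBNET="${APP_SUBNET:-snet-app-integration}"
PE_SUBNET="${PE_SUBNET:-snet-private-endpoints}"
WEBAPP="${WEBAPP:-my-webapp}"
SQL_SERVER="${SQL_SERVER:-MY_SERVER}"
# In a real run fill this from: az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv
SQL_SERVER_ID="${SQL_SERVER_ID:-/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/$RG/providers/Microsoft.Sql/servers/$SQL_SERVER}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the az command; execute it only when DRY_RUN=0.
run() {
  printf 'az %s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then az "$@"; fi
}

# Step 1 (both paths): a subnet delegated to Microsoft.Web/serverFarms, then
# regional VNet integration so the app's outbound traffic leaves from that subnet
# instead of the shared public IPs that the SQL firewall could not match.
integrate_webapp() {
  run network vnet create -g "$RG" -l "$LOCATION" -n "$VNET" \
      --address-prefix 10.10.0.0/16 \
      --subnet-name "$APP_SUBNET" --subnet-prefix 10.10.1.0/24
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" \
      --delegations Microsoft.Web/serverFarms
  run webapp vnet-integration add -g "$RG" -n "$WEBAPP" \
      --vnet "$VNET" --subnet "$APP_SUBNET"
}

# Path A: service endpoint + VNet rule. The SQL server keeps its public endpoint,
# but the firewall only admits the delegated subnet; the broad
# "Allow Azure services" rule (named AllowAllWindowsAzureIps) is removed.
lock_down_with_service_endpoint() {
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" \
      --service-endpoints Microsoft.Sql
  run sql server vnet-rule create -g "$RG" -s "$SQL_SERVER" -n allow-app-subnet \
      --vnet-name "$VNET" --subnet "$APP_SUBNET"
  run sql server firewall-rule delete -g "$RG" -s "$SQL_SERVER" -n AllowAllWindowsAzureIps
}

# Path B: private endpoint. Needs the privatelink DNS zone linked to the VNet so
# MY_SERVER.database.windows.net resolves to the private IP; public access is
# then switched off entirely.
lock_down_with_private_endpoint() {
  run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
      --address-prefixes 10.10.2.0/24
  run network private-endpoint create -g "$RG" -l "$LOCATION" -n "pe-$SQL_SERVER" \
      --vnet-name "$VNET" --subnet "$PE_SUBNET" \
      --private-connection-resource-id "$SQL_SERVER_ID" \
      --group-id sqlServer --connection-name "pe-$SQL_SERVER-conn"
  run network private-dns zone create -g "$RG" -n privatelink.database.windows.net
  run network private-dns link vnet create -g "$RG" \
      --zone-name privatelink.database.windows.net -n "link-$VNET" \
      --virtual-network "$VNET" --registration-enabled false
  run network private-endpoint dns-zone-group create -g "$RG" \
      --endpoint-name "pe-$SQL_SERVER" -n default \
      --private-dns-zone privatelink.database.windows.net --zone-name sql
  run sql server update -g "$RG" -n "$SQL_SERVER" --enable-public-network false
}

# Usage: MODE=service-endpoint DRY_RUN=0 sh lockdown.sh   (or MODE=private-endpoint)
case "${MODE:-}" in
  service-endpoint) integrate_webapp; lock_down_with_service_endpoint ;;
  private-endpoint) integrate_webapp; lock_down_with_private_endpoint ;;
  *) ;;
esac
```

Path A is the cheaper one the question is asking about: the connection string stays exactly as it is and no DNS zone is created, at the cost of the server still answering on its public endpoint (only to the allowed subnet). Path B is the stricter one and is where the private DNS zone becomes mandatory, since without it the public name keeps resolving to the public IP that you have just disabled.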