sql-server, azure, azure-virtual-network

What do I need to connect to SQL Server using Private Endpoint


I want to secure access to my data in Azure. The data should be accessible by 1 web app, that is available publicly.

So, in the app properties of the webapp I have a connection string to SQL Server, referencing it by its public URL (MY_SERVER.database.windows.net). On the server itself I have "Allow Azure services" access enabled.

In order to implement security I tried to:

  1. create a VNet
  2. split it into 2 subnets ("sql" and "app")
  3. create a Service Endpoint for sql subnet
  4. limit access to SQL Server to only from the sql subnet of the VNet and disable the "Allow all Azure services" option
  5. create a Private Endpoint for the webapp that needs to have access to data in the "app" subnet

Unfortunately, that did not work, and from the logs I saw that the webapp could not bypass the firewall rules of the SQL server - it was using the webapp's public IP.

So - is it required to have a private DNS zone for "privatelink.database.windows.net"? I would very much like to avoid the DNS zone due to its cost...


Solution

  • You don't need a private endpoint on the App Service. Private endpoints there are for inbound connections only, if you wanted to connect to the App Service from within the VNET. What you need is VNET integration. You need to delegate a subnet for App Service and set up the integration: https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable

    You could create a private endpoint for the SQL though. Then you can disable public access entirely and only connections through the private endpoint will be allowed. You will need a private DNS zone in this case at least. Not sure if you need one with service endpoints.
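One way to build the layout the answer recommends (VNet integration for the web app, a private endpoint plus private DNS zone for SQL, and public access on the server switched off), as an added Bicep example that is not from the question or the answer; all resource names, address ranges and the name of the existing App Service plan are assumptions.

```bicep
// Added example with hypothetical names and address ranges; nothing here is taken from the question.
param location string = resourceGroup().location
@secure()
param sqlAdminPassword string // supplied at deploy time, never hard-coded
// VNet: "app" subnet delegated to App Service (VNet integration), "sql" subnet for the private endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'app-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [
      { name: 'app', properties: { addressPrefix: '10.10.1.0/24', delegations: [{ name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }] } }
      { name: 'sql', properties: { addressPrefix: '10.10.2.0/24' } }
    ]
  }
}
// SQL server with public network access off: firewall rules and "Allow Azure services" no longer matter,
// only traffic arriving through the private endpoint is accepted.
resource sql 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'my-sql-server-example'
  location: location
  properties: { administratorLogin: 'sqladmin', administratorLoginPassword: sqlAdminPassword, publicNetworkAccess: 'Disabled' }
}
// Private endpoint in the "sql" subnet, exposing the sqlServer sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'sql-pe'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [{ name: 'sql', properties: { privateLinkServiceId: sql.id, groupIds: ['sqlServer'] } }]
  }
}
// Private DNS zone linked to the VNet: inside it, <server>.database.windows.net resolves to the endpoint's
// private IP, so the web app keeps its normal host name in the connection string.
resource dns 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.database.windows.net', location: 'global' }
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = { parent: dns, name: 'app-vnet-link', location: 'global', properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false } }
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [{ name: 'sql', properties: { privateDnsZoneId: dns.id } }] }
}
// Web app on an existing plan (assumed name), integrated into the delegated "app" subnet;
// vnetRouteAllEnabled sends all outbound traffic through the VNet.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' existing = { name: 'app-plan' }
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'my-web-app-example'
  location: location
  properties: { serverFarmId: plan.id, virtualNetworkSubnetId: vnet.properties.subnets[0].id, siteConfig: { vnetRouteAllEnabled: true } }
}
```

Deploy into the resource group with `az deployment group create`; with `publicNetworkAccess` set to `Disabled`, a connection attempt from the app's public IP (the failure seen in the question's logs) is rejected at the server, and only the VNet-integrated path through the private endpoint succeeds.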