This month, Microsoft announced the general availability of Virtual Network Service Endpoints for Azure SQL Database in all Azure regions.

What does this mean for our customers?

Previously, Azure customers were limited to accessing their PaaS SQL database instances via the public internet. Not only did this raise significant security concerns, it also made management tiresome, with each client needing to be added manually to the SQL server firewall for access.

These concerns have now been addressed with the general availability of VNet Service Endpoints for Azure SQL Database. Service endpoints allow traffic from selected virtual networks and subnets to traverse a secure medium, the Azure network backbone. Removing public internet access to resources and allowing only virtual network traffic addresses both the security and the overhead concerns. Using the Azure backbone also allows for more optimal routing of service traffic.

We did find one limitation, although only a slight one: service endpoints cannot be used for traffic from on-premises networks to Azure services. This would have been particularly useful for customers who prefer to connect to their Azure SQL databases from their on-premises networks.

How much will this new feature cost me?

Nothing! There is no additional charge for using service endpoints.

How easy is this to implement? What happens to my existing firewall rules?

You can be up and running in a matter of minutes. Implementation is particularly straightforward, and Microsoft provides detailed step-by-step instructions.

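Turning on service endpoints does not override any existing firewall rules; the two can be used concurrently. This is especially helpful in minimising disruption for customers moving away from manual firewall rules to service endpoints. Because the existing rules stay in force, they keep granting access until they are removed, so review them once the virtual network rules are in place.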
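
Since existing firewall rules are not overridden, the following added example (not from the original post or from Microsoft's instructions) lists the IP rules that still grant access after a move to service endpoints, broadest first. The sample input is constructed and shaped like the JSON output of az sql server firewall-rule list; the function names and the 256-address threshold are assumptions.

```python
import ipaddress
import json

# Constructed sample, shaped like `az sql server firewall-rule list -o json`
# (only the fields used below). Rule names and addresses are made up.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "legacy-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
  {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]""")

# Review order: broadest exposure first.
SEVERITY = {"any-address": 0, "azure-services": 1, "wide-range": 2, "narrow": 3}


def classify_rule(rule, wide_threshold=256):
    """Return (kind, address_count) for one IP firewall rule."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    if end < start:
        raise ValueError(f"rule {rule['name']!r}: end address precedes start")
    if start == 0 and end == 0:
        # Special case: 0.0.0.0-0.0.0.0 is how Azure SQL stores the
        # "allow Azure services" setting; it is not a single-host rule.
        return "azure-services", None
    count = end - start + 1
    if start == 0 and end == 2**32 - 1:
        return "any-address", count
    return ("wide-range" if count >= wide_threshold else "narrow"), count


def remaining_ip_rules(rules, wide_threshold=256):
    """List the IP rules still granting access, broadest first."""
    findings = []
    for rule in rules:
        kind, count = classify_rule(rule, wide_threshold)
        findings.append({"name": rule["name"], "kind": kind, "addresses": count})
    return sorted(findings, key=lambda f: (SEVERITY[f["kind"]], f["name"]))


if __name__ == "__main__":
    for f in remaining_ip_rules(SAMPLE_RULES):
        print(f"{f['kind']:<15} {f['name']:<26} addresses={f['addresses']}")
```

Every rule the script reports, including the narrow ones, is a path to the server that does not depend on the virtual network rules.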

If you would like help implementing VNet Service Endpoints, please contact us here.