@Kanishka Dobhal | Redington Thank you for posting your question. If the source and/or destination has a private link, it is not supported; docs are being updated. Please let us know if you have any further queries.
Regards
Oury
SQL DB PAAS - CREATE DATABASE as COPY OF between subscriptions when source SQL Server is privatelinked
We’re experiencing a problem when attempting the CREATE DATABASE as COPY OF between two subscriptions activity as per the documented advice here: https://learn.microsoft.com/en-us/azure/azure-sql/database/database-copy?tabs=azure-powershell#copy-to-a-different-subscription
This is intended to be between two servers that are privatelink enabled.
This works fine, but only when the source and destination servers are not privatelinked.
When we add privatelink endpoints into the mix for both the source database and the destination database, we encounter an “insufficient permissions” error. We have cross-referenced the documentation; of note, the following four topics are insightful but do not detail our scenario specifically:
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture
https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview
https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview
https://learn.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview
I suspect it is due to DNS resolution issues on the destination server not being able to resolve a network address for the privatelinked SQL source server. It is not clear where traffic is egressing from on the destination server in order to conduct a server to server copy, and bizarrely, the copy documentation states the following:
Both servers' firewalls must be configured to allow inbound connection from the IP of the client issuing the T-SQL CREATE DATABASE ... AS COPY OF command.
This is a bit misleading as the CREATE DATABASE command is sent to the destination server where it is executed, so really connectivity between the two SQL Server instances is required.
We need to confirm that the scenario is valid and achievable ahead of spending too much additional time in debugging why privatelink should make it fail.
Oury Ba-MSFT 16,081 Reputation points Microsoft Employee
2021-06-15T15:57:41.737+00:00