question

pallab asked AnuragSharma-MSFT commented

Private Link for SQL FO Group

I have an Azure Web App connecting to a SQL FO Group at the moment using the Read/Write Listener of the SQL FO group connection string. I would like to use Private Link with a Private Endpoint for the SQL DBs. So my Web App has to be enabled for Regional VNET integration, if I am not wrong. I would like to know whether I need to create two private endpoints (one per Server) or not for my Web App to work correctly if there is a failover of the SQL Database from primary to secondary.

I am following this url :
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/sql-failover/app-service-private-sql-multi-region#alternatives

I am using Terraform for provisioning infrastructure.
So I would like to know if I have to specify one SQL Private Link for the two private endpoints or not.

resource "azurerm_private_endpoint" "sql-primary-endpoint" {
  name                = module.names-pvt-endpoint.location.private_endpoint.name_unique
  # A private endpoint is created in the region of the VNet that holds its
  # subnet, not in the region of the SQL server it fronts.
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  # azurerm_resources returns a list of resources and its top-level id is not a
  # subnet id; the azurerm_subnet data source gives the subnet id directly
  # (data source name "sub-net" assumed to match the original lookup).
  subnet_id           = data.azurerm_subnet.sub-net.id

  private_service_connection {
    name                           = "sql-primary-connection"
    # Azure SQL is a PaaS service: the endpoint targets the logical SQL server
    # resource with the "sqlServer" sub-resource. azurerm_private_link_service is
    # for services you expose yourself behind a Standard Load Balancer, so it is
    # not the right target here. Server resource name "primary" is assumed.
    private_connection_resource_id = azurerm_mssql_server.primary.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}

resource "azurerm_private_endpoint" "sql-secondary-endpoint" {
  name                = module.names-pvt-endpoint-secondary.location.private_endpoint.name_unique
  # Same subnet as the primary endpoint, so the same region as that VNet; the
  # secondary SQL server itself can live in another region (e.g. eastus2).
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  subnet_id           = data.azurerm_subnet.sub-net.id

  private_service_connection {
    name                           = "sql-secondary-connection"
    # Second endpoint, second server: one private endpoint per logical server
    # in the failover group (server resource name "secondary" assumed).
    private_connection_resource_id = azurerm_mssql_server.secondary.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}
Tags: azure-sql-database, azure-dev-tool-integrations

Hi @pallab, welcome to Microsoft Q&A forum. We are checking this and will get back at the earliest.


@AnuragSharma-MSFT Hi Anurag, thanks for that. I would appreciate it if you can let me know quickly, as I have to deploy this before going live. I have an additional question in relation to SQL FO Group over a private link.

I was looking at the URI : https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-configure?tabs=azure-portal#use-private-link

If you see the section "Use Private Link" there, point #5 mentions that: "Once the private link is established, you can create the failover group following the steps outlined previously in this article."
So I would like to know whether this is mandatory or whether I can create the Private Link after I have configured my SQL FO Group.
At the moment my SQL FO Group is already there and I am right now planning to configure the Private Link. So will my use case work or not, or do I have to break my FO group and do it again?
Looking forward to hearing from you with some pointers on this.


Hi @pallab, I have sought help of product group on this issue and escalated it to them already and will respond back at the earliest once I receive the response back.


1 Answer

AnuragSharma-MSFT answered AnuragSharma-MSFT commented

Thanks for your patience. Another reply we received from PG: "Configuring Private Endpoint for Azure SQL Database doesn't require any connection string changes, so there shouldn't be any issues from the POV of connecting to the FOG R/W or read-only listener. Of course, you will need to make sure that the apps have access to the VNet where the Private Endpoint is deployed."

Please let us know if this answers your query.
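The product group's point that nothing in the connection string changes holds only if the failover-group listener name (<fog-name>.database.windows.net) resolves to the private endpoint addresses from inside the VNet the web app is integrated with. The following Terraform is an added example, not code from this thread or from Microsoft, showing the pieces that make that happen: one private endpoint per logical SQL server in the failover group, both placed in the web app's VNet region, a single privatelink.database.windows.net zone linked to that VNet with the endpoints registering their records into it, and the regional VNet integration of the web app. It generalizes the two-endpoint case to a for_each over any number of servers. The names var.sql_servers, azurerm_virtual_network.app, azurerm_subnet.endpoints, azurerm_subnet.app_integration and azurerm_app_service.web are assumptions, as are the two app settings noted at the end.

```hcl
# Added example (not from the thread): private endpoints for every server in an
# Azure SQL failover group, plus the DNS wiring that lets the FOG listener name
# resolve to the private IPs from inside the VNet.
# Assumed to exist elsewhere in the configuration:
#   azurerm_virtual_network.app, azurerm_subnet.endpoints (for endpoint NICs),
#   azurerm_subnet.app_integration (delegated to Microsoft.Web/serverFarms),
#   azurerm_app_service.web, and the SQL servers named in var.sql_servers.

variable "sql_servers" {
  description = "Logical SQL servers in the failover group, keyed by role"
  type = map(object({
    name                = string
    resource_group_name = string
  }))
  # Constructed sample values; the real servers may live in different regions.
  default = {
    primary   = { name = "sql-primary-example", resource_group_name = "rg-sql-primary" }
    secondary = { name = "sql-secondary-example", resource_group_name = "rg-sql-secondary" }
  }
}

data "azurerm_mssql_server" "fog" {
  for_each            = var.sql_servers
  name                = each.value.name
  resource_group_name = each.value.resource_group_name
}

# One zone is enough: the privatelink record of every server, and therefore the
# CNAME chain of the listener name, is answered from it.
resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net"
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "sql" {
  name                  = "link-app-vnet"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.sql.name
  virtual_network_id    = azurerm_virtual_network.app.id
  registration_enabled  = false
}

# One endpoint per server. Both sit in the app's VNet region regardless of the
# region of the SQL server, so a failover needs no network or DNS change.
resource "azurerm_private_endpoint" "sql" {
  for_each            = data.azurerm_mssql_server.fog
  name                = "pe-sql-${each.key}"
  location            = azurerm_virtual_network.app.location
  resource_group_name = var.resource_group_name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "sql-${each.key}-connection"
    private_connection_resource_id = each.value.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }

  # Registers this server's A record in the zone automatically.
  private_dns_zone_group {
    name                 = "sql-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }
}

# Regional VNet integration so the web app's outbound traffic and DNS lookups
# go through the VNet and see the private zone.
resource "azurerm_app_service_virtual_network_swift_connection" "web" {
  app_service_id = azurerm_app_service.web.id
  subnet_id      = azurerm_subnet.app_integration.id
}

# Assumed app settings to merge into azurerm_app_service.web's app_settings:
#   WEBSITE_DNS_SERVER     = "168.63.129.16"  # resolve through Azure DNS in the VNet
#   WEBSITE_VNET_ROUTE_ALL = "1"              # send all outbound traffic via the VNet
```

A quick check after applying this is to resolve the listener name from a VM or the web app's console inside the VNet: it should return an address from azurerm_subnet.endpoints for the current primary, and the same lookup should flip to the other endpoint's address after a planned failover, with the connection string untouched.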


OK, thanks for that. I was able to successfully configure my SQL FO Group Private Link and my apps can talk to it also. So you can mark this as the answer. Thanks.


Hi @pallab, really glad it worked out for you. As you raised the thread only you could mark it as answer. Could you please do that as it could help others having similar queries?


@AnuragSharma-MSFT Hi Anurag, just got one more question before I close this thread. Can you please check with the product team whether I need to enable firewall rules for my on-prem folks who want to connect via VPN to the SQL DB Server? At the moment, public access to the Primary and Secondary SQL Server is disabled. The only rule I have set now is the VNET rule, allowing only my App Subnet to talk to the SQL Subnet.
So do I need to add another firewall rule for my on-prem CIDRs? I thought if you have enabled a private endpoint your on-prem should be connecting directly via ExpressRoute to the SQL Server, but that's not the case it seems. Could you please clarify this? Thanks.
