Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal

Virtual Network (VNet) services endpoints and rules extend the private address space of a Virtual Network to your Azure Database for MySQL server. For an overview of Azure Database for MySQL VNet service endpoints, including limitations, see Azure Database for MySQL Server VNet service endpoints. VNet service endpoints are available in all supported regions for Azure Database for MySQL.


Support for VNet service endpoints is only for General Purpose and Memory Optimized servers.

Create a VNet rule and enable service endpoints in the Azure portal

  1. On the MySQL server page, under the Settings heading, click Connection Security to open the Connection Security pane for Azure Database for MySQL. Next, click on + Adding existing virtual network. If you do not have an existing VNet you can click + Create new virtual network to create one. See Quickstart: Create a virtual network using the Azure portal

    Azure portal - click Connection security

  2. Enter a VNet rule name, select the subscription, Virtual network and Subnet name and then click Enable. This automatically enables VNet service endpoints on the subnet using the Microsoft.SQL service tag.

    Azure portal - configure VNet

    The account must have the necessary permissions to create a virtual network and service endpoint.

    Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.

    To secure Azure service resources to a VNet, the user must have permission to "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/" for the subnets being added. This permission is included in the built-in service administrator roles, by default and can be modified by creating custom roles.

    Learn more about built-in roles and assigning specific permissions to custom roles.

    VNets and Azure service resources can be in the same or different subscriptions. If the VNet and Azure service resources are in different subscriptions, the resources should be under the same Active Directory (AD) tenant.


    It is highly recommended to read this article about service endpoint configurations and considerations before configuring service endpoints. Virtual Network service endpoint: A Virtual Network service endpoint is a subnet whose property values include one or more formal Azure service type names. VNet services endpoints use the service type name Microsoft.Sql, which refers to the Azure service named SQL Database. This service tag also applies to the Azure SQL Database, Azure Database for PostgreSQL and MySQL services. It is important to note when applying the Microsoft.Sql service tag to a VNet service endpoint it configures service endpoint traffic for all Azure Database services, including Azure SQL Database, Azure Database for PostgreSQL and Azure Database for MySQL servers on the subnet.

  3. Once enabled, click OK and you will see that VNet service endpoints are enabled along with a VNet rule.

    VNet service endpoints enabled and VNet rule created

Next steps