Connect from Azure Web App to Azure SQL Database in another region using Private Link

Posted in Azure

If you have an Azure web app that is in one Azure region but you want to connect to a SQL database in another Azure region privately and you do not want to enable public access to the Azure SQL server then one way this can be achieved is by using a Private Link.

This can be useful if you want to have a region with another instance of your web app setup and ready that can be used in a failover scenario.

Assuming that you have already setup the following:

  • Azure SQL server in primary region.
  • Vnet in primary region.
  • Azure SQL in primary region firewall locked down to not allow public access (i.e. only access via your Vnet).
  • Azure Web App in secondary region.
  • Vnet in secondary region.

You now need to create a Private Link where you will select the secondary region in the subscription settings but select the primary SQL server in the resource settings and then select the secondary VNet in the configuration settings (screenshots below).

Full details of this setup can be found in the following Microsoft documentation but the part that can be a little bit confusing is point 3a in the "Deploy this scenario" section where you actually create the private link in the secondary region which I have explained below: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/sql-failover/app-service-private-sql-multi-region

 

Step 1

Create a new private endpoint and select your secondary resource group (the one for the region that doesn't contain the SQL server you are trying to connect to). It is best practice to have resources from different regions in their own resource group (according to Microsoft, see extract from Microsoft documentation below).

Give the private endpoint a name bearing in mind that this endpoint will actually show up in the SQL server on the primary region so it is good to differentiate it from the private endpoint you probably already have there that any local (i.e. local region) web apps connect through.

Select the region that contains your Web App you are trying to connect from (i.e. secondary region).

 

Step 2

Select the "Resource type" as "Microsoft.Sql/Servers" and then select the SQL server in the primary region (i.e. the Sql server you are trying to connect to from the secondary region).

 

Step 3

Select the "Virtual network (Vnet)" in your secondary region (i.e. the region containing the web app you will be connecting from).

Select the "PrivateLinkSubnet" in the secondary region.

Leave all the other settings as default like in the screenshot below.

You can now create this endpoint, what you will find is that this new endpoint will show up under "Private endpoint connections" on the SQL server in the primary region, it will also show up in the Vnet in your secondary region (i.e. the one with your web app) under "Connected devices" with an IP address from your secondary region Vnet IP range, the instructions on the Microsoft documentation linked above mentions in step 3c under "Deploy this scenario" about adding an A record into the DNS but this appears to have already been done so it should now work and you can connect to the SQL database in your primary region from a web app in the secondary region.