Azure Web App and SQL DB with Private Endpoint as PaaS


I am new to this private endpoint (PE) stuff. Here is my setup:

  1. VNet with 3 subnets (public, backend, frontend)
  2. Application deployed to Azure Web App (React), this webapp also has a PE in the frontend subnet
  3. Web App (API), PE in backend, public turned off
  4. Azure Function App run as scheduled job to update record in the DB, PE in the backend
  5. Azure SQL DB has PE in the backend, public turned off

So in total there are 2 Web Apps (React, API) & 1 Function App; the API & FA are the only ones that need to communicate with the DB to get the data. The React Web App is the only one exposed to the public with a PE, so this allows it to call the API. The issue is that the API/FA cannot talk to the DB; they keep getting "Reason: An instance-specific error occurred while establishing a connection to SQL Server. Connection was denied since Deny Public Network Access is set to Yes".

I thought that since they both have a PE in the same backend subnet as the DB, there shouldn't be a problem between the two, but it's not working. When I go to the API's advanced tools debug console and do an nslookup of the DB FQDN, it seems to be using the public IP of the DB instead of the PE. How can I go about allowing the API & FA to fully talk to the DB? I see that adding a VNet integration to the API seems to solve the problem, but I would need to create a subnet for each resource that uses the DB. This seems to be a waste of subnets, because once a subnet is assigned, it cannot be used for anything else. Am I missing something here?

This is just my sample, but in reality we have 5 Function Apps and 1 API needing to connect to the DB. The reality is we were given a set of VN for on-premise (32 addresses), so it doesn't seem efficient to create a subnet just to configure the integration. Thanks.

I added both resources to the same subnet as the DB and expected the Web App API & FA to be able to access the DB.

Gitarani Sharma

As per the Private Endpoints for App Service apps document,

A private endpoint is a special network interface (NIC) for your App Service app in a subnet in your virtual network. When you create a private endpoint for your app, it provides secure connectivity between clients on your private network and your app. The private endpoint is assigned an IP address from the IP address range of your virtual network. The connection between the private endpoint and the app uses a secure Private Link. A private endpoint is only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint. You can inject outgoing traffic into your network in a different subnet through the virtual network integration feature.

Virtual network integration is used only to make outbound calls from your app into your virtual network. Using virtual network integration enables your app to access:

  • Resources in the virtual network you're integrated with.
  • Resources in virtual networks peered to the virtual network your app is integrated with including global peering connections.
  • Resources across Azure ExpressRoute connections.
  • Service endpoint-secured services.
  • Private endpoint-enabled services.

Refer: https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

Outbound Traffic Flow from App Services to Azure services such as SQL and Storage:

This flow uses virtual network integration for the App Service, specifically to route traffic to private endpoints through the virtual network. Azure SQL Database will have public endpoints disabled. Azure service firewalls are used only to allow traffic from other authorized Azure services. And a private DNS zone is implemented for each service. The private DNS zone contains an A record that maps between the service's fully qualified domain name and the private endpoint private IP address. The zones are linked to the virtual network. Private DNS zone groups ensure that private link DNS records are automatically created and updated.

Consider the following points when implementing virtual network integration and private endpoints.

  1. Use the Azure services DNS zone configuration guidance for naming private DNS zones.

  2. Configure service firewalls to ensure the SQL Database and other Azure services can only be connected to privately.

  3. Deny public network access to Azure SQL.

Refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql#use-cases-of-private-link-for-azure-sql-database

https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/baseline-zone-redundant#flow-from-app-services-to-azure-services

Additional Information:

  • The virtual network integration feature cannot use the same subnet as a private endpoint; this is a limitation of the virtual network integration feature.

  • The subnet where you plug the private endpoint can have other resources in it, you don't need a dedicated empty subnet. You can also deploy the private endpoint in a different region than your app.

So, to connect to a private-endpoint-enabled SQL Database from your Azure App Service, you need to enable virtual network integration in Azure App Service.
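The nslookup symptom in the question (the DB FQDN resolving to a public IP from the Kudu debug console) and the private DNS zone mechanism in the answer can be checked mechanically. The following is an added example, not code from the question, the answer or Microsoft: it parses an nslookup transcript, decides whether the SQL FQDN resolved to an address inside the VNet (the private endpoint) or to the public gateway, and flags the telltale case where the CNAME chain passes through `privatelink.database.windows.net` yet ends at a public address, which is what you see when the app has no virtual network integration and therefore never consults the private DNS zone. The two transcripts, the VNet range `10.0.0.0/16` and the host names are constructed placeholders; `168.63.129.16` is the Azure-provided resolver.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed nslookup transcripts (not real resolutions), in the shape the
# App Service "Advanced Tools" (Kudu) debug console prints. 168.63.129.16 is
# the Azure-provided DNS resolver; 203.0.113.25 and 10.0.2.5 are placeholders.
NSLOOKUP_NO_VNET_INTEGRATION = """\
Server:  168.63.129.16
Address:  168.63.129.16

Non-authoritative answer:
Name:    cr1.example-region.control.database.windows.net
Address:  203.0.113.25
Aliases:  mydb.database.windows.net
          mydb.privatelink.database.windows.net
"""

NSLOOKUP_WITH_VNET_INTEGRATION = """\
Server:  168.63.129.16
Address:  168.63.129.16

Non-authoritative answer:
Name:    mydb.privatelink.database.windows.net
Address:  10.0.2.5
Aliases:  mydb.database.windows.net
"""

# Hypothetical VNet address space that contains the backend subnet.
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nslookup(transcript: str) -> Dict[str, List[str]]:
    """Split an nslookup transcript into the resolver address, the answer
    addresses, and the name chain (Name: plus Aliases:) that led to them."""
    resolver: Optional[str] = None
    answers: List[str] = []
    names: List[str] = []
    mode = None  # "addresses" inside an "Addresses:" block, "aliases" inside "Aliases:"
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            mode = None
            continue
        if line.startswith("Server:"):
            mode = None
        elif line.startswith(("Address:", "Addresses:")):
            mode = "addresses"
            for ip in IPV4.findall(line):
                if resolver is None:
                    resolver = ip  # the first address line is the resolver itself
                else:
                    answers.append(ip)
        elif line.startswith("Name:"):
            mode = None
            names.append(line.split(":", 1)[1].strip())
        elif line.startswith("Aliases:"):
            mode = "aliases"
            names.append(line.split(":", 1)[1].strip())
        elif mode == "addresses" and IPV4.fullmatch(line):
            answers.append(line)  # continuation line of an "Addresses:" block
        elif mode == "aliases":
            names.append(line)  # continuation line of an "Aliases:" block
    return {"resolver": [resolver] if resolver else [], "answers": answers, "names": names}


def diagnose(transcript: str, vnet_cidrs: List[str]) -> Dict[str, object]:
    """Report whether the FQDN resolved to the private endpoint (an address in
    the VNet) or to the public gateway, with the likely cause."""
    parsed = parse_nslookup(transcript)
    networks = [ipaddress.ip_network(c) for c in vnet_cidrs]
    private_hits = [a for a in parsed["answers"]
                    if any(ipaddress.ip_address(a) in n for n in networks)]
    saw_privatelink = any(".privatelink." in n for n in parsed["names"])
    if parsed["answers"] and len(private_hits) == len(parsed["answers"]):
        verdict = "private-endpoint"
        reason = "FQDN resolves inside the VNet; traffic will reach the private endpoint."
    elif saw_privatelink:
        verdict = "public"
        reason = ("CNAME chain passes through privatelink.database.windows.net but ends "
                  "at a public IP: the app is not consulting the private DNS zone, which "
                  "is what happens without virtual network integration. With public "
                  "network access denied on the SQL server, this connection is refused.")
    else:
        verdict = "public"
        reason = "FQDN resolves to a public IP with no privatelink alias in the chain."
    return {"verdict": verdict, "answers": parsed["answers"], "reason": reason}


if __name__ == "__main__":
    for label, text in (("no VNet integration", NSLOOKUP_NO_VNET_INTEGRATION),
                        ("with VNet integration", NSLOOKUP_WITH_VNET_INTEGRATION)):
        result = diagnose(text, VNET_ADDRESS_SPACE)
        print(f"{label}: {result['verdict']} {result['answers']} - {result['reason']}")
```

Run it against the real transcript by pasting the Kudu nslookup output into a string and passing your VNet's address space; a "public" verdict with a privatelink alias in the chain is the condition the answer above resolves by enabling virtual network integration on the app (and on each Function App) so that outbound DNS goes through the VNet-linked private DNS zone.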