
Hope you are doing well. I have a use case that I am trying to set up, but no success.

Let me explain it.

I have a premium web app integrated with an Azure VNet and connecting to SQL Azure using service endpoints (I have created a VNet rule for the SQL server by enabling the service endpoints). That works fine; no issue with that.

But there is a requirement that I need to connect to a different SQL Azure database that resides in a different Azure tenant and subscription, and their SQL database is not publicly accessible. They are fine to whitelist the public IP that I am connecting to. I told them the IP addresses of my Azure web app, but it seems this doesn't use the public IP when connecting to the remote SQL server when VNet integration and service endpoints are enabled. It tries to connect to the database using a private IP and service endpoints.

I have tried to create a private endpoint for the remote SQL server within the network the web app resides in, but it seems it does not work either (still trying).

I am not sure the problem is clear, but I need help if you have any idea.

Thanks.

alex

2 Answers


As your web app is integrated with a VNET (VNET1), your web app will be able to connect to the resources that are connected to that VNET and to the other peered VNETs.

If you want to connect to Azure SQL which is placed in a VNET in a different subscription and tenant (VNET2), you need to peer both VNETs (VNET1 & VNET2).

To peer the virtual networks in different subscriptions and tenants, you can refer to the below document: Create a VNet peering - different subscriptions | Microsoft Docs

RamaraoAdapa
  • Hi RamaraoAdapa, thanks for the answer, but vnet peering is not an option for us. This is a customer database, and we cannot tell them to create a vnet, attach the db to the vnet and peer to our vnet. It is not a solution for us. – alex Feb 09 '22 at 17:36
  • In that case, you need to remove the vnet integration of your web app and whitelist the web app IP address and outbound addresses in your customer vnet. – RamaraoAdapa Feb 10 '22 at 07:32
  • I believe this can be done with private endpoints. According to the below document, Azure service endpoints and private endpoints should work together. https://learn.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app – alex Feb 10 '22 at 08:48
  • If both the Azure web app and the SQL db are hosted in the same vnet or peered networks, then you can use private endpoints. – RamaraoAdapa Feb 10 '22 at 10:09

I think I was able to make this work by using the below reference.

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app

The problem was that when you add a new private endpoint by using a resource ID, it does not register its private DNS zone. That was the missing piece.

Thanks for the help.

alex
  • You are able to achieve it without connecting your VNET with your customer VNET? – RamaraoAdapa Feb 15 '22 at 17:45
  • This [post](https://stackoverflow.com/a/73759580/7950592) has detailed information on the required steps you would need for your scenario. I think you are mixing up private endpoints with vnet integration because according to the OP you are setting up an outbound connection to another tenant. – Cloudkollektiv Sep 22 '22 at 09:19
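The "missing piece" in the second answer (a private endpoint whose private DNS zone was never registered) shows up in DNS before it shows up as a connection error: the public name of an Azure SQL logical server is a CNAME to `<server>.privatelink.database.windows.net`, and only when that name is answered from a `privatelink.database.windows.net` private zone linked to the web app's VNet does the client receive the private endpoint address. The script below is an added example, not code from the question, the answers or the linked Microsoft article. It walks constructed DNS records for three situations (private zone linked, private endpoint approved but zone not linked, no private endpoint at all) and reports which path the app would take. All server names, IPs and records are made up; `PRIVATE_RANGES` is a stand-in for "the private endpoint NIC's address", which a real check would compare against directly.

```python
# Added diagnostic example; server names, IP addresses and DNS records are constructed.
from ipaddress import ip_address, ip_network

PRIVATELINK_SUFFIX = ".privatelink.database.windows.net"
# RFC 1918 space stands in for "the private endpoint NIC address" in this example.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_chain(name, zone, max_hops=8):
    """Follow CNAMEs through a constructed zone table.

    Returns the chain as a list of (name, rrtype, value); the last entry is an
    A record, or an NXDOMAIN marker if the chain dead-ends.
    """
    chain = []
    for _ in range(max_hops):
        rr = zone.get(name)
        if rr is None:
            chain.append((name, "NXDOMAIN", None))
            return chain
        rrtype, value = rr
        chain.append((name, rrtype, value))
        if rrtype != "CNAME":
            return chain
        name = value
    raise RuntimeError("CNAME loop or chain too long starting at %s" % chain[0][0])


def classify_path(fqdn, zone):
    """Classify how a client in the VNet would reach the server, from DNS alone.

    'private-endpoint'          - privatelink name answered with a private IP
    'private-dns-zone-missing'  - privatelink CNAME exists but resolved publicly
    'public'                    - no private endpoint on this server
    'unresolvable'              - no A record at the end of the chain
    """
    chain = resolve_chain(fqdn, zone)
    _, rrtype, value = chain[-1]
    if rrtype != "A":
        return "unresolvable"
    via_privatelink = any(n.endswith(PRIVATELINK_SUFFIX) for n, _, _ in chain)
    ip = ip_address(value)
    if via_privatelink and any(ip in net for net in PRIVATE_RANGES):
        return "private-endpoint"
    if via_privatelink:
        # The server has an approved private endpoint (hence the privatelink CNAME),
        # but the name fell through to public DNS: the private zone is not linked
        # to the VNet, which is the failure mode described in the second answer.
        return "private-dns-zone-missing"
    return "public"


# Constructed view from inside the web app's VNet when the private zone IS linked.
ZONE_WORKING = {
    "customer-sql.database.windows.net": ("CNAME", "customer-sql.privatelink.database.windows.net"),
    "customer-sql.privatelink.database.windows.net": ("A", "10.10.1.5"),
}

# Same server, private endpoint created by resource ID with no DNS zone group,
# so the privatelink name is answered by public DNS (constructed gateway name/IP).
ZONE_BROKEN = {
    "customer-sql.database.windows.net": ("CNAME", "customer-sql.privatelink.database.windows.net"),
    "customer-sql.privatelink.database.windows.net": ("CNAME", "sql-gateway-westeurope.example.net"),
    "sql-gateway-westeurope.example.net": ("A", "203.0.113.40"),
}

# A server with no private endpoint at all (the asker's own SQL server reached via
# service endpoints resolves like this: a public IP, with the traffic carried over
# the service endpoint rather than the internet).
ZONE_PUBLIC_ONLY = {
    "own-sql.database.windows.net": ("CNAME", "sql-gateway-westeurope.example.net"),
    "sql-gateway-westeurope.example.net": ("A", "203.0.113.40"),
}

if __name__ == "__main__":
    for label, fqdn, zone in (
        ("private zone linked", "customer-sql.database.windows.net", ZONE_WORKING),
        ("private zone missing", "customer-sql.database.windows.net", ZONE_BROKEN),
        ("no private endpoint", "own-sql.database.windows.net", ZONE_PUBLIC_ONLY),
    ):
        print("%-22s %-40s -> %s" % (label, fqdn, classify_path(fqdn, zone)))
```

To turn this into a real check, replace the constructed zone tables with what the app actually resolves from inside its VNet (the `nameresolver` tool in the App Service console gives the same CNAME/A chain). A `private-dns-zone-missing` result means the private endpoint exists and was approved on the customer's server, but the web app's VNet is not linked to the `privatelink.database.windows.net` zone carrying its A record, so the connection still goes to the public gateway and is refused by the customer's "not publicly accessible" setting.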