az network private-endpoint list --resource-group <resource-group> --output tableAzure SQL private endpoint
A database capability or setting in Azure SQL Database that helps teams store, query, scale, secure, and recover application data with clearer ownership, safety, and operational context.
Source: Microsoft Learn - Azure Private Link for Azure SQL Database Reviewed 2026-05-30
- Exam trap
- Disabling public network access before proving DNS resolution and connectivity from every production client network.
- Production check
- Run a name-resolution test from the application subnet and confirm the SQL name returns the private endpoint address.
Article details and learning context
- Aliases
- Azure SQL private endpoint, azure-sql-private-endpoint, azure-sql-database, azure-sql-logical-server, private-endpoint, private-dns-zone, vnet-peering, managed-identity, app-service-vnet-integration, azure-sql-firewall-rule, service-endpoint
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-30
- Article depth
- field-manual-complete
Understand the concept
In plain English
An Azure SQL private endpoint gives applications a private network path to Azure SQL Database instead of relying on the public SQL endpoint. The database service is still managed by Azure, but clients resolve the server name to a private IP address inside an approved virtual network. In plain terms, it lets teams keep database traffic inside known network boundaries, remove broad firewall openings, and prove that only selected networks can reach production data. The hard parts are usually DNS, approval state, and which clients actually use the private route.
Why it matters
Azure SQL private endpoints matter because many database incidents are really exposure, routing, or DNS incidents. A server can have strong passwords and encryption, yet still accept traffic from places the organization never intended. Private endpoints help teams move from open firewall exceptions to explicit network placement, which is easier to review during audits and incident response. They also make migration designs cleaner when applications run in App Service, AKS, virtual machines, or data integration runtimes that already sit inside controlled VNets. Misconfigured private endpoints can break every connection just as quickly, so the value comes from pairing private access with clear DNS ownership, approval workflow, and rollback steps.
Official wording and source
Microsoft Learn explains that an Azure SQL private endpoint uses Azure Private Link to give a logical SQL server a private IP address in a virtual network subnet. Clients reach the database over private networking while Azure SQL stays managed; DNS and private endpoint approval control how traffic resolves.
Technical context
Technically, this term sits at the boundary between Azure SQL Database, Azure Private Link, virtual networking, and DNS. A private endpoint creates a network interface in a subnet and connects it to the SQL server private link resource using the SQL server group ID. Client name resolution usually depends on the privatelink.database.windows.net private DNS zone or equivalent custom DNS forwarding. It affects control-plane settings such as endpoint approval and public network access, while data-plane connections still authenticate through SQL identities, Microsoft Entra, or application credentials.
Exam context
What to know
operator-ready
Compare with
Where it is used
Where you see it
- In the SQL server Networking blade, private endpoint connections show approval state, target subresource, public network access posture, and whether database access depends on Private Link.
- In Azure CLI output, private endpoint and private DNS commands expose the endpoint NIC, connection state, subnet, zone records, linked virtual networks, and subscription evidence for deployment reviews.
- During connection troubleshooting, nslookup or dig from an app subnet should resolve the SQL server name to the private endpoint address, not the public endpoint.
Common situations
- Move production database access behind Private Link before disabling public network access on a SQL logical server.
- Migrate App Service, AKS, VM, or integration-runtime clients to a private database path without changing the SQL server name.
- Prove to auditors that regulated SQL workloads are reachable only from approved VNets and private DNS paths.
- Troubleshoot connection failures where SQL is healthy but endpoint approval, DNS zone links, or resolver forwarding is wrong.
- Standardize hub-and-spoke database connectivity so new application teams do not create ad hoc firewall exceptions.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Insurance claims platform removes public SQL exposure Scenario, objectives, solution, measured impact, and takeaway.
A specialty insurance processor ran claims APIs on App Service and allowed Azure SQL Database through several public firewall exceptions. A vendor IP change broke claim submission during a storm event and exposed how fragile the access model had become.
- Remove public SQL firewall dependencies for production APIs.
- Keep claim submission latency under 500 milliseconds at peak.
- Provide auditors with proof of private database reachability.
- Preserve rollback access during the first release window.
The platform team created an Azure SQL private endpoint in the application spoke VNet and linked the privatelink.database.windows.net private DNS zone to the App Service integration network. They approved the private endpoint connection on the SQL logical server, tested name resolution from the App Service subnet, and kept public network access enabled only during a two-hour validation window. Azure CLI exported the endpoint state, DNS records, VNet links, and SQL public network access setting into the change record. Application Insights confirmed that the same API connection strings continued to work because the server name now resolved privately. After successful tests, the team disabled public network access and removed the old vendor firewall rules.
- Public SQL firewall exceptions dropped from eleven to zero.
- Peak claim API p95 latency stayed at 312 milliseconds after the routing change.
- Audit evidence collection fell from two days to forty minutes.
- A later vendor IP rotation caused no database outage or emergency firewall request.
Azure SQL private endpoints are most valuable when they replace fragile public firewall rules with a tested, DNS-backed private access path.
Scenario 02 University lab isolates research database access Scenario, objectives, solution, measured impact, and takeaway.
A university genomics lab stored controlled research metadata in Azure SQL Database, but analysts connected from lab workstations, batch VMs, and notebooks using inconsistent network paths.
- Route approved research workloads through a private endpoint.
- Separate analyst workstation access from automated compute access.
- Reduce connection failures caused by split DNS behavior.
- Document a repeatable onboarding pattern for new research projects.
The cloud team placed the Azure SQL private endpoint in a dedicated research services subnet and connected lab networks through the existing hub resolver. They configured conditional forwarding so the SQL server name resolved to the private IP from batch VMs and secured notebooks, while analyst workstations used a bastion-supported path for administrative work. The team used Azure CLI to compare private DNS links, endpoint approval state, and public network access before moving each project. A scripted smoke test ran from every approved compute subnet and recorded SQL login success, name resolution, and round-trip timing. Public access stayed limited to a temporary exception until project owners signed off on the private path.
- Failed analyst connection tickets dropped by 64 percent in the first month.
- All automated genome jobs used the private IP path after migration.
- New project onboarding time fell from five days to one day.
- The lab passed its data-access review without adding workstation firewall rules.
Private endpoint design succeeds only when DNS behavior is tested from the real client networks that use the database.
Scenario 03 Factory telemetry service survives network audit Scenario, objectives, solution, measured impact, and takeaway.
A manufacturer collected machine telemetry in regional APIs and wrote summarized results to Azure SQL Database. A corporate audit required proof that plant networks could not bypass the approved private connectivity path.
- Constrain SQL access to approved plant and cloud networks.
- Keep telemetry ingestion available during DNS cutover.
- Support regional failover testing without changing application code.
- Create reusable evidence for plant-by-plant audits.
Engineers added private endpoints for the SQL server in two regional spokes and standardized private DNS links through the hub network. They verified that plant VPN routes reached only the approved subnets and that telemetry APIs resolved the unchanged SQL server name to the closest private endpoint. The team used Azure CLI to export private endpoint resource IDs, connection states, private DNS records, route table associations, and public network access settings. A failover drill temporarily moved application traffic to the secondary region while operators watched SQL connection success and DNS cache behavior. After the drill, the security team approved disabling all remaining public access exceptions.
- Plant SQL access findings were reduced from seven high-risk exceptions to zero.
- Telemetry ingestion stayed above 99.95 percent during DNS cutover.
- Failover validation completed in fifty-two minutes instead of the planned four hours.
- Audit evidence was reused for twelve plants without rewriting the control narrative.
For distributed operations, Azure SQL private endpoints turn database access into a repeatable network control that auditors and operators can both verify.
Azure CLI
As an Azure engineer, I use Azure CLI for SQL private endpoints because the portal hides too much context across blades. One outage can involve a SQL server, a private endpoint NIC, a private DNS zone, VNet links, public network access, and pending connection approval. CLI commands let me pull that evidence into one terminal transcript, compare environments, and prove whether the problem is DNS, endpoint state, firewall posture, or identity. The CLI is also safer for production reviews because read-only queries can be scripted before any change, and the exact commands become a repeatable runbook for future deployments under pressure.
Useful for
- List SQL-related private endpoint connections and confirm whether each connection is approved, pending, rejected, or disconnected before a deployment window.
- Show the SQL server public network access setting and compare it with the approved private endpoint design for the environment.
- Export private DNS zone records and VNet links to prove which networks resolve the SQL server through Private Link.
- Create or update a private endpoint from a reviewed script so subnet, group ID, DNS integration, and tags stay consistent.
- Compare dev, test, and production endpoint names, subnets, approval states, and DNS zones to detect drift before a migration.
Before you run a command
- Confirm the tenant, subscription, resource group, SQL server name, VNet, subnet, and DNS resource group because the objects often live in different teams' scopes.
- Check permissions for Microsoft.Sql, Microsoft.Network, private endpoint approval, DNS zone changes, and any custom role used by deployment automation.
- Use read-only commands first; creating endpoints, changing public network access, or modifying DNS can break every application using the server name.
- Verify the region, subnet capacity, private DNS zone naming, and whether custom DNS forwarding is required before running create or update commands.
- Decide the output format in advance, usually JSON for evidence and table output for quick triage during incident calls.
What the output tells you
- Connection state tells whether the SQL resource owner has approved the endpoint and whether clients should be able to use the private path.
- Subnet, NIC, and private IP fields identify where the endpoint actually landed, which is essential when multiple spokes or environments exist.
- Private DNS records show whether the SQL server name resolves to the private endpoint address for linked networks.
- Public network access output tells whether the server still permits public reachability while the private path is being validated.
- Resource IDs and group IDs confirm that the endpoint targets the intended SQL logical server and not another database resource.
Mapped commands
Azure SQL private endpoint CLI commands
direct-or-adjacentaz network private-endpoint show --name <endpoint-name> --resource-group <resource-group> --output jsonaz network private-endpoint-connection list --id <sql-server-resource-id> --output tableaz sql server show --name <sql-server-name> --resource-group <resource-group> --query publicNetworkAccessaz network private-dns record-set a list --zone-name privatelink.database.windows.net --resource-group <dns-resource-group> --output tableArchitecture context
Architecturally, an Azure SQL private endpoint is not just a checkbox on the database. It is a contract between the application network, the DNS design, and the data platform boundary. In a hub-and-spoke estate, I want the endpoint placed in the right spoke or shared services subnet, DNS resolution tested from every client network, and public access reduced only after the private path is proven. App Service VNet integration, AKS egress, private agents, Azure Data Factory, and jump hosts all need to resolve the same SQL name consistently. For resilient designs, the endpoint also has to align with failover groups, region pairing, and operational access during recovery.
- Security
- Security impact is direct because the endpoint changes who can reach the SQL server over the network. It does not replace SQL authentication, Microsoft Entra access, encryption, auditing, or least-privilege database roles, but it narrows the network path attackers can use. Review who can create private endpoints, approve private endpoint connections, change DNS zone links, or re-enable public network access. Use Azure Policy to audit public exposure, private endpoint presence, and private DNS configuration where possible. Treat DNS as security-relevant configuration, because a wrong record can send clients back to public resolution or to an endpoint in the wrong boundary.
- Cost
- The private endpoint has direct cost through Private Link resources and data processing, and indirect cost through the supporting DNS, networking, and operations model. It may also reduce cost by avoiding overbuilt jump-host patterns, broad VPN dependencies, or duplicated database tiers created only for isolation. FinOps reviews should track private endpoints per environment, unused endpoints after migrations, and data transfer patterns across regions or peered networks. The expensive mistake is treating every database as needing a separate, unmanaged private endpoint without shared standards. Standardized naming, lifecycle cleanup, and tagged ownership keep security architecture from turning into hidden networking spend over time.
- Reliability
- Reliability depends on DNS correctness, endpoint provisioning state, subnet capacity, and the client path to the private IP. A healthy SQL database can look down if the private DNS zone is not linked, the custom resolver is misconfigured, or a private endpoint connection remains pending. Production designs should test resolution from each workload network, document public-access rollback choices, and include private endpoint checks in failover drills. If a SQL failover group or regional recovery plan exists, verify how clients resolve the listener after failover. The blast radius is high because one bad DNS change can affect every application using the server name.
- Performance
- Performance impact is usually about routing predictability rather than faster SQL execution. A private endpoint can reduce internet exposure, but query speed still depends on schema, compute tier, connection pooling, and application behavior. Latency can improve when clients and endpoints are regionally close, or worsen when DNS sends traffic through a hub, firewall, resolver, or distant network path unnecessarily. Measure from the application subnet, not only from an administrator laptop. For high-throughput systems, confirm connection policy, regional placement, DNS resolver latency, and any inspection devices on the path. Private access should make traffic safer without creating a hidden network bottleneck.
- Operations
- Operators inspect SQL private endpoints during migrations, security reviews, failed deployments, and connection incidents. Useful runbooks record the SQL server resource ID, private endpoint name, subnet, network interface, connection state, private DNS zone, VNet links, and public network access setting. During troubleshooting, check name resolution from the client, not just the portal status. Then compare endpoint approval, DNS records, route tables, NSGs, and SQL audit logs. Change management should capture before-and-after CLI output, because private networking problems often cross database, network, platform, and application teams. Ownership must be explicit, documented, and tested or nobody will maintain the DNS path.
Common mistakes
- Disabling public network access before proving DNS resolution and connectivity from every production client network.
- Creating the endpoint in the wrong spoke subnet, then troubleshooting SQL authentication when the real failure is routing or DNS.
- Forgetting that private endpoint approval and private DNS zone links are separate pieces of the design.
- Using a local administrator laptop to test connectivity instead of testing from the actual app subnet or build agent.
- Allowing broad contributor access to create private endpoints without central review of names, DNS, tags, and network boundaries.