General availability of VNet Service Endpoints for Azure SQL Data Warehouse

This blog post was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking.

We’re excited to share the general availability of Virtual Network (VNet) Service Endpoints for Azure SQL Data Warehouse in all Azure regions. Azure SQL Data Warehouse is a fast, flexible, and secure cloud data warehouse tuned for running complex queries fast and across petabytes of data.

VNet Service Endpoints enable you to isolate connectivity to your logical server from a given subnet or set of subnets within your virtual network. The traffic to Azure SQL Data Warehouse from your VNet will always stay within the Azure backbone network. This direct route will be preferred over any specific routes that take Internet traffic through virtual appliances or on-premises. There is no additional billing for virtual network access through service endpoints. Current pricing model for Azure SQL Data Warehouse applies as is.

With this release, we also enabled PolyBase connectivity to Azure Data Lake Storage Gen2 (ADLS) via Azure Blob File System (ABFS) driver. Azure Data Lake Storage Gen2 brings all the qualities that are required for the full lifecycle of analytics data to Azure Storage. It is the result of converging the capabilities of our two existing storage services, Azure Blob Storage, and Azure Data Lake Storage Gen1. Features from Azure Data Lake Storage Gen1, such as file system semantics, file-level security, and scale are combined with low-cost, tiered storage, and high availability/disaster recovery capabilities from Azure Blob Storage.VNETDiagram

Using Firewall rules and VNet Service Endpoints together

Turning on VNet Service Endpoints does not override Firewall rules that you have provisioned on your logical SQL Server or Azure SQL Data Warehouse. Both continue to be applicable.

VNet Service Endpoints don’t extend to on-premises. To allow access from on-premises, Firewall rules can be used to limit connectivity only to your public (NAT) IPs.

To enable VNet protection, first enable service endpoints for SQL in the VNet as follows:

VNet Service Endpoints

On the logical SQL Server, you can allow access to multiple subnets belonging to one or more VNets. It is also possible for you to configure Firewall rules in conjunction to your VNet rules.

SQL VNet

PolyBase connectivity to Azure storage account secured to VNet

With this release, we also enabled Polybase connectivity to Azure storage account secured to VNet. Please follow steps described in this guide for enabling PolyBase import and export scenarios with Azure storage account secured to VNet.

PolyBase connectivity to Azure storage account example

Turning on service endpoints for servers with pre-existing firewall rules

When you connect to your server with service endpoints turned on, the source IP of SQL connections will switch to the private IP space of your VNet. If at present, your server or database firewall rules allow specific Azure public IPs, then the connectivity will break until you allow the given VNet/subnet by specifying it in the VNet firewall rules. To ensure connectivity, you can preemptively specify VNet firewall rules before turning on service endpoints by using IgnoreMissingVNetServiceEndpoint flag.

Next steps

Source: Azure Blog
Source Link: General availability of VNet Service Endpoints for Azure SQL Data Warehouse