How to connect your Linux Web Application to a SQL database via Private Endpoint

SQL Database

As we are concentrating more on security aspects, one of the key considerations is to restrict public access to the database. By keeping the above-mentioned point in mind, how can I connect my Web App to a database privately?  

This scenario is possible in Azure with the help of Private Endpoint. But there are few key prerequisites or limitations which comes along with setup. Let me list them here.  

  • VNET which you integrate with Web App, and the Web App must be in the same region.  
  • Web App must be Linux based deployment. 
  • App Service SKU needs to be Premium.  


  • All resources VNET, Private Endpoint, Cosmos DB, App Service are deployed in the same region Canada East.

  • VNET integration needs to be configured between App Service and the Virtual Network where the Private Endpoint are deployed.  
VNet Integration
  • During the creation of Private Endpoint, Private DNS Zone named “” gets created. You can find A record with the name of your Cosmos DP pointing to a Private IP address of Private Endpoint. Based on the number of replications you select; corresponding Private Endpoints gets created. 

Also Read: How To Get SQL Certification In 2023?
  • If you have RBAC to both Private endpoint and the Cosmos DB, connection from Private Endpoint to the Cosmos DB gets approved automatically. 

    Private Endpoint 
  • In order to get this setup working, you need to forward DNS queries to Azure DNS by configuring “WEBSITE_DNS_SERVER” in App setting.

  • You should also force all the traffic from the Web App to the Virtual Network to get this setup working. To do that configure “WEBSITE_VNET_ROUTE_ALL = 1” in App Setting.  

With this setup, lets test and check how it works.  

  1. In order to test, navigate to the Advance tool of the Web App. This will land you to a new window where you can select Bash console.  
  2. Use tcpping tool to check layer 4 connectivity to the Cosmos DB 
Kudu Remote Execution Console
  1. In order to prove that the traffic is going via Private Endpoint, navigate to the Cosmos DB and select Firewall and virtual Networks. You can see there is no public access as we have enabled Private Endpoint. 
    Microtek - Firewall and virtual network 

Also Read: Azure Synapse SQL – Serverless Sql Pool

Hope this blog is useful to secure your Infrastructure by leveraging Azure Private Endpoints. 

Visit our site for more useful blogs.

If you still have any doubt, watch How to connect your Linux Web Application to a SQL database via Private Endpoint video on our YouTube channel.

You might also like

Leave a Reply

Your email address will not be published. Required fields are marked *