Set up privatelink to Azure SQL Database
Your Azure administrator needs to complete several steps—you may not have the required permissions yourself.
Azure Private Link creates a secure, private connection between services running in Azure. This document describes the steps to set this up between Azure SQL Database and Atlan across two Azure subscriptions.
Unlike SQL Server on a Virtual Machine (IaaS), Azure SQL Database is a fully managed PaaS service. Azure natively supports Private Endpoint creation directly on the Azure SQL logical server—eliminating the need for a load balancer or Private Link Service in your subscription.
The Private Endpoint must be created in the same Azure region as your Azure SQL logical server. Cross-region Private Link isn't supported for Azure SQL Database.
Prerequisites
Your side (Producer—Subscription A)
You must already have the following:
- An active Azure SQL logical server (for example, your-server.database.windows.net) in a supported Azure region.
- An Azure subscription with Contributor or Owner role permissions for the relevant resource group.
- The full Resource ID of your Azure SQL logical server (retrievable from Azure Portal → SQL Servers → [Your SQL Server] → Properties → Resource ID).
- Network policy for private endpoints disabled on the target subnet, if applicable.
You need to share your Azure SQL Resource ID with Atlan during this process. If you don't already have it, retrieve it before proceeding.
Atlan's side (Consumer—Subscription B)
Atlan needs the following from you before proceeding:
- The full Azure SQL logical server Resource ID.
- Optionally, the fully qualified domain name (FQDN) of your Azure SQL server (for example, your-server.database.windows.net) for DNS verification purposes.
Retrieve and share Azure SQL Resource ID
The first step is to retrieve your Azure SQL logical server's Resource ID and share it securely with the Atlan Support team.
To retrieve the Resource ID:
- Log in to the Azure Portal.
- Navigate to SQL Servers → [Your SQL Server] → Properties.
- Copy the full Resource ID. It follows this format:
/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Sql/servers/<server-name>
- Contact Atlan support and share the Resource ID securely.
Once Atlan receives the Resource ID, the team creates a Private Endpoint in the Atlan subscription targeting your Azure SQL logical server. The connection remains in a Pending state until you approve it in the next step.
Approve private endpoint connection
After Atlan creates the Private Endpoint, a pending connection request appears in your Azure portal. You must explicitly approve this request before DNS resolution and connectivity can function.
To approve the connection:
- In the Azure Portal, navigate to SQL Servers → [Your SQL Server].
- In the left-hand menu, select Security → Private endpoint connections.
- Locate the pending connection request from Atlan (identifiable by the private endpoint name or the requesting subscription ID).
- Select the request and click Approve.
- Optionally, enter an approval message (for example, Approved for Atlan data catalog access) and click Yes to confirm.
- Confirm that the connection status updates to Approved.
After approval, Azure propagates the status to Atlan's Private Endpoint within a few minutes. The endpoint NIC receives a private IP from Atlan's subnet, and DNS resolution begins resolving your SQL FQDN to this private IP.
Verify connectivity
After the connection is approved, both teams validate that DNS resolution and network connectivity are functioning correctly.
Atlan performs the DNS and connectivity checks from within its own VNet. You don't need to take action for this step unless issues arise.
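The check below is an added example, not a script from the original page or from Atlan: it shows the shape of the DNS and port verification described above, written as a POSIX shell script. It assumes `dig` and `nc` are installed and that it runs on a host using the VNet's resolver (Atlan's VNet, or a producer VM linked to the same private DNS zone). The `privatelink.database.windows.net` zone name and the RFC 1918 expectation come from the troubleshooting table on this page.

```shell
#!/bin/sh
# DNS and port check for an approved Azure SQL private endpoint (added example).
# Expected resolution after approval:
#   <server>.database.windows.net -> <server>.privatelink.database.windows.net -> 10.x.x.x

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one resolution result. Inputs: the CNAME chain (space separated) and the
# final address. Prints: private-ok | public-ip | no-privatelink-cname | no-answer
classify_resolution() {
  cnames=$1; ip=$2
  [ -n "$ip" ] || { echo no-answer; return 0; }
  case " $cnames " in
    *privatelink.database.windows.net*) ;;          # private DNS zone is in the path
    *) echo no-privatelink-cname; return 0 ;;
  esac
  if is_rfc1918 "$ip"; then echo private-ok; else echo public-ip; fi
}

# Resolve the FQDN, classify the answer, and probe TCP/1433 only when DNS is right,
# so a connection timeout is not mistaken for a DNS problem.
check_sql_privatelink() {  # arg: your-server.database.windows.net
  fqdn=$1
  answers=$(dig +short "$fqdn" | sed 's/\.$//')   # CNAME targets first, A record last
  ip=$(printf '%s\n' "$answers" | tail -n 1)
  cnames=$(printf '%s\n' "$answers" | sed '$d' | tr '\n' ' ')
  verdict=$(classify_resolution "$cnames" "$ip")
  echo "$fqdn -> ${ip:-<none>} [$verdict]"
  [ "$verdict" = private-ok ] || return 1
  nc -z -w 5 "$fqdn" 1433 && echo "TCP/1433 reachable through the private endpoint"
}

if [ -n "${1:-}" ]; then
  check_sql_privatelink "$1"
fi
```

A `public-ip` verdict with the privatelink CNAME present points at the private DNS zone not being linked to the VNet; `no-privatelink-cname` means the query never reached the privatelink path at all.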
Disable public access (recommended)
To make sure that all access flows exclusively through the private endpoint, disable public network access on your Azure SQL server:
- In the Azure Portal, navigate to SQL Servers → [Your SQL Server] → Security → Networking → Public access.
- Set Public network access to Disable.
- Click Save.
Disabling public access ensures that only traffic routed through the approved Private Endpoint can reach your Azure SQL database. This is the recommended security posture for production environments.
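The script below is an added example, not part of the original page or Atlan's tooling: it collects the producer-side steps of this document (retrieve and sanity-check the Resource ID, list and approve the pending private endpoint connection, disable public network access) as Azure CLI commands. It assumes the `az` CLI is logged in to the subscription that owns the SQL logical server, and that the `SQL_SERVER` and `RESOURCE_GROUP` placeholders are replaced with your own values.

```shell
#!/bin/sh
# Azure CLI equivalents of the portal steps on the producer side (added example).
set -eu
SQL_SERVER="${SQL_SERVER:-your-server}"      # logical server name, without the FQDN suffix
RESOURCE_GROUP="${RESOURCE_GROUP:-your-rg}"

# Check a Resource ID before sharing it with Atlan. The expected format is
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.Sql/servers/<name>;
# a wrong ID is the "Resource not found" case in the troubleshooting table.
validate_sql_resource_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/]+/providers/Microsoft\.Sql/servers/[^/]+$'
}

# Step 1: retrieve the Resource ID (same value as Portal -> Properties -> Resource ID).
get_sql_resource_id() {
  az sql server show --name "$SQL_SERVER" --resource-group "$RESOURCE_GROUP" \
    --query id --output tsv
}

# Step 2: show pending connections on the server with the requesting private endpoint,
# then approve only the one you recognise as Atlan's.
list_pending_connections() {
  az network private-endpoint-connection list --name "$SQL_SERVER" \
    --resource-group "$RESOURCE_GROUP" --type Microsoft.Sql/servers \
    --query "[?properties.privateLinkServiceConnectionState.status=='Pending'].{id:id, requester:properties.privateEndpoint.id}" \
    --output table
}
approve_connection() {  # arg: a connection ID taken from list_pending_connections
  az network private-endpoint-connection approve --id "$1" \
    --description "Approved for Atlan data catalog access"
}

# Step 3: disable public network access so only the approved private endpoint can
# reach the server, and read the setting back (it should report Disabled).
disable_public_access() {
  az sql server update --name "$SQL_SERVER" --resource-group "$RESOURCE_GROUP" \
    --enable-public-network false --query publicNetworkAccess --output tsv
}

if [ "${1:-}" = "run" ]; then
  rid=$(get_sql_resource_id)
  validate_sql_resource_id "$rid" || { echo "unexpected Resource ID format: $rid" >&2; exit 1; }
  echo "Share this Resource ID with Atlan support: $rid"
  list_pending_connections
fi
```

Approve and disable public access as separate calls (`approve_connection <id>`, then `disable_public_access`) once you have confirmed which pending connection belongs to Atlan.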
Troubleshooting
| Issue | Likely cause | Resolution |
|---|---|---|
| Private Endpoint stuck in Pending state | You haven't yet approved the connection | Navigate to SQL Servers → [Your SQL Server] → Security → Private endpoint connections and approve the request |
| DNS resolves to a public IP instead of a private IP | Private DNS Zone not linked to Atlan's VNet, or DNS zone not created | Atlan must verify that the privatelink.database.windows.net DNS zone exists and is linked to Atlan's VNet |
| Connection timeout on port 1433 | NSG or subnet policy blocking inbound traffic, or DNS still resolving to a public endpoint | Check NSG rules on Atlan's subnet; verify DNS resolution returns a private RFC-1918 IP |
| Resource not found when creating Private Endpoint | Incorrect Resource ID, or SQL server deleted or moved | Re-confirm the Resource ID with Atlan; verify the SQL server exists in the expected region and subscription |
| Connection approved but application can't connect | Application connection string uses a public FQDN bypassing DNS, or SQL firewall rule missing | Make sure the application uses the standard FQDN (not an IP); confirm the Azure SQL firewall doesn't have a blanket deny-all rule overriding private access |
The connection is now established. You can now use Azure Private Link to crawl Microsoft SQL Server in Atlan! 🎉