Important
The Microsoft SQL Server connector is in Public Preview.
Azure SQL Database provides firewall settings to control network access from external systems, including Lakeflow Connect. The ingestion gateway for the SQL Server connector is deployed on classic compute, in the context of the virtual network (VNet) associated with an Azure Databricks workspace.
The following steps outline how to configure your Azure SQL Database firewall to allow access from Azure Databricks classic compute using either service endpoints or private endpoints within a classic VNet injection setup.
Deploy Azure Databricks with VNet injection
Make sure that your Azure Databricks workspace is deployed within your own VNet. This setup allows for enhanced network security and control. For more information, see Deploy Azure Databricks in your Azure virtual network (VNet injection).
Option 1: Configure access using service endpoints
Service endpoints allow you to extend your VNet's identity to Azure services over a direct connection. To set up service endpoints for Azure SQL Database:
- Enable service endpoints on the subnet: In the Azure portal, navigate to your VNet and select the subnet where your Databricks instances are deployed. Enable the Microsoft.Sql service endpoint for this subnet.
- Add a virtual network rule to Azure SQL Server: After enabling the service endpoint, add a virtual network rule to your Azure SQL Server to allow traffic from the subnet. You can do this in the Azure portal under the SQL Server's networking settings. For more information, see Use virtual network service endpoints and rules for servers in Azure SQL Database in the Azure documentation.
Option 2: Configure access using private endpoints
Private endpoints provide a secure, private connection to Azure services by assigning them a private IP address within your VNet. To set up a private endpoint for Azure SQL Database, do the following:
- Create a private endpoint: In the Azure portal, navigate to your Azure SQL Server's networking settings and create a new private endpoint. Select the VNet and subnet where your Databricks instances are deployed.
- Configure DNS Settings: Ensure that your DNS settings are configured to resolve the Azure SQL Server's hostname to the private IP address assigned to the private endpoint. This may involve setting up a private DNS zone and linking it to your VNet. For more information, see Azure Private Link for Azure SQL Database and Azure Synapse Analytics in the Azure documentation.
Verify connectivity from Azure Databricks to Azure SQL Database
To confirm that your Azure Databricks workspace can successfully connect to your Azure SQL Database, you can perform network connectivity tests using tools like ping and nc (netcat).
For example, you can run the following command in a Databricks notebook to check TCP connectivity to the SQL database's port (default: 1433) with Netcat.
%sh
nc -zv <your-sql-server-name>.database.windows.net 1433
If the nc command reports a successful connection, it confirms that your Databricks cluster can reach the Azure SQL Database endpoint over the network. If it fails, review your network security group (NSG) rules, firewall settings, or service endpoint configurations to ensure that traffic is allowed between your Databricks workspace and Azure SQL Database.
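The nc test shows that the port is reachable but not which path the traffic takes. The following Python check is an added example, not code from the original page or from Databricks or Microsoft. It confirms that the server name resolves the way the chosen option implies, then repeats the TCP test. It assumes that with a private endpoint (Option 2) the name resolves to an RFC 1918 address in your VNet, and that with a service endpoint (Option 1) it still resolves to a public address. The function names, hostname and addresses in the sample run are constructed.

```python
import ipaddress
import socket

# RFC 1918 ranges: a private endpoint's IP is allocated from the VNet's address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(host, port=1433):
    """Return the IPv4 addresses the cluster's DNS gives for host."""
    infos = socket.getaddrinfo(host, port, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """'private' if all addresses are RFC 1918, 'public' if none are, else 'mixed'."""
    if not addresses:
        return "unresolved"
    flags = {any(ipaddress.ip_address(a) in net for net in RFC1918) for a in addresses}
    if len(flags) == 2:
        return "mixed"
    return "private" if flags == {True} else "public"

def tcp_reachable(host, port=1433, timeout=5.0):
    """Equivalent of `nc -zv host port`: True if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(host, expect, port=1433, resolver=resolve, prober=tcp_reachable):
    """expect is 'private' (Option 2) or 'public' (Option 1, service endpoint)."""
    try:
        addresses = resolver(host, port)
    except socket.gaierror:
        addresses = []  # name did not resolve at all
    kind = classify(addresses)
    return {
        "addresses": addresses,
        "dns": kind,
        "dns_ok": kind == expect,
        "tcp_ok": bool(addresses) and prober(host, port),
    }

if __name__ == "__main__":
    # Constructed answers standing in for real DNS and TCP results (runs offline).
    # In a notebook: check("<your-sql-server-name>.database.windows.net", "private")
    fake_dns = lambda host, port: ["10.20.30.4"]
    print(check("sqlsrv.example.invalid", "private", resolver=fake_dns, prober=lambda h, p: True))
```

A result with `tcp_ok` true but `dns_ok` false under Option 2 means the connection succeeds over the public endpoint, which points to a missing or unlinked private DNS zone rather than a firewall problem.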