How to restrict access for a private endpoint
A private endpoint of Azure SQLDB is created, and it can be accessed with Private IP via Express Route from on-premises.
Since the NSG of the subnet does not act on the endpoint, the private endpoint can be accessed from anywhere on-premises.
Is there any way to restrict the connection source IP address for Private endpoint on Azure side?
Please also remove the "InterfaceEndpoint" /32 route that is added to every route table in a VNet (and every route table in a peered VNet) for each private endpoint that is created. If you want to route your traffic through a NVA then you are forced to overwrite the system route with user route. Not only is this a maintenance burden, but combined with the 400 route limit on route tables you are forced to ration what traffic you want to route through the NVA.
Guilherme Santos commented
Seriously, Microsoft... This is basic stuff. How can you release a "private" networking solution that doesn't enable your customers to define networking restrictions? It's baffling TBH.
Shane Carlson commented
I would also like to see inbound NSG or something like how Service Endpoint can control access by source now. We have a micro-segmentation security policy and I don't have a way to extend that as of now.
Now, we cannot restrict the communications to Private Endpoint with inbound NSG rules.
Private endpoint enables connectivity between the consumers from the same VNet, regionally peered VNets, globally peered VNets and on premises using VPN or Express Route and services powered by Private Link.
Therefore, if there is a network that does not restrict outbound rules, it will be possible to access the Private Endpoint from on-premises, etc.
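The thread asks for a way to limit which source addresses may reach the SQL private endpoint from the Azure side. The following Bicep is an added example, not code from the thread or from Microsoft; it assumes the subnet's private endpoint network policies can be set to `Enabled` (a subnet capability that makes NSG rules apply to private endpoint traffic, which the posts above note was not the case at the time) and that the subnet already hosts the endpoint. All names, address ranges and the endpoint's private IP are placeholders.

```bicep
// Added example, not from the thread. Assumes the subnet already hosts the
// SQL private endpoint and that NSG enforcement for private endpoints
// (privateEndpointNetworkPolicies = 'Enabled') is available on the subnet.
// Names, address ranges and the endpoint IP below are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-placeholder'
param subnetName string = 'snet-privateendpoints'
param subnetPrefix string = '10.0.10.0/24'
param sqlPrivateEndpointIp string = '10.0.10.4'           // placeholder private endpoint NIC address
param allowedOnPremPrefixes array = ['192.168.50.0/24']    // constructed on-premises range allowed to connect

// NSG that only admits the approved on-premises ranges to the endpoint on
// the SQL port and explicitly denies every other inbound source.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-privateendpoints'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Approved-OnPrem-To-SQL-PE'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: allowedOnPremPrefixes
          sourcePortRange: '*'
          destinationAddressPrefix: sqlPrivateEndpointIp
          destinationPortRange: '1433'
        }
      }
      {
        name: 'Deny-All-Other-Inbound-To-SQL-PE'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: sqlPrivateEndpointIp
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: subnetPrefix
    // With policies disabled the NSG is bypassed for private endpoint
    // traffic, which is the behaviour the thread describes. 'Enabled'
    // makes the rules above apply to connections hitting the endpoint.
    privateEndpointNetworkPolicies: 'Enabled'
    networkSecurityGroup: {
      id: nsg.id
    }
  }
}
```

Two points worth checking after deployment: the explicit deny at priority 4000 is what actually closes the endpoint to the rest of the on-premises estate, since the default inbound rules permit VNet-sourced traffic; and the route-table concern raised earlier in the thread is separate from this, because an NSG filters by source address at the endpoint and does not change the /32 system route that ExpressRoute and peered VNets use to reach it.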