Azure Pipeline Running SQL against a server with no public access

Question

We have a SQL instance in azure which until recently was publicly available with access restricted based on IP whitelisting. We have recently ticked the "Deny public access" checkbox and set up private endpoints for the server.

We also have build and release pipelines in azure devops which create a SQL entity framework migration file as part of the build and run it against SQL as part of the release using admin credentials, this means that we can apply migrations on the database without the app needing to have more than basic read/write access to the database.

The problem that we have encountered is that when the release gets to the point of needing to execute the SQL against the database it cannot connect, I assume because the build agent is outside of our vnet.

We are looking at creating our own build agent inside the vnet and using this for the build & release pipelines, we are confident that this will resolve the issue but would like other options if there are any?

Answer 1

Thank you 5NRF and Ryu S.. Posting your discussions as answer to help other community members.

You could try anyone of these possible solutions.

1. Create self-hosted agent on the SQL server VM which would be part of the VNet.
2. Create a self-hosted agent on an Azure VM which is connected same VNet
3. Create a self-hosted agent on your local machine. Using Express route, private peering or VPN tunneling to connect to the private endpoint.

run the build and pipelines on the self hosted agent by setting up the pool to your private agent pool which is hosts the self-hosted agent.

Reference: create self-hosted agent, Connecting from an on-premises environment over VPN,