We have an Azure SQL Server which is going to accept connections from four VMs also in Azure. My question is: which one is better?

  • Using encrypted connections protected by certificates and Azure SQL listening on a public port?

  • Using non-encrypted connections (for better performance) on a private virtual network?

Or maybe both? I read in the documentation that using encrypted connections will affect the performance; is this something to take into account?


2 Answers


If you're using SQL all on Azure VMs, i.e. not Azure SQL Database as a Service, then I would suggest going for all connections across a private network, to the database tier at least.

As another measure of security, then yes, look into using SQL Always Encrypted, but it does mean that each client which connects to the SQL Server does need the SSL certificate chain to be installed into its local certificate store. That equals more admin overhead initially. If you go with RSA 2048 bit length as the minimum for key encryption, then this shouldn't prove a bottleneck at the client side when decrypting the key. But obviously the larger the RSA bit length is, the longer it can potentially take for the client to decrypt this.

  • Actually we are using Azure SQL Database as a Service, sorry, I should have used another wording for my question. I infer from your answer that I can't use the SQL service inside a private network, am I right? – morgano Mar 05 '17 at 23:24
  • The only way to get a private connection to Azure SQL PaaS is to use ExpressRoute. – Sam Cogan Mar 06 '17 at 22:35

Using ExpressRoute is definitely the way to go, but there is a fair amount of setup overhead involved with ensuring that the ISPs involved support ExpressRoute and then enable the ExpressRoute circuit. But definitely worth considering if you want all connections into Azure SQL DB to go across a private route.

If you weren't so bothered about that, then go with SQL Always Encrypted between client and Azure SQL DB.
