Merge pull request #86850 from fgarofalo56/sqldb-pec

added deny public network access

Author: ktoliver

articles/azure-sql/database/media/private-endpoint/pec-deny-public-access.png

@@ -56,6 +56,20 @@ Once the network admin creates the Private Endpoint (PE), the SQL admin can mana
    which finally leads to the IP address for the private endpoint
    ![Screenshot of Private IP][9]
 
+> [!IMPORTANT]
+> When you add a private endpoint connection, public routing to your Azure SQL logical server isn't blocked by default. In the **Firewall and virtual networks** pane, the setting **Deny public network access** is not selected by default. To disable public network access, ensure that you select **Deny public network access**.
+
+## Disable public access to your Azure SQL logical server
+
+For this scenario, assume you want to disable all public access to your Azure SQL logical server and allow connections only from your virtual network.
+
+First, ensure that your private endpoint connections are enabled and configured. Then, to disable public access to your logical server:
+
+1. Go to the **Firewalls and virtual network** pane of your Azure SQL logical server.    
+1. Select the **Deny public network access** checkbox.
+
+![Screenshot that shows selecting the Deny public network access option.](./media/private-endpoint/pec-deny-public-access.png)
+
 ## Test connectivity to SQL Database from an Azure VM in same virtual network
 For this scenario, assume you've created an Azure Virtual Machine (VM) running a recent version of Windows in the same virtual network as the private endpoint.