MicrosoftDocs
diff --git a/‎articles/azure-sql/database/media/private-endpoint/pec-deny-public-access.png
98.4 KB b/‎articles/azure-sql/database/media/private-endpoint/pec-deny-public-access.png
98.4 KB
diff --git a/‎articles/azure-sql/database/private-endpoint-overview.md
Lines changed: 13 additions & 0 deletions b/‎articles/azure-sql/database/private-endpoint-overview.md
Lines changed: 13 additions & 0 deletions
@@ -56,6 +56,19 @@ Once the network admin creates the Private Endpoint (PE), the SQL admin can mana
    which finally leads to the IP address for the private endpoint
    ![Screenshot of Private IP][9]
 
+> [!IMPORTANT]
+> When adding a Private endpoint connection, public routing to your Azure SQL logical server is not blocked by default. The setting "Deny public network access" under the "Firewall and virtual networks" blade is left unchecked by default. To disable public network access ensure this is checked.
+
+## Disable public access to Azure SQL logical server
+For this scenario, assume you would like to disable all public access to your Azure SQL Logical server, and only allow connections from your virtual network.
+
+1. Ensure your Private endpoint connection(s) are enabled and configured.
+2. Disable public access
+    1. Navigate to the "Firewalls and virtual network" blade of your Azure SQL Logical Server    
+    2. Click the box to check mark "Deny public network access"
+    ![Screenshot of Deny public network access](./media/private-endpoint/pec-deny-public-access.png)
+
+
 ## Test connectivity to SQL Database from an Azure VM in same virtual network
 For this scenario, assume you've created an Azure Virtual Machine (VM) running a recent version of Windows in the same virtual network as the private endpoint.