Unable to register Private Endpoint for Elastic Job Agent targeting SQL DB in another tenant over a peered network.

Daniel-4204 105 Reputation points
2025-06-27T03:26:51.0266667+00:00

Question:

Does Azure Elastic Job Agent support connecting to a SQL Database via a Private Endpoint when the endpoint is hosted in another tenant (across a peered VNet)?

I’m running into a networking issue with an Elastic Job Agent and SQL Database across tenants.

The Elastic Job Agent is in Tenant 1, VNet 1

That VNet is peered to a VNet in Tenant 2, which hosts the Azure SQL Database

The SQL Database has a Private Endpoint, and a Private DNS Zone in Tenant 1 resolves the *.database.windows.net domain correctly to the private IP

Azure Batch and WebApp APIs in Tenant 1 are connecting via this private IP with no issues

However, Elastic Job Agent connections appear as public IPs in SQL audit logs.

We do have the “Allow Azure services to connect” setting enabled on the SQL Server for an unrelated ETL pipeline, but we want Elastic Jobs to connect over the private link.

I found Microsoft documentation mentioning Private Endpoint support for Elastic Job Agents. When I try to register one, I get this error:

“The client has permission to perform action ‘Microsoft.Sql/servers/write’… however, the current tenant is not authorized to access linked subscription…”

I am Owner and Network Contributor in both tenants and subscriptions.

Azure SQL Edge

Answer accepted by question author
  1. Deepanshu katara 17,970 Reputation points MVP Moderator
    2025-06-27T05:48:11.95+00:00

    Hello, welcome to MS Q&A.

    Based on the latest documentation and community discussions, here's a breakdown of the situation you're facing with Azure Elastic Job Agent and Private Endpoint connectivity across tenants:

    The error you're seeing may be because Elastic Job Agent does not fully support Private Endpoint connections across tenants, even if the VNets are peered and DNS resolution is correctly configured.

    It can help here

    • Azure Batch and WebApps in Tenant 1 can connect to the SQL Database in Tenant 2 via Private Endpoint because they support cross-tenant VNet peering and DNS resolution.
    • Elastic Job Agent, however, still defaults to public IP routing unless explicitly configured with a service-managed private link, which is only supported within the same tenant and subscription.

    Workarounds & Recommendations

    1. Move the Elastic Job Agent to Tenant 2:
       • Deploy the Job Agent in the same tenant and VNet as the SQL Database.
       • This avoids cross-tenant restrictions and allows full use of Private Endpoint routing.

    2. Use Azure Automation or Azure Functions:
       • These services can be configured to run jobs and support Private Endpoint access across tenants more flexibly.

    3. Enable “Allow Azure Services” Temporarily:
       • While not ideal, enabling this setting allows Elastic Jobs to connect via public IP. You can restrict access using firewall rules or service tags.

    4. Raise a Microsoft Support Ticket:
    1 person found this answer helpful.
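
The audit-log check described in the question can be scripted to show which clients actually arrive over the private link. This is an added example, not part of the original thread or any Microsoft code. It assumes audit records exported as CSV with `sys.fn_get_audit_file` column names and VNets that use RFC 1918 address space; the sample rows and application names are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: both peered VNets use RFC 1918 address space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: audit records exported as CSV. Column names follow
# sys.fn_get_audit_file; every value below is made up for this example.
SAMPLE_AUDIT_CSV = """event_time,client_ip,application_name,server_principal_name
2025-06-26T22:01:04Z,10.20.1.7,batch-worker,etl_batch
2025-06-26T22:01:09Z,10.20.2.15,webapp-api,api_user
2025-06-26T22:05:00Z,203.0.113.44,job-agent-placeholder,jobuser
2025-06-26T22:05:31Z,203.0.113.61,job-agent-placeholder,jobuser
2025-06-26T22:07:12Z,10.20.2.15,webapp-api,api_user
2025-06-26T22:09:40Z,not-an-ip,unknown-client,api_user
"""

def classify(ip_text):
    """Return 'private', 'public' or 'unparsed' for one client_ip value."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "unparsed"
    return "private" if any(addr in n for n in PRIVATE_NETS) else "public"

def summarize(csv_text):
    """Count connections per (application, principal) by network path."""
    counts = defaultdict(lambda: {"private": 0, "public": 0, "unparsed": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["application_name"], row["server_principal_name"])
        counts[key][classify(row["client_ip"])] += 1
    return dict(counts)

def public_path_clients(csv_text):
    """Clients seen at least once from a non-private source address."""
    return sorted(k for k, v in summarize(csv_text).items() if v["public"])

if __name__ == "__main__":
    for (app, principal), c in sorted(summarize(SAMPLE_AUDIT_CSV).items()):
        print(f"{app:24} {principal:10} {c}")
    print("Not on the private link:", public_path_clients(SAMPLE_AUDIT_CSV))
```

Any client listed by `public_path_clients` is reaching the server through the public endpoint and depends on a firewall rule or the “Allow Azure services” setting rather than the Private Endpoint.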
