How to Resolve the Private Link Service Connection Group Id Is Incorrect Error
Issue
You receive the following error message:
Call to Microsoft.Sql/servers failed. Error message: Private Link Service Connection Group Id is incorrect for Azure SQL DB
Environment
- All database connectors
- Connection method: Private networking
Understanding the problem
When you create a private endpoint, you specify a target sub-resource (also known as a group ID). This tells Azure which specific part of the target service your private endpoint should connect to. For Azure SQL Database, there is one specific, case-sensitive group ID that must be used. If you use anything else, or if there's a typo, you'll get this error.
Resolution
When creating or configuring the private endpoint for Azure SQL Database, set the Group ID to sqlServer.
Using the Azure Portal
- Go to your Azure SQL Database logical server in the Azure portal.
- In the left-hand menu, go to Security > Networking.
- Go to the Private access tab.
- Click + Create a private endpoint (or if you're modifying an existing one, go into its configuration).
- On the Resource tab of the Create a private endpoint blade:
  - Connection method: Select Connect to an Azure resource in my directory.
  - Subscription: Choose the subscription where your SQL Database server is located.
  - Resource type: This should automatically be Microsoft.Sql/servers.
  - Resource: Select your specific Azure SQL Database logical server from the dropdown.
  - Target sub-resource: From the dropdown, select sqlServer.
- Proceed through the rest of the Private Endpoint creation steps (Virtual Network, DNS integration, Tags, Review + create).
Using Azure CLI
When using the az network private-endpoint create command, ensure you use --group-ids "sqlServer".
# --group-ids "sqlServer" is the correct group ID.
# (A comment cannot follow a trailing backslash, so it is placed here.)
az network private-endpoint create \
  --name my-sql-db-private-endpoint \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet \
  --subnet MySubnet \
  --connection-name MySqlDbPrivateConnection \
  --private-connection-resource-id "/subscriptions/<your-subscription-id>/resourceGroups/<your-sql-resource-group>/providers/Microsoft.Sql/servers/<your-sql-server-name>" \
  --group-ids "sqlServer" \
  --location "<your-region>"
# The create command has no --private-dns-zone option. Link the endpoint to
# privatelink.database.windows.net (the standard DNS zone for SQL DB) afterwards
# with: az network private-endpoint dns-zone-group create
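A pre-flight check for the values passed to the command above, as an added example that is not part of the original article. check_sql_group_id is a hypothetical helper (not an Azure CLI command), and the sample resource ID is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example: check_sql_group_id is a hypothetical helper, not an Azure CLI command.
# Exit status: 0 = group ID is correct, 1 = wrong group ID,
#              2 = target is not a Microsoft.Sql/servers logical server.

EXPECTED_GROUP_ID="sqlServer"   # case-sensitive value required for Azure SQL Database

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

check_sql_group_id() {
  target_lc=$(lower "$1")   # resource ID, lowercased because ARM IDs are case-insensitive
  group_id=$2               # compared exactly as typed

  case "$target_lc" in
    */providers/microsoft.sql/servers/?*) ;;
    *) echo "skip: target is not Microsoft.Sql/servers" >&2; return 2 ;;
  esac
  # Anything below the server (for example .../databases/<name>) is not the logical server.
  server_part=${target_lc##*/providers/microsoft.sql/servers/}
  case "$server_part" in
    */*) echo "skip: target is a child resource, not the logical server" >&2; return 2 ;;
  esac

  if [ "$group_id" = "$EXPECTED_GROUP_ID" ]; then
    return 0
  elif [ "$(lower "$group_id")" = "$(lower "$EXPECTED_GROUP_ID")" ]; then
    echo "error: '$group_id' differs from '$EXPECTED_GROUP_ID' only in case" >&2
  else
    echo "error: '$group_id' is not the group ID for Azure SQL Database; use '$EXPECTED_GROUP_ID'" >&2
  fi
  return 1
}

# Constructed sample values (placeholder subscription and names), checked offline.
SAMPLE_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Sql/servers/my-sql-server-name"
for candidate in sqlServer sqlserver SqlServer sql; do
  if check_sql_group_id "$SAMPLE_ID" "$candidate" 2>/dev/null; then
    echo "$candidate: ok"
  else
    echo "$candidate: rejected"
  fi
done
```

To gate a deployment, call the function with the same values you pass to --private-connection-resource-id and --group-ids, and run the az command only when it returns 0.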
Using Azure PowerShell
When using the New-AzPrivateEndpoint cmdlet, ensure the private link service connection you pass to it has the group ID set correctly (the -GroupId parameter of New-AzPrivateLinkServiceConnection). For example:
# First, get your SQL Server and Subnet objects
$sqlServer = Get-AzSqlServer -ResourceGroupName "MyResourceGroup" -ServerName "my-sql-server-name"
# Get-AzVirtualNetworkSubnetConfig takes a virtual network object, not a name
$vnet = Get-AzVirtualNetwork -Name "MyVNet" -ResourceGroupName "MyResourceGroup"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "MySubnet" -VirtualNetwork $vnet
# Define the private link service connection to the SQL server
$connection = New-AzPrivateLinkServiceConnection -Name "MySqlDbPrivateConnection" `
    -PrivateLinkServiceId $sqlServer.ResourceId `
    -GroupId "sqlServer" # <--- THIS IS THE CORRECT GROUP ID
# Create the Private Endpoint
New-AzPrivateEndpoint -Name "my-sql-db-private-endpoint" `
    -ResourceGroupName "MyResourceGroup" `
    -Location (Get-AzResourceGroup -Name "MyResourceGroup").Location `
    -Subnet $subnet `
    -PrivateLinkServiceConnection $connection `
    -AsJob # Or remove -AsJob if you want to wait for completion