Using a different cloud? See AWS RDS in a Private VPC or GCP Cloud SQL in a Private VPC.
Blob Storage + Functions
Self-service setup with Terraform
Tunnel Agent
Lightweight agent in your VNet
Private Link
Private endpoint, no public internet
VNet Peering
Direct network link between VNets
VPN Gateway
Encrypted tunnel over the internet
ExpressRoute
Dedicated physical connection
Option 1: Export to Blob Storage via Azure Functions
RecommendedSelf-service
An Azure Function runs inside your VNet via VNet integration, queries your database, converts results to Parquet, and writes them to Blob Storage. BonData reads from Blob Storage via its native S3-compatible integration.
- No firewall changes - the function connects via your VNet
- Zero DB performance impact - queries run on your schedule
- Database credentials never leave your Azure subscription
- Fully self-service - no coordination with BonData needed
Deploy with Terraform
Create abondata-azure-export.tf file and fill in the variables at the top. This provisions the Storage Account, Function App, VNet integration, and timer trigger in one apply.
terraform apply, deploy the function code. Create these two files and deploy with Azure Functions Core Tools:
function_app.py:
requirements.txt:
Connect Blob Storage to BonData
Once data is flowing, connect BonData to the storage account:- In BonData, go to Integrations → Add Integration → Amazon S3
- Use the Azurite S3-compatible endpoint or generate a SAS token
- Alternatively, contact support@bondata.ai to set up a direct Azure Blob Storage connection
Azure Blob Storage supports S3-compatible access. You can also share a read-only SAS token scoped to the export container with BonData support for direct ingestion.
Option 2: BonData Tunnel Agent
A lightweight Docker container that runs inside your VNet and creates a secure outbound tunnel to BonData. Once running, BonData can query your database directly through the encrypted connection - no inbound firewall rules, no VPN, no public exposure.Get started with the Tunnel Agent
Contact our team to provision your tunnel token and walk through deployment for your environment.
Option 3: Azure Private Link
Azure Private Link creates a private endpoint in your VNet that routes traffic to BonData over the Microsoft backbone network, never crossing the public internet. Best for: Organizations with strict compliance requirements (HIPAA, SOC 2, FedRAMP) that prohibit any data traversal over the public internet, even when encrypted. Private Link provides the strongest network-level isolation available on Azure. How it works:- BonData exposes a Private Link Service in its Azure subscription
- You create a Private Endpoint in your VNet pointing to that service
- Your database traffic flows privately through the Microsoft backbone - no internet gateway, no public IPs
Set up Private Link
Contact our team to get BonData’s Private Link Service alias and configure the private endpoint for your subscription.
Option 4: VNet Peering
VNet Peering creates a direct network route between your VNet and BonData’s VNet, allowing private IP communication across subscriptions and tenants. Best for: Teams that want a simple, low-cost network link. VNet Peering on Azure supports high bandwidth, low latency, and works across subscriptions, tenants, and regions (global peering). How it works:- A peering connection is established between your VNet and BonData’s VNet
- Routes are automatically exchanged between the peered networks
- Your database’s network security group or firewall is updated to allow connections from BonData’s address space
VNet Peering requires non-overlapping address spaces. Global VNet Peering (cross-region) is supported but may incur data transfer charges.
Set up VNet Peering
Contact our team to exchange VNet details and coordinate the peering connection.
Option 5: Azure VPN Gateway
An Azure VPN Gateway creates an encrypted IPsec/IKE tunnel over the public internet between your network and BonData’s infrastructure. Best for: Organizations that already have VPN infrastructure, need to connect from on-premises networks, or require connectivity where VNet Peering isn’t possible due to overlapping address spaces. How it works:- A VPN Gateway is provisioned in your VNet’s gateway subnet
- An IPsec/IKE tunnel is established between your gateway and BonData’s endpoint
- All traffic is encrypted and routed through the tunnel
- Supports both policy-based and route-based configurations
Set up VPN Gateway
Contact our team to exchange gateway details and configure the VPN tunnel.
Option 6: Azure ExpressRoute
Azure ExpressRoute provides a dedicated private connection between your infrastructure and BonData through a connectivity provider, bypassing the public internet entirely. Best for: Enterprise environments with very high data volumes, strict latency requirements, or regulatory mandates for dedicated connectivity. ExpressRoute provides the most predictable throughput and lowest latency, with options for 50 Mbps to 100 Gbps circuits. How it works:- A circuit is provisioned through an ExpressRoute connectivity provider
- Private peering routes traffic between your network and BonData’s Azure VNet
- Traffic never touches the public internet - ideal for large-scale, continuous data sync
- ExpressRoute Global Reach can extend connectivity across regions
ExpressRoute typically takes 1-4 weeks to provision depending on the provider. ExpressRoute Direct is available for dedicated port-level access at 10 Gbps or 100 Gbps.
Set up ExpressRoute
Contact our team to discuss your throughput requirements and coordinate the connection.