Last week we announced that private endpoints for Azure SQL Managed Instance are generally available (GA). Today we'll walk through private endpoints in real-world scenarios, starting with the basics here and building up to more complex setups in the second part of this miniseries.
In this post, we cover the following scenarios:
- Access SQL MI from another virtual network
- A safer way for public access
- Access SQL MI from your location
- Expose SQL MI to hosted Azure services
Please note that we only discuss scenarios where Azure SQL Managed Instance itself is exposed through a private endpoint somewhere else. The reverse direction, where Azure SQL Managed Instance accesses other resources through their private endpoints, is hopefully established practice by now and is documented elsewhere, for example in Create secure on-demand backups on SQL Managed Instance.
Well, let's dig a little deeper!
1. Access SQL MI from another virtual network
This is the basic scenario for private endpoints, so it only makes sense to discuss it first.
Let's say your Azure SQL Managed Instance is in one virtual network and your application is in another. How do we get the application and Azure SQL Managed Instance to communicate with each other? You may have this configuration if:
- you want stronger network isolation between your data and your applications, or
- your application connects to Azure from on-premises via VPN or ExpressRoute, or
- you have a multi-region deployment where the application communicates with a SQL MI in a different region, or
- your application is in a different Azure subscription or tenant, or
- your application is in a virtual network that you don't directly control (see also scenario 4 if an Azure service manages this network),
or a similar scenario.
Diagram showing Azure SQL Managed Instance in one virtual network and an application accessing it through a private endpoint in another virtual network.
In this case, we can make SQL MI available in other virtual networks by creating one or more private endpoints for it. This means we don't have to bother connecting the networks together - no peering or VPN required! - so this is definitely the easiest and most secure option: it sets up a one-way connection from our application's virtual network to just the database server that needs it.
That said, you should also be aware that by choosing a private endpoint over peering or a VPN, you'll be making a slight performance compromise. Private endpoints for Azure SQL Managed Instance currently use the proxy connection type regardless of the instance's connection type setting. However, unless you plan on making thousands of connections per second through a private endpoint, you'll appreciate the added security and ease of management.
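The setup described above, written out as an added Bicep example (this is not code from the original post or from the Azure SQL MI team): a private endpoint to an existing managed instance is created in the application's virtual network, and a private DNS zone is linked to that network so the instance's host name resolves to the endpoint's static private IP. All resource names, the parameter defaults and the dnsPrefix value are placeholders; the DNS zone name follows the privatelink.{dnsPrefix}.database.windows.net pattern used for SQL MI, so check it against your instance's FQDN.

```bicep
// Added example, not from the original post. Creates a private endpoint to an
// existing Azure SQL Managed Instance from a separate application VNet.
// Every name below is a placeholder; managedInstanceId may point to an instance
// in another VNet, subscription or tenant.
param location string = resourceGroup().location
param appVnetName string = 'app-vnet'      // application virtual network (placeholder)
param appSubnetName string = 'pe-subnet'   // subnet that will host the endpoint (placeholder)
param managedInstanceId string             // resource ID of the SQL MI (Microsoft.Sql/managedInstances)
param dnsPrefix string                     // the '<prefix>' part of <mi>.<prefix>.database.windows.net

resource appVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: appVnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: appVnet
  name: appSubnetName
}

// The private endpoint itself; 'managedInstance' is the SQL MI sub-resource (group ID).
resource sqlMiPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-sqlmi'
  location: location
  properties: {
    subnet: {
      id: peSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'sqlmi-connection'
        properties: {
          privateLinkServiceId: managedInstanceId
          groupIds: [
            'managedInstance'
          ]
        }
      }
    ]
  }
}

// Private DNS zone so the instance FQDN resolves to the endpoint's private IP
// from inside the application VNet (no public resolution involved).
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.${dnsPrefix}.database.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'link-${appVnetName}'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: appVnet.id
    }
    registrationEnabled: false
  }
}

// Let the endpoint register its own A record in the zone.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: sqlMiPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sqlmi'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}

// The endpoint's static private IP; this is the address a firewall would DNAT to.
output privateEndpointIp string = sqlMiPrivateEndpoint.properties.customDnsConfigs[0].ipAddresses[0]
```

Deploy it into the application's resource group with the instance's resource ID as a parameter. If the instance lives in another tenant, the connection shows up on the instance side as pending until someone with rights on the instance approves it, which is the point: the database owner keeps control over who gets a path in.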
2. Safer public access
A very useful property of a private endpoint is that it always has a static IP address, regardless of any changes to the managed instance (such as after a failover or service update). Even if you move a managed instance to a brand new subnet or virtual network, the private endpoint will keep its IP address!
Because we can rely on private endpoints having static IP addresses, we can configure Azure Firewall to forward inbound traffic from a public endpoint to the private endpoint. This isn't much different from the Azure SQL Managed Instance public endpoint, but it comes with additional security and filtering options that we wouldn't otherwise have.
Diagram showing applications outside of Azure accessing SQL Managed Instance through the firewall's public endpoint. The firewall filters external traffic and directs it to a private endpoint in its own virtual network.
To put Azure Firewall in front of Azure SQL Managed Instance, deploy it in a virtual network together with a private endpoint for that Azure SQL Managed Instance (each in its own subnet). Give Azure Firewall a public IP address to listen on and add a NAT rule that translates incoming traffic from the public endpoint to the private endpoint. In short:
- Name: your choice
- Protocol: TCP
- Source type: IP address
- Source: * (or something more specific, depending on your environment)
- Destination address: the public IP address you gave Azure Firewall
- Destination port: 1433 (or choose another)
- Translated address: IP address of the Azure SQL Managed Instance private endpoint
- Translated port: 1433 (this one is fixed)
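The same NAT rule expressed as an added Bicep example for an Azure Firewall policy (not code from the original post or from the product team): a DNAT rule collection forwards TCP 1433 arriving on the firewall's public IP to the private endpoint's static private IP. The policy name, the IP addresses and the source list are placeholder parameters; the source list is left as `*` only to mirror the list above and should be narrowed to your client ranges.

```bicep
// Added example, not from the original post. DNAT rule in an existing Azure
// Firewall policy that publishes a SQL MI private endpoint on the firewall's
// public IP. All names and addresses are placeholders.
param firewallPolicyName string = 'fw-policy'   // existing firewall policy (placeholder)
param firewallPublicIp string                    // public IP attached to Azure Firewall
param sqlMiPrivateEndpointIp string              // static private IP of the SQL MI private endpoint
param allowedSources array = [                   // '*' mirrors the post; narrow this where you can
  '*'
]

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource dnatRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'sqlmi-dnat'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'sqlmi-inbound'
        priority: 100
        action: {
          type: 'Dnat'
        }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'sqlmi-1433'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: allowedSources              // who may reach the public endpoint
            destinationAddresses: [
              firewallPublicIp                           // the firewall's public IP
            ]
            destinationPorts: [
              '1433'                                     // public-facing port; any port works here
            ]
            translatedAddress: sqlMiPrivateEndpointIp    // static private endpoint IP
            translatedPort: '1433'                       // fixed: the private endpoint listens on 1433
          }
        ]
      }
    ]
  }
}
```

Because the translated address is the private endpoint's IP rather than the instance's own address, the rule survives failovers, service updates and even moving the instance to another subnet, which is exactly the property the static IP gives you.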
Your Azure SQL Managed Instance now has a static public IP address! Just remember the settings described above.
Think of this as a better public endpoint for SQL MI, where you can take advantage of built-in threat intelligence, add further rules, view metrics, set alerts, and use other powerful Azure Firewall features.
3. Access SQL MI from your location
Unlike in the first scenario, our application is now not hosted on Azure. This means we cannot create a private endpoint in the application's own address space. What we can do, however, is create a virtual network, host private endpoints to our Azure SQL Managed Instance there (and to other Azure resources that our application needs to access), and then connect the application to that network.
Diagram showing an on-premises application accessing Azure SQL Managed Instance through a VPN tunnel and a private endpoint.
We can connect our application to this virtual network in different ways, for example:
- set up a point-to-site VPN connection between the on-premises computer hosting our application and this virtual network, or
- set up a site-to-site VPN connection between the on-premises network and this virtual network, or
- use ExpressRoute, or
- open a public endpoint and let your application connect over the internet (see scenario 2 if you choose this route).
You may be wondering: why not just let the application connect to the same virtual network as Azure SQL Managed Instance? Why create an intermediate virtual network? The reason is that it is better security practice not to mix security zones. Our application connects over the internet, so it's best to have a dedicated virtual network with stricter security and authentication measures than the rest of our infrastructure. This part of the network is often referred to as the "demilitarized zone" or DMZ. We then create an Azure SQL Managed Instance private endpoint within the DMZ to expose the smallest possible surface of the database server, while retaining the flexibility to revoke this connection path if necessary.
4. Expose SQL MI to hosted Azure services
So far we have only discussed scenarios where we directly manage the virtual network in which the private endpoint resides. However, some managed Azure services that don't expose their infrastructure can be instructed to create private endpoints to our resources within their own hosting network. Such services typically provide an API and/or user interface that lets us request the creation of a private endpoint to our Azure SQL Managed Instance (or another type of resource), which we then approve on our side. At the time of writing, such services include Azure Data Factory, Synapse, and Cognitive Search. This list is not final and will grow over time, so to be sure, consult the latest documentation.
The diagram shows how a managed service, such as Azure Data Factory, can communicate with Azure SQL Managed Instance by deploying a private endpoint in the service's own network environment.
Conclusion
This concludes the first part of this series on private endpoints in Azure SQL Managed Instance. For more information about private endpoints for Azure SQL Managed Instance, you can visit the following links:
- The original GA announcement post, Private endpoint GA for Azure SQL Managed Instance (microsoft.com)
- A five-minute video on private links and private endpoints (there are many more on the SQL MI YouTube channel)
- The official documentation, Azure Private Link and private endpoints
- Our SQLBits 2023 talk, Deploy a secure network with Azure and Azure SQL Managed Instance
Stay tuned, next time we'll post more private endpoint scenarios!