Private endpoint scenarios for Azure SQL Managed Instance (2023)

Last week we announced that private endpoints for Azure SQL Managed Instance are generally available (GA). Today we give examples of private endpoints in real-world scenarios, starting with the basics and building up to more complex setups in the second part of this miniseries.

In this post, we cover the following scenarios:

  1. Access SQL MI from another virtual network
  2. A safer way for public access
  3. Access SQL MI from your location
  4. Expose SQL MI to hosted Azure services

Please note that we only discuss scenarios where Azure SQL Managed Instance itself is exposed through a private endpoint. The reverse direction, where Azure SQL Managed Instance accesses other resources through their private endpoints, is already established practice and documented elsewhere, for example in Create secure on-demand backups on SQL Managed Instance.

Well, let's dig a little deeper!

1. Access SQL MI from another virtual network

This is the basic scenario for private endpoints, so it makes sense to discuss it first.

Let's say your Azure SQL Managed Instance is in one virtual network and your application is in another virtual network. How do we make sure the application and Azure SQL Managed Instance can communicate with each other? You may have this configuration if:

  • you want stronger network isolation between your data and your applications, or
  • your application connects to Azure from on-premises via VPN or ExpressRoute, or
  • you have a multi-region deployment where the application communicates with a SQL MI in a different region, or
  • your application is in a different Azure subscription or tenant, or
  • your application is in a virtual network that you have no direct control over (see also Scenario 4 if an Azure service manages this network),

or a similar scenario.

Figure 1: Diagram showing Azure SQL Managed Instance in one virtual network and an application accessing it through a private endpoint in another virtual network.

In this case, we can make SQL MI available in other virtual networks by creating one or more private endpoints for it. This means we don't have to connect the networks together at all (no peering or VPN required), so it is by far the easiest and most secure option: a one-way connection from our application's virtual network to the database server it needs.

That said, you should be aware that by choosing a private endpoint over peering or a VPN you make a slight performance compromise. Private endpoints for Azure SQL Managed Instance currently use the proxy connection type regardless of the instance's connection type setting. However, unless you plan on making thousands of connections per second through the private endpoint, you will appreciate the added security and ease of management.
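The following is an added example (not code from the original post) showing how Scenario 1 is set up with the Az PowerShell modules: a private endpoint to an existing managed instance is created in the application's virtual network, and a private DNS zone is linked so the instance FQDN resolves to the endpoint's private IP. All resource names are placeholders, and the private DNS zone name is derived from the instance FQDN on the assumption that it follows the Private Link convention privatelink.<dnszone>.database.windows.net.

```powershell
# Added example (not from the original post). Requires Az.Sql, Az.Network and
# Az.PrivateDns and an active Connect-AzAccount session. Names are placeholders.

$miResourceGroup  = 'rg-sqlmi'                # placeholder: RG holding the managed instance
$miName           = 'sqlmi-prod'              # placeholder: managed instance name
$appResourceGroup = 'rg-app'                  # placeholder: RG holding the application VNet
$appVnetName      = 'vnet-app'                # placeholder
$peSubnetName     = 'snet-private-endpoints'  # placeholder: subnet dedicated to private endpoints
$location         = 'westeurope'              # placeholder

$mi     = Get-AzSqlInstance -ResourceGroupName $miResourceGroup -Name $miName
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $appResourceGroup -Name $appVnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $peSubnetName -VirtualNetwork $vnet

# The Private Link sub-resource ("group id") for a managed instance is 'managedInstance'.
$plsc = New-AzPrivateLinkServiceConnection -Name "$miName-plsc" `
    -PrivateLinkServiceId $mi.Id -GroupId 'managedInstance'

# Create the private endpoint in the application VNet; no peering or VPN needed.
$pe = New-AzPrivateEndpoint -ResourceGroupName $appResourceGroup -Name "pe-$miName" `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $plsc

# Derive the zone name from the instance FQDN <name>.<dnszone>.database.windows.net.
# Assumption: the Private Link zone is privatelink.<dnszone>.database.windows.net.
$dnsZoneLabel = ($mi.FullyQualifiedDomainName -split '\.')[1]
$zoneName     = "privatelink.$dnsZoneLabel.database.windows.net"

$zone = Get-AzPrivateDnsZone -ResourceGroupName $appResourceGroup -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $appResourceGroup -Name $zoneName
    # Link the zone to the application VNet so its resolver uses it.
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $appResourceGroup -ZoneName $zoneName `
        -Name "link-$appVnetName" -VirtualNetworkId $vnet.Id | Out-Null
}

# Let Azure maintain the A record for the endpoint's NIC inside that zone.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'sqlmi-zone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $appResourceGroup -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Show the endpoint's private IP; the instance FQDN should now resolve to it from inside the VNet.
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
"$($mi.FullyQualifiedDomainName) -> $($nic.IpConfigurations[0].PrivateIpAddress)"
```

The application keeps connecting with the instance's normal FQDN; only the DNS answer changes to the private IP, so the TLS certificate and the instance name in the connection string still match.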

2. Safer public access

A very useful property of a private endpoint is that it always has a static IP address, regardless of any changes to the managed instance (such as after a failover or service update). Even if you move a managed instance to a brand new subnet or virtual network, the private endpoint will keep its IP address!

Because we can rely on private endpoints with static IP addresses, we can configure Azure Firewall to route inbound traffic from the public endpoint to the private endpoint. This isn't much different from the Azure SQL Managed Instance public endpoint, but comes with additional security and filtering options that we wouldn't otherwise have.

Figure 2: Diagram showing applications outside of Azure accessing SQL Managed Instance through the public IP of Azure Firewall. The firewall filters external traffic and forwards it to a private endpoint inside the virtual network.

To put Azure Firewall in front of Azure SQL Managed Instance, deploy it in a virtual network together with a private endpoint for that Azure SQL Managed Instance (each in a different subnet). Give Azure Firewall a public IP address to listen on and add a NAT rule that translates incoming traffic from the public IP to the private endpoint. In short, the rule looks like this:

  • Name: your choice
  • Protocol: TCP
  • Destination type: IP address
  • Source: * (or something more specific, depending on your environment)
  • Destination address: the public IP address you assigned to Azure Firewall
  • Destination port: 1433 (or choose another)
  • Translated address: the IP address of the Azure SQL Managed Instance private endpoint
  • Translated port: 1433 (this one is fixed)

Your Azure SQL Managed Instance now has a static public IP address! Just remember to set up the DNS records so that the instance name resolves to that IP address, and configure your application to connect using the domain name. Otherwise, your application may fail to establish a secure connection or may fail to connect at all (currently, Azure SQL Managed Instance requires incoming connections to include the instance name in the connection string).
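As an added example (not code from the original post), this script creates the DNAT rule listed above on an existing Azure Firewall that uses classic rules, resolving the private endpoint's static IP from its network interface rather than hard-coding it. Resource names and the allowed source range are placeholders; the source is narrowed to a constructed client range instead of * to show the more restrictive option the list mentions.

```powershell
# Added example (not from the original post). Requires Az.Network and an active
# Connect-AzAccount session. Names and the source range are placeholders.

$fwResourceGroup = 'rg-dmz'             # placeholder: RG holding Azure Firewall and the private endpoint
$firewallName    = 'afw-dmz'            # placeholder
$publicIpName    = 'pip-afw-dmz'        # placeholder: public IP attached to the firewall
$peName          = 'pe-sqlmi-prod'      # placeholder: private endpoint of the managed instance
$allowedSources  = @('203.0.113.0/24')  # placeholder (TEST-NET-3): restrict to your clients instead of '*'

$fw  = Get-AzFirewall -ResourceGroupName $fwResourceGroup -Name $firewallName
$pip = Get-AzPublicIpAddress -ResourceGroupName $fwResourceGroup -Name $publicIpName

# The private endpoint's IP is static, so it is safe to reference it in a NAT rule.
$pe   = Get-AzPrivateEndpoint -ResourceGroupName $fwResourceGroup -Name $peName
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress

# Name / Protocol / Source / Destination address + port -> Translated address + port.
# The translated port must stay 1433.
$rule = New-AzFirewallNatRule -Name 'sqlmi-dnat' -Protocol 'TCP' `
    -SourceAddress $allowedSources `
    -DestinationAddress $pip.IpAddress -DestinationPort '1433' `
    -TranslatedAddress $peIp -TranslatedPort '1433'

# NAT rule collections are always DNAT; lower priority number wins.
$collection = New-AzFirewallNatRuleCollection -Name 'sqlmi-inbound' -Priority 100 -Rule $rule

$fw.AddNatRuleCollection($collection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

"Public $($pip.IpAddress):1433 -> private endpoint $($peIp):1433 for sources $($allowedSources -join ', ')"
```

After the rule is in place, publish a DNS record that points the instance's host name at the firewall's public IP, since clients must still connect by the instance name for the TLS handshake and the instance routing to succeed.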

3. Access SQL MI from your location

Unlike the first scenario, our application is now no longer hosted in Azure. This means we cannot create private endpoints directly in the application's own address space. What we can do, however, is create a virtual network, host private endpoints for our Azure SQL Managed Instance there (and for other Azure resources the application needs to access), and then connect the application to that network.

Figure 3: Diagram showing an on-premises application accessing Azure SQL Managed Instance through a VPN tunnel and a private endpoint.

We can connect our application to this virtual network in different ways, for example:

  • set up a Point-to-Site VPN connection between the on-premises computer hosting our application and this virtual network, or
  • set up a Site-to-Site VPN connection between the on-premises network and this virtual network, or
  • use ExpressRoute, or
  • open a public endpoint and let your application connect over the internet (see Scenario 2 if you choose this route).

You may be wondering: why not just connect the application to the same virtual network as Azure SQL Managed Instance? Why create an intermediate virtual network? The reason is that it is better security practice not to mix security zones. Our application connects over the internet, so it is best to give it a dedicated virtual network with stricter security and authentication measures than the rest of our infrastructure. This part of the network is often referred to as the "demilitarized zone" or DMZ. We then create an Azure SQL Managed Instance private endpoint inside the DMZ to expose only a minimal surface of the database server, while keeping the flexibility to revoke this connection path if necessary.

Think of this as a better public endpoint for SQL MI, where you can take advantage of built-in threat intelligence, add additional rules, view metrics, set alerts, and use the other powerful Azure Firewall features.

4. Expose SQL MI to hosted Azure services

So far, we have only discussed scenarios where we directly manage the virtual network in which the private endpoint resides. However, some managed Azure services that do not expose their infrastructure can be instructed to create private endpoints to our resources inside their own hosting network. Such services typically provide an API and/or user interface that lets us request the creation of a private endpoint to our Azure SQL Managed Instance (or another type of resource), which we then approve on our side. At the time of writing, such services include Azure Data Factory, Synapse, and Cognitive Search. This list is not final and will be expanded over time, so to be sure, consult the latest documentation.

Figure 4: Diagram showing how a managed service, such as Azure Data Factory, communicates with Azure SQL Managed Instance by deploying a private endpoint in the service's own network environment.
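The approval step of Scenario 4, as an added example that is not part of the original post: the script lists the private endpoint connection requests that hosted services have made to our managed instance and approves only those whose endpoint lives in a subscription we recognise, leaving anything else pending for manual review. It assumes the generic Az.Network private endpoint connection cmdlets work against the Microsoft.Sql/managedInstances provider (check the current documentation); resource names and the trusted subscription id are placeholders.

```powershell
# Added example (not from the original post). Requires Az.Sql and Az.Network
# and an active Connect-AzAccount session. Names and ids are placeholders.

$miResourceGroup = 'rg-sqlmi'    # placeholder
$miName          = 'sqlmi-prod'  # placeholder
# Placeholder: approve only requests whose endpoint is deployed from these subscriptions
# (for example the subscription that hosts our Data Factory).
$trustedSubscriptionIds = @('00000000-0000-0000-0000-000000000000')

$mi = Get-AzSqlInstance -ResourceGroupName $miResourceGroup -Name $miName

# Every private endpoint pointed at this instance, whether created by us or by a hosted service.
$connections = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $mi.Id

foreach ($conn in $connections) {
    $state = $conn.PrivateLinkServiceConnectionState.Status
    $peId  = $conn.PrivateEndpoint.Id
    # Resource ids look like /subscriptions/<id>/resourceGroups/<rg>/...; index 2 is the subscription.
    $peSubscription = ($peId -split '/')[2]

    "{0,-40} {1,-9} endpoint subscription {2}" -f $conn.Name, $state, $peSubscription

    if ($state -ne 'Pending') { continue }

    if ($trustedSubscriptionIds -contains $peSubscription) {
        Approve-AzPrivateEndpointConnection -ResourceId $conn.Id `
            -Description 'Approved: endpoint from a trusted subscription' | Out-Null
        "  -> approved"
    } else {
        # Leave it pending for a human to review; Deny-AzPrivateEndpointConnection would reject it outright.
        "  -> left pending: endpoint from an unrecognised subscription"
    }
}
```

Running this periodically (or after a service prompts for approval) keeps the instance's exposure limited to endpoints you have explicitly vetted, which is the whole point of requiring approval on our side.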


This concludes the first part of this series on private endpoints in Azure SQL Managed Instance. For more information about private endpoints for Azure SQL Managed Instance, you can visit the following links:

Stay tuned, next time we'll post more private endpoint scenarios!

Article information

Author: Dr. Pierre Goyette

Last Updated: 12/22/2023