Lesson Learned #434:Adjusting NSG Port Ranges:Azure SQL Manage Instance Tier Migration from GP to BC
Published Sep 24 2023 03:56 AM 1,654 Views

We encountered an interesting case with our customer who faced connectivity issues immediately after migrating from the General Purpose to Business Critical tier in Azure SQL Managed Instance. We would like to share the lessons learned from this experience and how we resolved the issue.


The Challenge: Facing Error 10060 Post-Migration


Our customer began to encounter Error 10060 after scaling up to the Business Critical tier. Upon investigation, we realized that the "Proxy" connection type was working, but the "Redirect" type was causing issues.


Network Traces and NSG Rules

In the General Purpose tier, our customer had set their Network Security Group (NSG) rules to only allow traffic through port 11000, in addition to the standard port 1433. This configuration was based on network traces, which indicated that only port 11000 was necessary for the "Redirect" connection type. This makes sense in the context of General Purpose tier, which employs a single Virtual Machine to handle the database.


The Culprit: Multiple Nodes in Business Critical

In Business Critical, the environment operates on an Always On architecture with multiple machines. Consequently, the port requirements are different: the port range expands from a single port to a range between 11000-11999.


The Solution: Updating NSG Rules and Connection Type

The customer resolved the issue by performing two key actions:


Updating NSG Rules: The NSG was updated to allow the new port range of 11000-11999.



az network nsg rule update \
  --name MyNsgRule \
  --nsg-name MyNsg \
  --resource-group MyResourceGroup \
  --destination-port-ranges 11000-11999



Changing Connection Type: The connection type was switched from "Proxy" to "Redirect," which then worked seamlessly with the new NSG settings.



Migrating from General Purpose to Business Critical in Azure SQL Managed Instance offers performance benefits but also introduces complexities like varying port range requirements. Being aware of these nuances can help avoid hitches like Error 10060. In our case, simply updating the NSG rules and switching the connection type resolved the issue, allowing the customer to take full advantage of the Business Critical tier. By sharing this lesson learned, we hope to assist others in ensuring a smooth and successful migration experience.



Understanding these intricacies can save both time and resources, making your migration experience as seamless as possible.


Version history
Last update:
‎Sep 24 2023 03:56 AM
Updated by: