Note
As of early August 2023, support for private endpoints for Azure SQL Managed Instance is generally available (GA).
Read the GA announcement at Private endpoints GA for Azure SQL Managed Instance (microsoft.com).
In this article we'll explain private endpoints, a feature of Azure SQL Managed Instance that was in Public Preview when this article was written (see the note above for GA). Private endpoints rely on Azure Private Link technology to establish private connectivity between your Azure SQL Managed Instance and a virtual network of the consumer's choosing, without peering the two networks.
A common network design pattern (and sane security practice) is to slice up your network space into zones with controlled access. For example, your databases would reside in one network zone; your applications producing or consuming this data in another; and, if your network needs to talk to the "outside world" (i.e. Internet), you'd have a zone for that, as well.
But then, how do our applications query our SQL database if we have fenced them off? Traditionally, we would do this by configuring custom routes and firewalls, setting up network peering, a public IP address, or a VPN gateway. All these methods have their place, but they have one thing in common: they configure how your networks behave, not how your services talk to each other.
Enter private endpoints. A private endpoint brings a service into your virtual network – in the immediate vicinity of its consumer applications. It appears as a humble local service listening for traffic on a local IP address and port. When an application connects, the private endpoint carries this traffic underneath any and all virtual network fences, over the Microsoft backbone rather than the public Internet, straight to the remote service. As far as consumer applications are concerned, they are talking to a locally deployed service in the same security zone!
Naturally, we cannot just create an endpoint to anywhere in Azure. Anyone trying to drop a private endpoint to our SQL in their virtual network must of course first know its resource ID, and then ask us – the SQL administrator – to approve the connection. We review this as a request to connect from a particular virtual network to a particular SQL Managed Instance, along with a written message, so we think about who and what rather than where and how. Plus, it is a more flexible method to connect services than configuring traffic filtering or defining custom routes.
Consider revisiting your existing network topology with private endpoints in mind – especially if your network zoning is threatening to exhaust your IP address space. With private endpoints, you can keep your Azure SQL Managed Instance in a virtual network entirely unto itself and only make it available where and when needed with a single static IP address right next to the apps consuming it.
If you need to make your Azure SQL Managed Instance available to different Azure tenants, private endpoints can also help you with that. You just need to share your managed instance's resource ID and the other party can issue a request to deploy a private endpoint to it. Or, even better – create a virtual network for them, populate it with private endpoints, and share via peering or VPN.
We explain these scenarios and more in Azure Private Link and private endpoints.
Creating a private endpoint is pretty simple:
And then to use this private endpoint, you just direct your application at the managed instance's regular domain name. Inside the consumer virtual network that name resolves to the private endpoint's IP address, and your application is none the wiser :)
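The two steps above (request the endpoint from the consumer side, approve it on the instance side, then point the app at the regular domain name) as an Azure CLI walkthrough. This is an added example, not code from the original post; every resource name, the subscription ID and the region are placeholders, and the `managedInstance` group id, the `privatelink.<dns zone>.database.windows.net` zone name and the generic `private-endpoint-connection` approval command are the values the example assumes apply to SQL Managed Instance. The last function is the check a practitioner wants: from a VM in the consumer VNet the instance FQDN must resolve to a private (RFC 1918) address, and port 1433 must answer.

```shell
#!/bin/sh
# Added example (not from the original post): request, approve and verify a
# private endpoint from a consumer VNet to an Azure SQL Managed Instance.
# All names and IDs below are placeholder assumptions; replace them.
set -eu

MI_NAME="${MI_NAME:-sqlmi-demo}"        # provider side (database zone)
MI_RG="${MI_RG:-rg-data}"
APP_RG="${APP_RG:-rg-app}"              # consumer side (application zone)
APP_VNET="${APP_VNET:-vnet-app}"
APP_SUBNET="${APP_SUBNET:-snet-pe}"
PE_NAME="${PE_NAME:-pe-sqlmi-demo}"
LOCATION="${LOCATION:-westeurope}"
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints az commands instead of running them

# run: execute an az command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The instance resource ID is the one thing the consumer team needs from the
# SQL administrator to be able to request an endpoint.
mi_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/managedInstances/%s\n' \
    "$1" "$MI_RG" "$MI_NAME"
}

# Assumption: the private DNS zone is the instance's DNS zone prefixed with
# "privatelink.", e.g. sqlmi-demo.abc123.database.windows.net
#                   -> privatelink.abc123.database.windows.net
privatelink_zone_for() {
  printf 'privatelink.%s\n' "${1#*.}"
}

# Consumer side: request the endpoint. "managedInstance" is assumed to be the
# SQL MI sub-resource (group id). --manual-request keeps it a request the SQL
# admin must approve; --request-message carries the "who and what".
create_private_endpoint() {
  run az network private-endpoint create -g "$APP_RG" -n "$PE_NAME" -l "$LOCATION" \
    --vnet-name "$APP_VNET" --subnet "$APP_SUBNET" \
    --private-connection-resource-id "$1" --group-id managedInstance \
    --connection-name "conn-$APP_VNET" --manual-request true \
    --request-message "app team: read/write from $APP_VNET"
}

# Provider side: list pending connections on the instance and approve them.
# The JMESPath filter and the use of the generic command against a managed
# instance are assumptions; approve in the portal if your CLI rejects them.
list_pending_connections() {
  run az network private-endpoint-connection list --id "$1" \
    --query "[?properties.privateLinkServiceConnectionState.status=='Pending'].id" -o tsv
}
approve_connection() {
  run az network private-endpoint-connection approve --id "$1" \
    --description "approved for $APP_VNET"
}

# Consumer side: private DNS zone + VNet link + zone group, so the instance's
# regular FQDN resolves to the endpoint's private IP inside APP_VNET.
create_private_dns() {
  zone="$(privatelink_zone_for "$1")"
  run az network private-dns zone create -g "$APP_RG" -n "$zone"
  run az network private-dns link vnet create -g "$APP_RG" -z "$zone" \
    -n "link-$APP_VNET" -v "$APP_VNET" -e false
  run az network private-endpoint dns-zone-group create -g "$APP_RG" \
    --endpoint-name "$PE_NAME" -n default --private-dns-zone "$zone" --zone-name sqlmi
}

# Check helper: true only for RFC 1918 IPv4 addresses (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  case "$1" in
    10) return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Run from a VM in APP_VNET: the FQDN must resolve privately and 1433 must answer.
verify_from_consumer() {
  ip="$(getent hosts "$1" | awk '{print $1; exit}')"
  is_rfc1918 "$ip" || { echo "$1 resolved to $ip, not a private address" >&2; return 1; }
  nc -z -v -w 5 "$1" 1433
}

main() {
  sub="$(az account show --query id -o tsv)"
  mi_id="$(mi_resource_id "$sub")"
  fqdn="$(az sql mi show -g "$MI_RG" -n "$MI_NAME" --query fullyQualifiedDomainName -o tsv)"
  create_private_endpoint "$mi_id"
  for conn in $(list_pending_connections "$mi_id"); do approve_connection "$conn"; done
  create_private_dns "$fqdn"
  verify_from_consumer "$fqdn"
}

# Only act when asked (APPLY=1), so the file can be sourced for its functions.
if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Run it with `APPLY=1 sh pe-sqlmi.sh` from a machine logged in with `az login`, or `DRY_RUN=1` to review the commands first. The consumer-side and provider-side functions would normally be run by two different teams, matching the request/approve split described above. Two things worth checking on the consumer subnet: that private endpoint network policies are enabled if you expect NSG rules to apply to the endpoint's traffic, and that the instance FQDN resolves to the endpoint address (the `verify_from_consumer` check) before you cut applications over.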
Keep in mind that private endpoints are in Public Preview for Azure SQL Managed Instance at the time of writing (late March 2023).
Private endpoints are just one benefit of infrastructure at scale you get when you run your workloads in the cloud. Be on the lookout for more news about Azure SQL Managed Instance's security and connectivity. We have some pretty exciting stuff lined up!