Relaxed network requirements for Azure SQL Managed Instance
Published Nov 16 2022 07:49 AM
Microsoft

With the November 2022 feature wave Azure SQL Managed Instance introduces a range of security and networking improvements under the hood. We are removing the public management endpoint, narrowing the scope of inbound and outbound rules imposed on its subnets, and even giving the consumption of IP address space a trim. These new features proactively close off potential future exfiltration paths, facilitate security audits, and make it easier to understand which Azure services SQL Managed Instance connects to.


There is no need to enable these features; they are available for all Managed Instances enrolled in the November 2022 feature wave. Even if you do not act, these benefits are still coming your way: eventually all SQL Managed Instances will become enrolled in the wave.


No Public Management Endpoint

Before the November 2022 feature wave, Managed Instances exposed a network endpoint to receive management operations, like resizing the instance or changing service tiers. This management endpoint was a public IP address secured with a firewall and two-way authentication. With the November 2022 feature wave, we are removing this public management endpoint altogether.


The removal of the public management endpoint further reduces the attack surface and makes auditing the security of SQL Managed Instances much simpler.


More Precise NSG Rules

Subnets delegated to SQL Managed Instance will have the "allow" outbound rule to Azure Cloud, port 443, removed from their Network Security Group (NSG) rulesets. This rule will be replaced with a number of narrower outbound rules allowing connections to a precisely defined set of Azure services. This is offset by the removal of a number of now obsolete "allow" inbound rules, bringing the total of mandated NSG rules from 7 down to 6.

                                    Before      November 2022 Feature Wave
NSG rules                           7           6
Allow outbound to AzureCloud:443    Required    Not required


Fewer Mandatory Routes

We are reducing the number of mandated entries in the route table from 13 to 5. Among others, routes and NSG rules to CorpNetPublic and CorpNetSaw are no longer required.

                                    Before      November 2022 Feature Wave
Routes                              13          5
Allow inbound from CorpNet          Required    Not required
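The two tables above name the only concrete items this post calls out: the broad "allow outbound to AzureCloud:443" NSG rule, the obsolete inbound rules from CorpNet, and the CorpNetPublic/CorpNetSaw routes. The following is an added audit example, not Microsoft's code and not a tool shipped with SQL Managed Instance. It reads JSON shaped like the output of `az network nsg rule list -o json` and `az network route-table route list -o json` and reports which of those items are still present on a delegated subnet. The JSON field names, the sample rule and route names, and the set of destination tags treated as "broad" are assumptions of this example; both samples are constructed.

```python
import json

# Constructed sample, shaped like `az network nsg rule list -o json` output.
# Field names follow that output (an assumption of this example); rule names are made up.
SAMPLE_NSG_RULES_JSON = json.dumps([
    {"name": "allow_management_inbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "priority": 100, "sourceAddressPrefix": "CorpNetPublic",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow_tds_inbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "priority": 1000, "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "*", "destinationPortRange": "1433"},
    {"name": "allow_azurecloud_outbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "priority": 200, "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "AzureCloud", "destinationPortRange": "443"},
    {"name": "allow_storage_outbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "priority": 210, "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "Storage", "destinationPortRange": "443"},
])

# Constructed sample, shaped like `az network route-table route list -o json` output.
SAMPLE_ROUTES_JSON = json.dumps([
    {"name": "mi-vnetlocal", "addressPrefix": "10.0.0.0/24", "nextHopType": "VnetLocal"},
    {"name": "mi-CorpNetPublic", "addressPrefix": "CorpNetPublic", "nextHopType": "Internet"},
    {"name": "mi-CorpNetSaw", "addressPrefix": "CorpNetSaw", "nextHopType": "Internet"},
    {"name": "mi-AzureCloud", "addressPrefix": "AzureCloud", "nextHopType": "Internet"},
])

# Destination tags this example treats as "broad" (assumption: the post names only AzureCloud).
BROAD_DEST_TAGS = {"AzureCloud", "Internet", "*"}
# Service tags the post says are no longer required for inbound rules and routes.
OBSOLETE_TAGS = ("CorpNetPublic", "CorpNetSaw")


def _prefixes(rule, key):
    """Collect the single-valued and plural forms of an NSG rule field.

    Azure emits e.g. both destinationAddressPrefix and destinationAddressPrefixes;
    either may be empty, so this merges whatever is populated.
    """
    single = rule.get(key) or ""
    many = rule.get(key + "es") or []
    return [p for p in [single, *many] if p]


def broad_outbound_rules(rules):
    """Names of outbound Allow rules whose destination is a broad tag such as AzureCloud."""
    return [
        r["name"] for r in rules
        if r.get("direction") == "Outbound" and r.get("access") == "Allow"
        and any(d in BROAD_DEST_TAGS for d in _prefixes(r, "destinationAddressPrefix"))
    ]


def obsolete_inbound_rules(rules, tags=OBSOLETE_TAGS):
    """Names of inbound Allow rules sourced from tags the feature wave no longer requires."""
    return [
        r["name"] for r in rules
        if r.get("direction") == "Inbound" and r.get("access") == "Allow"
        and any(s in tags for s in _prefixes(r, "sourceAddressPrefix"))
    ]


def obsolete_routes(routes, tags=OBSOLETE_TAGS):
    """Names of routes whose address prefix is one of the no-longer-required tags."""
    return [rt["name"] for rt in routes if rt.get("addressPrefix") in tags]


def audit(nsg_json, routes_json):
    """Summarise what the post's tables describe: rule/route counts and leftover entries."""
    rules = json.loads(nsg_json)
    routes = json.loads(routes_json)
    return {
        "nsg_rule_count": len(rules),
        "route_count": len(routes),
        "broad_outbound": broad_outbound_rules(rules),
        "obsolete_inbound": obsolete_inbound_rules(rules),
        "obsolete_routes": obsolete_routes(routes),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NSG_RULES_JSON, SAMPLE_ROUTES_JSON), indent=2))
```

The script only flags items this post names; the full set of rules and routes the service mandates after the feature wave is in the connectivity architecture documentation linked under "Further Reading", and a rule that is still present is not necessarily still required, so treat the output as a starting point for review rather than a verdict.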


Fewer IP Addresses

As a bonus, we are reducing the number of required IP addresses in a delegated subnet by 1 for each new SQL Managed Instance deployed therein: from 14 to 13 in the General Purpose service tier and from 16 to 15 in the Business Critical service tier. (Note that with multiple SQL Managed Instances in a subnet, the overall requisition of IP addresses may be smaller than a simple multiple.)


Further Reading

To learn more about how Azure SQL Managed Instance works under the hood and what options you have to connect to it, have a look at its connectivity architecture.


Read more about the November 2022 feature wave to learn how to opt in without waiting for the wave to land on your instances! With this feature wave, you will get a leg up on modernizing your SQL Managed Instances and making them compatible with our upcoming features, like the ability to start and stop and to replicate databases from on-premises directly to Azure!

Last update: Nov 16 2022 07:56 AM