Relaxed network requirements for Azure SQL Managed Instance
Published Nov 16 2022 07:49 AM 1,526 Views
Microsoft

With the November 2022 feature wave Azure SQL Managed Instance introduces a range of security and networking improvements under the hood. We are removing the public management endpoint, narrowing the scope of inbound and outbound rules imposed on its subnets, and even giving the consumption of IP address space a trim. These new features proactively close off potential future exfiltration paths, facilitate security audits, and make it easier to understand which Azure services SQL Managed Instance connects to.

 

There is no need to enable these features; they are available for all Managed Instances enrolled in the November 2022 feature wave. Even if you do not act, these benefits are still coming your way: eventually all SQL Managed Instances will become enrolled in the wave.

 

No Public Management Endpoint

Before the November 2022 feature wave, Managed Instances exposed a network endpoint to receive management operations, like resizing the instance or changing service tiers. This management endpoint was a public IP address secured with a firewall and two-way authentication. With the November 2022 Feature Wave, we are removing this public management point altogether.

 

The removal of public management endpoint further reduces the attack surface and makes auditing the security of SQL Managed Instances much simpler.

 

More Precise NSG Rules

Subnets delegated to SQL Managed Instance will have the "allow" outbound rule to Azure Cloud, port 443, removed from their Network Security Group (NSG) rulesets. This rule will be replaced  with a number of narrower outbound rules allowing connections to a precisely defined set of Azure services. This is counterweighted with the removal of a number of now obsolete "allow" inbound rules, bringing the new total of mandated NSG rules from 7 to 6.

 

 

Before

November 2022

Feature Wave

NSG rules

7

6

    Allow outbound to AzureCloud:443

Required

Not required

 

Fewer Mandatory Routes

We are reducing the number of mandated entries in the route table from 13 to 5. Among others, routes and NSG rules to CorpNetPublic and CorpNetSaw are no longer required.

 

 

Before

November 2022

Feature Wave

Routes

13

5

    Allow inbound from CorpNet

Required

Not required

 

Fewer IP Addresses

As a bonus, we are reducing the number of required IP addresses in a delegated subnet by 1 for each new SQL Managed Instance deployed therein: from 14 to 13 in the General Purpose service tier and from 16 to 15 in the Business Critical service tier. (Note that with multiple SQL Managed Instances in a subnet, the overall requisition of IP addresses may be smaller than a simple multiple.)

 

Further Reading

To learn more about how Azure SQL Managed Instance works under the hood and what options you have to connect to it, have a look at its connectivity architecture.

 

Read more about the November 2022 feature wave to learn how to opt in without waiting for the wave to land on your instances! With this feature wave, you will get a leg up on modernizing your SQL Managed Instances and making them compatible with our upcoming features, like the ability to start and stop and to replicate databases from on-premises directly to Azure!

 

 

Co-Authors
Version history
Last update:
‎Nov 16 2022 07:56 AM
Updated by: