Public endpoint for SQL Database Managed Instance is available as of today
Published Apr 11 2019 09:36 AM
Microsoft
(originally published on April 11, 2019)
 
Public endpoint for Azure SQL Database Managed Instance provides the ability to connect to a managed instance from the Internet without a VPN, and it is for data (TDS) traffic only. The public endpoint can coexist with the private endpoint, which stays in service. With global availability as of today, this feature supports many new integration scenarios. For security reasons, the implementation enforces Separation of Duties (SoD) between a database administrator and a network administrator: neither role can expose the instance to the Internet on its own.
 
The public endpoint for managed instance can today be enabled/disabled via PowerShell script. The support for Azure portal will be coming within the next two weeks or so, as soon as all updates are rolled out. Update (May 7, 2019): Configuration of public endpoint for Managed Instance is now also available via Azure portal, see Configure public endpoint in Azure SQL Database managed instance.
 
Security requirements and separation of duties
 
To enable the public endpoint for a managed instance, two steps are required, and for separation of duties two separate roles with the following database and network permissions perform them:
 
  • Database administrator with RBAC permissions in scope Microsoft.Sql/managedInstances/* runs a PowerShell script that enables the public endpoint on the managed instance. The endpoint is not reachable from the Internet until the network administrator completes the second step.
  • Network administrator with RBAC permissions in scope Microsoft.Network/* opens port 3342, the port used by the public endpoint, on the NSG, and provides a UDR route to avoid asymmetric routing.
 
Enable public endpoint for data

 

To enable public endpoint for data, please follow these steps:

 

1. Database administrator with appropriate permissions executes the PowerShell script below. Replace {subscription-id} with your subscription, {rg-name} with the resource group to which the managed instance was deployed, and {mi-name} with the name of your managed instance.

 

# Install the Az module once, then load the Accounts and Sql sub-modules
Install-Module -Name Az
Import-Module Az.Accounts
Import-Module Az.Sql
# Sign in and select the subscription that holds the managed instance
Connect-AzAccount
Select-AzSubscription -SubscriptionId {subscription-id}
# Step 1: enable the public data endpoint on the instance.
# It stays unreachable from the Internet until the NSG rule in step 2 is in place.
$mi = Get-AzSqlInstance -ResourceGroupName {rg-name} -Name {mi-name}
$mi = $mi | Set-AzSqlInstance -PublicDataEndpointEnabled $true -Force

 

2. Network administrator with appropriate permissions sets up an NSG rule that allows inbound traffic on port 3342. You can follow this guide. Scope the rule's source address prefix to the client IP ranges that actually need access rather than to any source: once step 1 is done, this NSG rule is the only control between the Internet and the TDS listener.

 

Please note the port 3342 is used for public endpoint TDS connections to managed instance. This port cannot be customized. 

 

The above steps complete the process of enabling public endpoint for managed instance.
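As an added example, not code from the original post, the script below runs both steps of the procedure above in one place, each under the role that holds the matching RBAC scope, and checks the current state first so that re-running it neither re-enables the endpoint nor adds a duplicate NSG rule. The subscription id, resource names, NSG name, rule name, rule priority and allowed client range in $cfg are placeholders, not real resources; the NSG is assumed to be the one on the managed instance subnet, and the priority is assumed not to collide with rules already on it. The UDR change mentioned in the separation-of-duties section depends on the subnet's existing route table and is not shown.

```powershell
# Added example, not code from the original post: both steps of the enable procedure,
# each under the role that holds the matching RBAC scope, with state checks so the
# script is safe to re-run. Every value in $cfg is a placeholder.
$cfg = @{
    SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
    ResourceGroup  = 'rg-mi-demo'                             # placeholder
    InstanceName   = 'mi-demo'                                # placeholder
    NsgName        = 'nsg-mi-demo'                            # NSG on the managed instance subnet (assumed name)
    AllowedSource  = '203.0.113.0/24'                         # client range allowed to reach 3342 (TEST-NET-3 placeholder)
    RulePriority   = 1300                                     # assumed free; must not collide with existing rules
}

Connect-AzAccount
Set-AzContext -Subscription $cfg.SubscriptionId

# --- Step 1: database administrator (scope Microsoft.Sql/managedInstances/*) ---
$mi = Get-AzSqlInstance -ResourceGroupName $cfg.ResourceGroup -Name $cfg.InstanceName
if (-not $mi.PublicDataEndpointEnabled) {
    $mi = $mi | Set-AzSqlInstance -PublicDataEndpointEnabled $true -Force
}
# The endpoint is enabled but still unreachable from the Internet until step 2.
"PublicDataEndpointEnabled = $($mi.PublicDataEndpointEnabled)"

# --- Step 2: network administrator (scope Microsoft.Network/*) ---
$ruleName = 'allow_public_endpoint_inbound'   # assumed rule name
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $cfg.ResourceGroup -Name $cfg.NsgName
if ($nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName }) {
    "NSG rule '$ruleName' already exists on $($nsg.Name)"
} else {
    # Allow tcp/3342 only from the approved client range, never from '*' (any source).
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName `
        -Description 'TDS to managed instance public endpoint from approved client range only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $cfg.RulePriority `
        -SourceAddressPrefix $cfg.AllowedSource -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3342 | Out-Null
    $nsg = $nsg | Set-AzNetworkSecurityGroup
    "Added NSG rule '$ruleName' (source $($cfg.AllowedSource) -> tcp/3342)"
}
```

In practice the two halves would be run by two different people; they are combined here only to show the complete sequence and the state each step leaves behind. Removing the NSG rule again with Remove-AzNetworkSecurityRuleConfig closes the endpoint to the Internet even if the database administrator has not yet disabled it.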

 

Use public endpoint from clients

 

To access a managed instance from clients through the Internet, your application(s) must use a host name of the following format: ".public" is inserted after the managed instance name, and port 3342 is appended after a comma:

 

<mi-name>.public.<dns-zone>.database.windows.net,3342
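As an added example, not code from the original post, the following PowerShell derives the public endpoint name from an instance's private FQDN (the DNS zone is the same in both names) and opens a TDS connection through it with TLS required and certificate validation left on, since the endpoint is reachable from the Internet. It then reads back from sys.dm_exec_connections whether the session is encrypted and which client address the server saw. The FQDN, login and password are placeholders; System.Data.SqlClient is assumed to be available (it is on Windows PowerShell and PowerShell 7 on Windows).

```powershell
# Added example, not code from the original post. Placeholders: the FQDN, login and password.
function Get-MiPublicEndpoint {
    param([Parameter(Mandatory)][string]$PrivateFqdn)
    # Private:  <mi-name>.<dns-zone>.database.windows.net
    # Public:   <mi-name>.public.<dns-zone>.database.windows.net,3342  (port is fixed)
    if ($PrivateFqdn -match '^(?<name>[^.]+)\.(?<zone>[^.]+)\.database\.windows\.net$') {
        return ('{0}.public.{1}.database.windows.net,3342' -f $Matches.name, $Matches.zone)
    }
    throw "Not a managed instance FQDN: $PrivateFqdn"
}

$server = Get-MiPublicEndpoint -PrivateFqdn 'mi-demo.a1b2c3d4e5f6.database.windows.net'   # placeholder FQDN

# Encrypt=True and TrustServerCertificate=False: TLS is mandatory and the server
# certificate is validated, so a man-in-the-middle on the Internet path cannot downgrade
# or impersonate the endpoint. Login and password are placeholders.
$cs = "Server=tcp:$server;Database=master;Encrypt=True;TrustServerCertificate=False;" +
      "Connection Timeout=30;User ID=<sql-login>;Password=<password>"

$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Confirm from the server side that this session is encrypted and see the
    # source address it arrived from (the client's public IP for an Internet connection).
    $cmd.CommandText = @"
SELECT @@SERVERNAME AS server_name, encrypt_option, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
"@
    $r = $cmd.ExecuteReader()
    if ($r.Read()) {
        'Connected to {0}; encrypt_option={1}; client_net_address={2}' -f `
            $r['server_name'], $r['encrypt_option'], $r['client_net_address']
    }
    $r.Close()
} finally {
    $conn.Dispose()
}
```

The same host name and port go into the SSMS "Server name" box. If the connection attempt times out rather than failing authentication, the endpoint is typically enabled but the NSG rule from step 2 is missing or does not cover the client's source address.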

 

See the example of connecting with SSMS through the public endpoint to managed instance in the image below.

 

[image: SSMS Connect to Server dialog using the public endpoint host name and port 3342]

Disable public endpoint

 

In case you need to disable the public endpoint, the database administrator executes the following PowerShell command (replace {rg-name} and {mi-name} as in the enable step):

 

# Disable the public data endpoint; the instance must be identified by resource group and name
Set-AzSqlInstance -ResourceGroupName {rg-name} -Name {mi-name} -PublicDataEndpointEnabled $false -Force
 

In addition, the network administrator removes the NSG rule for inbound port 3342, so that neither half of the configuration is left behind.

 

Product road map
 

As soon as all updates are rolled out, it will also be possible to enable/disable the public endpoint from the Azure portal (within the Managed Instance resource, under Virtual network). In addition, the option to enable/disable the public endpoint will also be shown when creating a new Managed Instance.

 
Public endpoint feature for managed instance is now a production ready service. Documentation and further announcements will follow. Update (May 7, 2019): Public documentation is now available, see Configure public endpoint in Azure SQL Database managed instance.

Azure SQL Database Managed Instance Product Group
4 Comments
Microsoft

Please mention the ,3342 format so that users can understand it and do not have to figure it out from this blog

Microsoft

@Sumit Kute  Thank you for your feedback. Please let me know where exactly you meant to mention ,3342? As this is mentioned in this blog post, I presume you might perhaps be asking about it in the portal, or some other place? Can you please clarify. Thank you.

Microsoft

Yes. Sorry missed it, I mean in Azure Docs.

Microsoft

@Sumit Kute. Thanks. Public documentation in Azure docs does specify port 3342 needs to be used for the connection.

Version history
Last update: Jul 23 2019 11:53 AM