Private endpoints for Azure SQL Managed Instance
Published Mar 29 2023 05:18 AM
Microsoft

Note

As of early August 2023, support for private endpoints for Azure SQL Managed Instance is generally available (GA).

Read the GA announcement at Private endpoints GA for Azure SQL Managed Instance (microsoft.com).

 

In this article we'll explain private endpoints, a new feature of Azure SQL Managed Instance currently in Public Preview. Private endpoints rely on Azure Private Link technology to establish secure connectivity between your Azure SQL Managed Instance and another virtual network.

 

If you'd prefer to watch a video instead of reading, we've got you covered:

 

How we usually secure and interconnect services

 

A common network design pattern (and sane security practice) is to slice up your network space into zones with controlled access. For example, your databases would reside in one network zone; your applications producing or consuming this data in another; and, if your network needs to talk to the "outside world" (i.e. Internet), you'd have a zone for that, as well.

 

But then, how do our applications query our SQL database if we have fenced them off? Traditionally, we would do this by configuring custom routes and firewalls, setting up network peering, a public IP address, or a VPN gateway. All these methods have their place, but they have one thing in common: they configure how your networks behave, not how your services talk to each other.

 

Private endpoints shake things up

 

Enter private endpoints. A private endpoint brings a service into your virtual network – in the immediate vicinity of its consumer applications. It appears as a humble local service listening for traffic on a local IP address and port. When an application connects, private endpoint tunnels this traffic underneath any and all virtual network fences and brings it straight to the remote service. As far as consumer applications are concerned, they are talking to a locally deployed service in the same security zone!

 

A private endpoint brings a remote service into a virtual network.

 

 

Naturally, we cannot just create an endpoint to anywhere in Azure. Anyone trying to drop a private endpoint to our SQL in their virtual network must of course first know that it exists, and then ask us – the SQL administrator – to let them do so. We review this as a request to connect from a virtual network to a particular SQL Managed Instance along with a written message, so we think about who and what rather than where and how. Plus, it is a more flexible method to connect services than configuring traffic filtering or defining custom routes.

 

Why use private endpoints with Azure SQL Managed Instance

 

Consider revisiting your existing network topology with private endpoints in mind – especially if your network zoning is threatening to exhaust your IP address space. With private endpoints, you can keep your Azure SQL Managed Instance in a virtual network entirely unto itself and only make it available where and when needed with a single static IP address right next to the apps consuming it.

 

Scenarios where private endpoints to Azure SQL Managed Instance are of particular use include: hub and spokes topology, ISVs, instance isolation, and conservation of IP address space.

 

If you need to make your Azure SQL Managed Instance available to different Azure tenants, private endpoints can also help you with that. You just need to share your managed instance's resource ID and the other party can issue a request to deploy a private endpoint to it. Or, even better – create a virtual network for them, populate it with private endpoints, and share via peering or VPN.

 

We explain these scenarios and more in Azure Private Link and private endpoints.

 

How to use private endpoints with Azure SQL Managed Instance

 

Creating a private endpoint is pretty simple:

  1. Go to Private Link Center, or visit your managed instance's Private endpoint connections blade.
  2. Hit Create and fill in:
    • Basics with the name of your private endpoint and its region;
    • Resource with the managed instance you're connecting;
    • Virtual network with the network you're deploying this private endpoint into;
    • DNS integration should be turned on if available – if not, see here how to do it by hand;
  3. In Review + create, hit Create and give it a couple of seconds.

And then to use this private endpoint, you would just direct your application to the managed instance's domain name. It automagically resolves to the private endpoint and your application is none the wiser :)
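As an added example (not the article's own script, nor a Microsoft-published one), the same three portal steps plus the by-hand DNS integration and a resolution check, written for the Azure CLI. The resource group, virtual network, subnet and instance names are placeholder assumptions, and the approval step assumes you are also the instance owner reviewing the request:

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal walkthrough above.
# Resource names below are placeholder assumptions; override them via the environment.
RG=${RG:-rg-consumer}                      # resource group for the endpoint and DNS zone
VNET=${VNET:-vnet-apps}                    # consumer virtual network ("Virtual network" step)
SUBNET=${SUBNET:-snet-endpoints}           # subnet that receives the endpoint's private IP
MI_RG=${MI_RG:-rg-sql}                     # resource group of the managed instance
MI_NAME=${MI_NAME:-mi-prod}                # managed instance ("Resource" step)
PE_NAME=${PE_NAME:-pe-${MI_NAME}}          # private endpoint name ("Basics" step)

# An instance FQDN has the shape <name>.<dnszone>.database.windows.net; the matching private
# DNS zone is privatelink.<dnszone>.database.windows.net and the A record inside it is <name>.
privatelink_zone() {
  case "$1" in
    *.*.database.windows.net) echo "privatelink.${1#*.}" ;;
    *) echo "not a managed instance FQDN: $1" >&2; return 1 ;;
  esac
}
mi_record_name() { echo "${1%%.*}"; }

deploy() {
  mi_id=$(az sql mi show -g "$MI_RG" -n "$MI_NAME" --query id -o tsv)
  mi_fqdn=$(az sql mi show -g "$MI_RG" -n "$MI_NAME" --query fullyQualifiedDomainName -o tsv)
  zone=$(privatelink_zone "$mi_fqdn") || exit 1

  # 1. Request the endpoint; the message is what the instance owner reads when reviewing it.
  az network private-endpoint create -g "$RG" -n "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$mi_id" --group-id managedInstance \
    --connection-name "${PE_NAME}-conn" --request-message "app tier needs SQL access"

  # 2. Owner side: list connection requests on the instance and approve the one just made.
  conn_id=$(az network private-endpoint-connection list --id "$mi_id" \
    --query "[?contains(id, '${PE_NAME}')].id" -o tsv)
  az network private-endpoint-connection approve --id "$conn_id" --description "reviewed"

  # 3. DNS integration by hand: zone, VNet link, and a zone group that manages the A record.
  az network private-dns zone create -g "$RG" -n "$zone"
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "${VNET}-link" -v "$VNET" -e false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$zone" --zone-name sql

  # 4. Check: from inside the VNet, the instance FQDN must now resolve to the endpoint's IP.
  pe_ip=$(az network private-endpoint show -g "$RG" -n "$PE_NAME" \
    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv)
  echo "expect $(mi_record_name "$mi_fqdn") in $zone -> $pe_ip (verify: nslookup $mi_fqdn from a VM in $VNET)"
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

Run with `sh script.sh deploy` after `az login`; without the argument only the helper functions are defined, so the DNS-name derivation can be checked offline.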

 

What's next?

 

Keep in mind that private endpoints are in Public Preview for Azure SQL Managed Instance at the time of writing (late March 2023).

 

Private endpoints are just one benefit of infrastructure at scale you get when you run your workloads in the cloud. Be on the lookout for more news about Azure SQL Managed Instance's security and connectivity. We have some pretty exciting stuff lined up!

 

Last update: Aug 10 2023 06:25 AM