One of the networking requirements for the Azure SQL Managed Instance is to have UDR 0.0.0.0/Next hop internet that enables access from the private subnet that belongs to Azure VNet and public internet.
Why is this required and what are the risks?
This rule was meant to simply override common BGP advertisements that could cause asymmetric routing and interfere with the management traffic.
In the case of BGP advertisement of more specific prefixes, this would not be enough to ensure management traffic flow, and you will need to define UDRs to override the advertised prefixes.
Note that the 0.0.0.0/0 next hop type Internet rule doesn't route all traffic to the Internet. The next hop is always another device – in this case the Internet Gateway that is located inside Azure. It is called Internet Gateway as it handles routing to public Azure IP addresses. As these IP addresses mostly belong to Azure services collocated with Managed Instance, the network traffic, which always finds the shortest path, stays inside Azure.
Managed Instance needs public Internet access for certificate revocation verification, and this is done over the public Internet. Certificate revocation information is made public, so no secrets are sent or received that way. Certificate verification information is also signed, to prevent tampering.
You could set a limited set of other UDRs besides 0.0.0.0 Next hop internet:
*The exception is the Managed Instance subnet destination, which must have next hop type Virtual network – otherwise the connections between the Managed Instances could be broken.
This constraint will be relaxed or removed in the future so always check the Azure SQL Managed Instance documentation for the update.
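To make the route-selection argument in the answer above concrete, here is an added Python example (not code from the original answer or from Microsoft). It resolves the effective route for a destination the way Azure does (longest prefix first; on equal length a user-defined route beats a BGP-learned route, which beats a system route) over a constructed route set, then audits a Managed Instance subnet against the three points above: the 0.0.0.0/0 → Internet UDR exists, the MI subnet itself stays on the virtual network, and a more-specific BGP prefix does not pull management traffic towards the gateway. The 10.0.0.0/16 VNet, the 10.0.1.0/24 MI subnet and the 203.0.113.0/24 prefix standing in for a public Azure address range are constructed placeholders; the `nextHopType` and `source` strings follow the Azure CLI effective-route naming (`VnetLocal`, `Internet`, `VirtualNetworkGateway`; sources `Default`, `User`, `VirtualNetworkGateway`).

```python
import ipaddress

# Azure tie-break among routes with the same prefix length:
# user-defined routes beat BGP-learned routes, which beat system routes.
SOURCE_PRIORITY = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}


def effective_route(destination, routes):
    """Return the route Azure would apply for `destination`:
    longest prefix wins; on equal length, the higher-priority source wins."""
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r["addressPrefix"])
        if dst not in net:
            continue
        key = (net.prefixlen, SOURCE_PRIORITY[r["source"]])
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def audit_mi_routes(mi_subnet_prefix, routes, sample_destinations):
    """Findings for a Managed Instance subnet's route set:
    - a user route 0.0.0.0/0 -> Internet must exist;
    - traffic to the MI subnet itself must stay on the VNet (VnetLocal);
    - each sample public destination must resolve to the Internet next hop,
      otherwise a more-specific BGP prefix is diverting management traffic
      and a matching UDR -> Internet is needed to override it."""
    findings = []
    if not any(r["source"] == "User" and r["addressPrefix"] == "0.0.0.0/0"
               and r["nextHopType"] == "Internet" for r in routes):
        findings.append("missing user route 0.0.0.0/0 -> Internet")
    probe = str(ipaddress.ip_network(mi_subnet_prefix)[1])  # first host in subnet
    mi_route = effective_route(probe, routes)
    if mi_route is None or mi_route["nextHopType"] != "VnetLocal":
        findings.append(f"MI subnet {mi_subnet_prefix} is not routed via VnetLocal")
    for dest in sample_destinations:
        r = effective_route(dest, routes)
        if r is None:
            findings.append(f"{dest} has no matching route")
        elif r["nextHopType"] != "Internet":
            findings.append(
                f"{dest} resolves to {r['addressPrefix']} -> {r['nextHopType']} "
                f"(source {r['source']}); add UDR {r['addressPrefix']} -> Internet")
    return findings


# Constructed sample data (placeholders, not real Azure prefixes).
MI_SUBNET = "10.0.1.0/24"
BASE_ROUTES = [
    # system route for the VNet address space
    {"addressPrefix": "10.0.0.0/16", "nextHopType": "VnetLocal", "source": "Default"},
    # the UDR the Managed Instance requirement asks for
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "source": "User"},
    # BGP from on-premises advertising a default route ...
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualNetworkGateway",
     "source": "VirtualNetworkGateway"},
    # ... and a more specific prefix overlapping a "public Azure" range
    {"addressPrefix": "203.0.113.0/24", "nextHopType": "VirtualNetworkGateway",
     "source": "VirtualNetworkGateway"},
]
# The UDR that overrides the more-specific BGP advertisement.
OVERRIDE_UDR = {"addressPrefix": "203.0.113.0/24", "nextHopType": "Internet",
                "source": "User"}
MANAGEMENT_SAMPLES = ["203.0.113.10"]  # constructed management endpoint address


if __name__ == "__main__":
    print("before override:", audit_mi_routes(MI_SUBNET, BASE_ROUTES, MANAGEMENT_SAMPLES))
    print("after override: ", audit_mi_routes(MI_SUBNET, BASE_ROUTES + [OVERRIDE_UDR],
                                              MANAGEMENT_SAMPLES))
```

With the base route set the audit reports that 203.0.113.10 would be sent to the virtual network gateway because the /24 BGP prefix out-ranks the /0 user route; appending the matching UDR clears the finding, which is exactly the "define UDRs to override the advertised prefixes" step in the answer. The 0.0.0.0/0 BGP default, by contrast, is already neutralised by the 0.0.0.0/0 UDR on source priority alone.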