
Seems like an easy question, but since SQL MI already requires a subnet delegated to it, why would you use a private endpoint? You already have a private IP address, which will keep traffic contained to the Azure backbone. In my case we have a DB used for analytics and we are migrating it to SQL MI since cross-database queries and linked servers are used. Seems like a waste of a subnet to create one only to host the private IP and NIC. Something I'm missing here? An answer would be greatly appreciated.

mac
  • hope [this](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/public-endpoint-overview?view=azuresql) and [this](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/public-endpoint-configure?view=azuresql) can help you – Jayendran May 15 '22 at 06:47
  • I think SQL MI gets a private endpoint by default. Can you reference an article that explains explicit creation of private endpoint for SQL MI? Doco can be quite confusing as seen by some of the comments and answers here. So far none of them address a private endpoint for SQL MI. – Nick.Mc May 16 '22 at 10:55
  • Reading this.... https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql ... I just don't think there is actually any option to give SQL MI an additional private IP because you already have one, as you've already stated – Nick.Mc May 16 '22 at 10:58
  • Thanks for your replies. Looked at it a bit closer and the Private Endpoint option is under Preview so I guess we can table it for now as we only use GA features. Still the question remains as the feature will be available in the future. In our case, and for this app only, SQL MI is for internal use only and we have outside access disabled. – mac May 16 '22 at 23:21
  • Can you post a link to the feature? I agree.... we effectively already have a private endpoint so what's the purpose? – Nick.Mc May 17 '22 at 22:38
  • Here is a link to the documentation on private link and SQL MI: [link](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connection-types-overview?view=azuresql). Interestingly enough, the PE use is related to the Connection Type option taken when configuring SQL MI. – mac May 20 '22 at 17:44
  • In my case, SQL MI is injected into our workload VNET containing our web application VMs. But DBAs want to be able to manage the database from their desktops. The corporate security rules require that any connections to Azure go through an Azure Bastion. The private endpoint needs to be created in that bastion to the SQL MI instance. Without it, we have to create another VM in the workload VNET whose only purpose is to IP forward to SQL MI, and then we can use PE in the bastion -> PLS of the VM -> SQL MI. There's a whole unnecessary layer in there that we can get rid of by using PE. – Chris Jan 30 '23 at 18:51
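To make the scenario in the last comment concrete (a private endpoint placed in a separate management/Bastion VNet so DBAs reach the instance without peering that VNet into the workload VNet, and without a forwarding VM in between), here is an added Bicep example. It is not from the question, the answer, or Microsoft's documentation; every resource ID, name and DNS zone value is a placeholder parameter, and the `managedInstance` group ID and the `privatelink.<dnszone>.database.windows.net` zone name are assumptions about the SQL MI private link sub-resource that should be checked against the current docs before use.

```bicep
// Added example (not from the original page). All IDs/names below are placeholders.
// Deploy into the resource group of the management/Bastion VNet.
param location string = resourceGroup().location

// Resource ID of the existing SQL Managed Instance in the workload VNet (placeholder).
param managedInstanceId string

// The DNS zone segment of the MI host name, e.g. '<mi-name>.<dnsZone>.database.windows.net' (placeholder).
param managedInstanceDnsZone string

// Subnet in the management/Bastion VNet that will host the private endpoint NIC (placeholder).
param mgmtSubnetId string

// The management/Bastion VNet itself, so its resolvers see the private DNS zone (placeholder).
param mgmtVnetId string

// Private endpoint: gives the MI a private IP inside the management VNet. Traffic to it
// can be scoped by the NSG on mgmtSubnetId, independently of the workload VNet's rules.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-sqlmi-mgmt'
  location: location
  properties: {
    subnet: { id: mgmtSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'sqlmi-connection'
        properties: {
          privateLinkServiceId: managedInstanceId
          groupIds: [ 'managedInstance' ] // assumed sub-resource name for SQL MI private link
        }
      }
    ]
  }
}

// Private DNS zone so the MI's public host name resolves to the endpoint's private IP
// from inside the management VNet (assumed zone naming for SQL MI private link).
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.${managedInstanceDnsZone}.database.windows.net'
  location: 'global'
}

// Link the zone to the management VNet only; the workload VNet keeps resolving to
// the instance's own VNet-local address.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-mgmt-vnet'
  location: 'global'
  properties: {
    virtualNetwork: { id: mgmtVnetId }
    registrationEnabled: false
  }
}

// Let the private endpoint write its A record into the zone automatically.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sqlmi'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}

output privateEndpointId string = pe.id
```

The point this illustrates is the one the comment makes: the instance's own delegated subnet already gives it a private IP in the workload VNet, so the endpoint adds nothing there. What it adds is a second, separately governed entry point in a different VNet, which lets the DBA/Bastion network reach the instance without the two VNets being peered or a forwarding VM sitting in the path, and lets the NSG on the endpoint subnet restrict who can reach that entry point.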

1 Answer


A private endpoint is not required to run SQL MI but can be used to accelerate access. The feature is still under review. Here is a link to the documentation on private link and SQL MI: [link](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connection-types-overview?view=azuresql).
The PE use is related to the Connection Type option taken when configuring SQL MI.

mac
  • That doc mentions "a private endpoint", but only in relation to "public endpoint". This is the list of services that have a specific additional service called "private endpoint" that may be added: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource SQL MI isn't in here because a private IP is already built in – Nick.Mc May 21 '22 at 04:25