Standing up Azure SQL Managed Instance & Connect to Storage Account

This is a quick article about connecting an Azure SQL Managed Instance to an Azure Storage Account.

When creating an Azure SQL Managed Instance, you have the option of creating a public endpoint and/or configuring the connection type of the private endpoint (as shown below). The default connection type for the private endpoint is Proxy; however, Microsoft recommends the Redirect method.

Using Redirect creates a Network Security Group (NSG) with various security rules. In the outbound rules, I have found that at most two rules need to be added; they are highlighted in the screenshot below. One rule allows any connection from the SQL Managed Instance subnet (172.x.x.x/27, as an example) to the subnet containing the primary NIC of the storage account (172.x.x.0/24). The other rule allows traffic from the MI subnet to the ‘Storage.EastUS’ service tag.

[Screenshot: Partial listing of outbound network security group rules in Azure for a SQL Managed Instance.]

More investigation needs to be completed to tighten down these outbound rules so they target specific ports and, ideally, specific IP addresses. This will evolve…
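As an added example (not from the original post), here are the two outbound rules described above expressed as Azure CLI commands, already tightened to a specific port in the spirit of the previous paragraph. The resource group, NSG name, rule names, priorities and the 172.16.x.x prefixes are placeholders I made up; the `Storage.EastUS` tag is the one from the post. The script assumes the storage traffic is HTTPS on TCP 443, which is what Azure Storage endpoints listen on, so `--destination-port-ranges 443` replaces the "any" of the original rules. By default it only prints the `az` commands (dry run); set `AZ=az` to actually create the rules.

```shell
#!/usr/bin/env sh
# Added example, not the post's own configuration: create the two outbound
# NSG rules for a SQL Managed Instance subnet, scoped to TCP/443 only.
# Every name and prefix below is an assumed placeholder; adjust before use.
set -eu

AZ="${AZ:-echo az}"                 # dry run by default; export AZ=az to apply for real
RG="${RG:-rg-sqlmi-example}"        # assumed resource group
NSG="${NSG:-nsg-sqlmi-example}"     # assumed NSG attached to the MI subnet
MI_SUBNET="${MI_SUBNET:-172.16.1.0/27}"           # constructed: MI subnet (/27 as in the post)
STORAGE_SUBNET="${STORAGE_SUBNET:-172.16.2.0/24}" # constructed: subnet holding the storage account NIC
STORAGE_TAG="${STORAGE_TAG:-Storage.EastUS}"      # regional Storage service tag from the post

# nsg_outbound_allow NAME PRIORITY DEST
#   Emits one outbound Allow rule: MI subnet -> DEST on TCP/443 only.
#   Source ports stay '*' because the client side picks an ephemeral port.
nsg_outbound_allow() {
  name=$1; priority=$2; dest=$3
  $AZ network nsg rule create \
    --resource-group "$RG" \
    --nsg-name "$NSG" \
    --name "$name" \
    --priority "$priority" \
    --direction Outbound \
    --access Allow \
    --protocol Tcp \
    --source-address-prefixes "$MI_SUBNET" \
    --source-port-ranges '*' \
    --destination-address-prefixes "$dest" \
    --destination-port-ranges 443
}

# add_mi_storage_rules: the two rules the post describes, port-restricted.
#   Rule 1: MI subnet -> subnet with the storage account NIC (IP-scoped).
#   Rule 2: MI subnet -> Storage.EastUS service tag (covers the regional
#           storage endpoints, which the service tag keeps up to date).
add_mi_storage_rules() {
  nsg_outbound_allow "allow-mi-to-storage-nic-subnet" 1100 "$STORAGE_SUBNET"
  nsg_outbound_allow "allow-mi-to-storage-servicetag" 1110 "$STORAGE_TAG"
}

add_mi_storage_rules
```

Running the script as-is prints the two `az network nsg rule create` invocations so they can be reviewed before anything touches the subscription; `AZ=az sh script.sh` applies them. The priorities (1100, 1110) are arbitrary but must not collide with the mandatory rules Azure places in the MI subnet's NSG, so check the existing rule list first.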
