This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC2%3C/text%3E%3C/svg%3E)
We have a SQL Managed Instance that is configured behind a vNet.
We attempted to deploy dacpacs via DevOps, using Azure hosted agents. The deployment fails, which looks like is due to the MI having the public endpoint disabled. Even though public endpoint is disabled, we tried to add the DevOps service tag to our NSG, which should allow the traffic through, but it still fails.
When we enable the public endpoint (port 3342), the dacpac deployments work.
What is the ideal configuration to have private dacpac deployments so they're private and not using the public endpoint? Is hosting our own DevOps agent on the same vNet as the Managed Instance the only option?
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Following up to see if the above suggestion was helpful. If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
Hey,
Based on my understanding you would have to set up your own agent within the Vnet of managed instance is the only option similar to below post :
https://datasharkx.wordpress.com/2021/05/28/automated-deployment-of-sql-server-database-through-azure-devops/
Thank you. What is the DevOps service tag for then? I would think it should allow traffic to the SQL MI even behind a vNet.
Thanks for posting this question in Microsoft Q&A platform
I am checking on your ask internally and will get back to you with an update.
Thanks for your patience.
Thanks for your patience.
Unless something changed, the Microsoft-hosted agent does not have VNet integration capabilities and for that reason they cannot connect to SQL MI via the private endpoint. Users can deploy their own agent (self-host) in an Azure VM and have that VM to MI communication happen via the VNet private endpoint. Azure Pipelines Agents - Azure Pipelines | Microsoft Learn
Regarding Azure Devops, we have a dedicated support channel for DevOps issues. I would request you to post your query in this DevOps channel so that someone from the dedicated DevOps team can assist you on the Devops part of it.
Thanks for your support and understanding.
Hope this will help. Please let us know if any further queries.
------------------------------
or upvote 
button whenever the information provided helps you.