How to find the outbound IPs for Azure SQL Managed Instance?

Mikael Syska 31 Reputation points

We are moving our old SQL Server to Azure SQL Managed Instance. We use linked servers, but for security we need to whitelist where the Managed Instance is connecting from(The outbound IP of the MI).

I can't find any information about what outbound IPs is used or if this is even possible. Other than the public Managed IP is shared and the hostname is used to connect to my Managed Instance. But this is the other way ...

The linked servers needs to be added to the Managed Instance and the other SQL servers is on-premise, hence the reason we need to whitelist the IPs the Managed Instance is connecting from.

Yes, this is legacy with the Linked Server, I also want them to remove them ... but that's a task for future ME to solve.

For App Service, I know about this:…

PS. A VPN is not an option connecting the vnet in Azure to on-premise network.

So I was hoping there was something similar to get the outbound ip for an Azure SQL MI. There most be some hidden information I'm missing....

A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
567 questions
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
11,003 questions
{count} votes

2 answers

Sort by: Most helpful
  1. GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

    @Mikael Syska At present, SQL MI only supports default outbound access which cannot guarantee a known, static outbound IP address. This means that the incoming connection on the on-prem side will be seen as arriving from an arbitrary IP address in the Azure cloud range.

    We do have plans to introduce support for NAT gateways natively in SQL MI subnets much like what App Service does. Until then, you can use Azure Firewall and a NAT gateway in combination to achieve the same effect.

    This is discussed in some detail at Scenarios with private endpoints to Azure SQL Managed Instance, scenario #2

    I hope this information helps.



    0 comments No comments

  2. GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

    @Mikael Syska With default outbound access, Azure makes no guarantee that the source IP address will come from any particular range narrower than AzureCloud, nor that it will stay unchanged for any period of time:

    Unfortunately, default outbound access is the only supported outbound mechanism for SQL MI, at least until support for NAT gateways rolls out.

     Have you considered Azure Firewall Basic? It is less expensive than Standard, also supports outbound sNAT, and if multiple SQL MIs are in its virtual network, will handle outbound traffic for all of those.



    0 comments No comments