How to find the outbound IPs for Azure SQL Managed Instance?

Question

How to find the outbound IPs for Azure SQL Managed Instance?

Mikael Syska 31

We are moving our old SQL Server to Azure SQL Managed Instance. We use linked servers, but for security we need to whitelist where the Managed Instance is connecting from(The outbound IP of the MI).

I can't find any information about what outbound IPs is used or if this is even possible. Other than the public Managed IP is shared and the hostname is used to connect to my Managed Instance. But this is the other way ...

The linked servers needs to be added to the Managed Instance and the other SQL servers is on-premise, hence the reason we need to whitelist the IPs the Managed Instance is connecting from.

Yes, this is legacy with the Linked Server, I also want them to remove them ... but that's a task for future ME to solve.

For App Service, I know about this: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips…

PS. A VPN is not an option connecting the vnet in Azure to on-premise network.

So I was hoping there was something similar to get the outbound ip for an Azure SQL MI. There most be some hidden information I'm missing....

GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-11T19:08:09.8166667+00:00

Hi @Mikael Syska Thanks for posting your question in the Microsoft Q&A forum.

How are the on-prem network and the MI VNet connected, and how does the MI reach the on-prem SQL Server?

If there is no ExpressRoute / VPN / peering in the picture, then MI will use the default outbound access https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access, which means that there won't be a known and stable source IP address for the on-prem network to see.

Regards

Geetha
GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-12T13:31:52.51+00:00

@Mikael Syska I am checking to see if you got a chance to look into my above response. Please let me know if you have any further questions.

Regards

Geetha
Mikael Syska 31 Reputation points

2023-09-15T12:25:24.37+00:00

@GeethaThatipatri-MSFT

The on-prem and MI VNet is connected over the public internet, No VPN.

The issue we are looking into is "how are we going to connect the MI to the on-prem" in a EASY and Secure way ...

The Azure Firewall is even more expensive than the MI ...

I'm looking into the different options you wrote about. But since this is a small company I think the VPN will be too expensive. This is also a very small part of the project that is using "Linked Servers". So in the future they will be removed ... I'm actually not sure why this is made like this. But we are not allowed to change much when we move it ... but we can do it afterwards.

We might be whitelisting the Gateway IPs for out region as a start and change the default port. Ofcause, also with username/password ...
Mikael Syska 31 Reputation points

2023-09-15T18:29:57.09+00:00

@GeethaThatipatri-MSFT

Just a quick follow up.

Did a little test setup. The SQL MI is connecting from: 20.82.9.4 which is a MS owned IP.

Is this a 100% random IP or are there some ranges I can whitelist?
GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-25T21:27:07.8733333+00:00

@Mikael Syska I am checking to see if you got a chance to look into the below responses. Please let me know if you have any further questions.

Regards

Geetha
Mikael Syska 31 Reputation points

2023-09-26T16:33:08.3733333+00:00

@GeethaThatipatri-MSFT

I have tried setting up the Azure Firewall without any luck at all.

It's not really clear what I need to setup to get it working... other than "Azure Firewall".

Azure SQL MI also does lots of magic during setup and "locks" stuff so you can change them.

The Azure Firewall "forced" me to create these two subnets for the Basic Azure Firewall.

Two public IPs and a default firewall policy was created.

So what am I missing here? This could be a solution if I could get it to work ...

I can't find any pointers or guides online ...

I'm trying to figure out how the "SQL MI" gets from 10.0.0.0/24 to the public IP ...

GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-11T19:08:09.8166667+00:00

Hi @Mikael Syska Thanks for posting your question in the Microsoft Q&A forum.

How are the on-prem network and the MI VNet connected, and how does the MI reach the on-prem SQL Server?

If there is no ExpressRoute / VPN / peering in the picture, then MI will use the default outbound access https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access, which means that there won't be a known and stable source IP address for the on-prem network to see.

Regards

Geetha
GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-12T13:31:52.51+00:00

@Mikael Syska I am checking to see if you got a chance to look into my above response. Please let me know if you have any further questions.

Regards

Geetha
Mikael Syska 31 Reputation points

2023-09-15T12:25:24.37+00:00

@GeethaThatipatri-MSFT

The on-prem and MI VNet is connected over the public internet, No VPN.

The issue we are looking into is "how are we going to connect the MI to the on-prem" in a EASY and Secure way ...

The Azure Firewall is even more expensive than the MI ...

I'm looking into the different options you wrote about. But since this is a small company I think the VPN will be too expensive. This is also a very small part of the project that is using "Linked Servers". So in the future they will be removed ... I'm actually not sure why this is made like this. But we are not allowed to change much when we move it ... but we can do it afterwards.

We might be whitelisting the Gateway IPs for out region as a start and change the default port. Ofcause, also with username/password ...
Mikael Syska 31 Reputation points

2023-09-15T18:29:57.09+00:00

@GeethaThatipatri-MSFT

Just a quick follow up.

Did a little test setup. The SQL MI is connecting from: 20.82.9.4 which is a MS owned IP.

Is this a 100% random IP or are there some ranges I can whitelist?
GeethaThatipatri-MSFT 21,486 Reputation points Microsoft Employee

2023-09-25T21:27:07.8733333+00:00

@Mikael Syska I am checking to see if you got a chance to look into the below responses. Please let me know if you have any further questions.

Regards

Geetha
Mikael Syska 31 Reputation points

2023-09-26T16:33:08.3733333+00:00

@GeethaThatipatri-MSFT

I have tried setting up the Azure Firewall without any luck at all.

It's not really clear what I need to setup to get it working... other than "Azure Firewall".

Azure SQL MI also does lots of magic during setup and "locks" stuff so you can change them.

The Azure Firewall "forced" me to create these two subnets for the Basic Azure Firewall.

Two public IPs and a default firewall policy was created.

So what am I missing here? This could be a solution if I could get it to work ...

I can't find any pointers or guides online ...

I'm trying to figure out how the "SQL MI" gets from 10.0.0.0/24 to the public IP ...

Answer 1

@Mikael Syska At present, SQL MI only supports default outbound access which cannot guarantee a known, static outbound IP address. This means that the incoming connection on the on-prem side will be seen as arriving from an arbitrary IP address in the Azure cloud range.

We do have plans to introduce support for NAT gateways natively in SQL MI subnets much like what App Service does. Until then, you can use Azure Firewall and a NAT gateway in combination to achieve the same effect.

This is discussed in some detail at Scenarios with private endpoints to Azure SQL Managed Instance, scenario #2

I hope this information helps.

Regards

Geetha

Answer 2

@Mikael Syska With default outbound access, Azure makes no guarantee that the source IP address will come from any particular range narrower than AzureCloud, nor that it will stay unchanged for any period of time: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access#how-is-default-outbound-access-provided

Unfortunately, default outbound access is the only supported outbound mechanism for SQL MI, at least until support for NAT gateways rolls out.

Have you considered Azure Firewall Basic? It is less expensive than Standard, also supports outbound sNAT, and if multiple SQL MIs are in its virtual network, will handle outbound traffic for all of those.

Regards

Geetha

How to find the outbound IPs for Azure SQL Managed Instance?

2 answers

Activity