Recommended Setup for Connecting Power Automate Cloud to Azure SQL Managed Instance via Private Endpoint

Albert Kent Banico 0 Reputation points
2025-05-06T00:19:39.3+00:00

What is the recommended architecture for establishing a secure connection between Power Automate (cloud) and an Azure SQL Managed Instance that is configured with a private endpoint? I do not have global administrative control over the Power Platform environment. Within our organization, most existing solutions typically rely on using a VM-hosted on-premises data gateway for such scenarios. Are there alternative best practices or modern approaches that can reduce dependency on VM-based gateways while maintaining security and compliance?

Azure SQL Database

1 answer

    Manasa Akula 450 Reputation points Microsoft External Staff Moderator
    2025-05-06T02:18:38.1233333+00:00

    Hi Albert Kent Banico,
    Establishing a secure connection between Power Automate (cloud) and an Azure SQL Managed Instance configured with a private endpoint is crucial for maintaining security and compliance. Given your organization's preference for reducing dependency on VM-hosted on-premises data gateways, here are some recommended approaches and best practices for your scenario.

    Utilize Private Link: Since you mentioned using a private endpoint, this is a strong option. Configuring a private endpoint for your Azure SQL Managed Instance allows secure and private connectivity over an Azure Private Link. This way, the traffic does not traverse the public internet, adding an extra layer of security.

    DNS Configuration: Ensure that you've set up domain name resolution for your private endpoint correctly. You'll need to configure your DNS server or use a private DNS zone so that the SQL clients can resolve the private endpoint properly. The connection string should use the fully qualified domain name (FQDN) of the SQL Managed Instance.

    Direct Connection from Power Automate: While you noted that you don’t have global administrative control over the Power Platform environment, under certain conditions, you can establish private endpoints directly from Power Automate, allowing it to connect to Azure services like SQL Managed Instance without routing through a VM. Refer to the documentation for creating a managed private endpoint in Data Factory, as Power Automate can leverage similar mechanisms.

    Consider Integration with Azure Data Factory: If your organization currently uses Azure Data Factory, you might want to set up a managed private endpoint between Azure Data Factory and the SQL Managed Instance. This can facilitate secure connectivity while centralizing your data management without needing it to pass through a VM.

    Security Practices: Always ensure that your managed instance is configured with proper network security groups (NSGs) and firewall rules to restrict access only to trusted IPs when using private endpoints. This will help maintain compliance and security.

    Power Automate Cloud with VNet Integration:

    • VNet Integration: Utilize Power Automate's Virtual Network (VNet) integration feature, which allows cloud flows to securely access resources within a VNet. This integration is crucial for connecting to services like Azure SQL Managed Instance over a private endpoint.

    Azure Firewall with NAT Rules:

    • Network Address Translation (NAT): Deploy Azure Firewall in the same VNet as the private endpoint. Configure NAT rules to translate incoming traffic from a public IP to the private IP of the SQL Managed Instance. This setup provides a secure entry point while maintaining the benefits of private connectivity.

    Alternative to On-Premises Data Gateway

    This approach aligns with modern cloud-first strategies, offering scalability, security, and compliance.

    Best Practices

    • Network Security: Implement Network Security Groups (NSGs) to control inbound and outbound traffic to the private endpoint, ensuring that only authorized resources can access the SQL Managed Instance.
    • Authentication: Use Azure Active Directory (Azure AD) authentication for secure and centralized identity management, avoiding the need for SQL authentication.
    • Monitoring and Logging: Enable diagnostic logging and monitoring for Azure Firewall and SQL Managed Instance to track access patterns and detect potential security threats.
    • Compliance: Ensure that the architecture complies with organizational and regulatory standards by conducting regular security assessments and audits.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.

    1 person found this answer helpful.
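The DNS configuration point in the answer above is the one that most often goes wrong in practice, so here is an added check (not code from the question or the answer) that can be run from the network the SQL client actually uses: it verifies that the SQL Managed Instance FQDN from the connection string resolves to a private address, which is what shows the private DNS zone is linked and the connection will stay on the Private Link rather than fall back to a public address. It assumes the VNet address space falls in the RFC 1918 ranges that Python's `is_private` recognises; the instance name and IP addresses used below are constructed placeholders.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed example, not code from the thread: classify where connections to a
# SQL Managed Instance FQDN would go, based on what the name resolves to from here.
STATUS_DETAIL = {
    "private": "resolves only to private IPs: traffic stays on the Private Link",
    "public": "resolves to a public IP: private DNS zone is not linked to this VNet",
    "mixed": "resolves to private and public IPs: check DNS forwarding rules",
    "unresolved": "does not resolve: check the private DNS zone or DNS forwarder",
}


def system_resolver(fqdn: str) -> List[str]:
    """Resolve with the OS resolver on the SQL port; [] when the name is unknown."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, 1433)})
    except socket.gaierror:
        return []


def is_managed_instance_fqdn(fqdn: str) -> bool:
    """SQL MI host names have the form <instance>.<dns-zone>.database.windows.net."""
    labels = fqdn.lower().rstrip(".").split(".")
    return len(labels) == 5 and labels[-3:] == ["database", "windows", "net"]


def check_private_resolution(
    fqdn: str, resolve: Callable[[str], Iterable[str]] = system_resolver
) -> Dict[str, object]:
    """Return the FQDN, its addresses and a STATUS_DETAIL key; `resolve` is injectable."""
    if not is_managed_instance_fqdn(fqdn):
        raise ValueError(f"not a SQL Managed Instance host name: {fqdn}")
    addresses = [ipaddress.ip_address(a) for a in resolve(fqdn)]
    private = [str(a) for a in addresses if a.is_private]
    public = [str(a) for a in addresses if not a.is_private]
    if not addresses:
        status = "unresolved"
    elif private and public:
        status = "mixed"
    elif private:
        status = "private"
    else:
        status = "public"
    return {"fqdn": fqdn, "status": status, "addresses": private + public,
            "detail": STATUS_DETAIL[status]}
```

A "public" or "unresolved" result from inside the VNet means the private DNS zone is missing or not linked, and any flow using that connection string will not reach the instance over the private endpoint.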
