Import or export an Azure SQL Database using Private Link without allowing Azure services to access the server

Applies to: Azure SQL Database

Running Import or Export via Azure PowerShell or Azure portal requires you to set Allow Access to Azure Services to ON, otherwise Import/Export operation fails with an error. Often, users want to perform Import or Export using a private end point without allowing access to all Azure services.

Import Export Private Link is a Service Managed Private Endpoint created by Microsoft and that is exclusively used by the Import-Export, database and Azure Storage services for all communications. The private end point has to be manually approved by user in the Azure portal for both server and storage.

Screenshot of Import Export Private link architecture

To use Private Link with Import-Export, user database and Azure Storage blob container must be hosted on the same type of Azure Cloud. For example, either both in Azure Commercial or both on Azure Gov. Hosting across cloud types isn't supported.

This article explains how to import or export an Azure SQL Database using Private Link with Allow Azure Services is set to OFF on the Azure SQL server.

Note

Import Export using Private Link for Azure SQL Database is currently in preview

Important

Import or Export of a database from Azure SQL Managed Instance using PowerShell isn't currently supported.


Import-Export Private Link can be configured via Azure portal, PowerShell or using REST API.

  1. Go to server into which you would like to import database. Select Import database from toolbar in Overview page.
  2. In Import Database page, select Use Private Link option Screenshot that shows how to enable Import Private link
  3. Enter the storage account, server credentials, Database details and select OK.
  1. Go to the database that you would like to export. Select Export database from toolbar in Overview page
  2. In Export Database page, select Use Private Link option Screenshot that shows how to enable Export Private Link
  3. Enter the storage account, server sign-in credentials, Database details and select OK.

Approve Private End Points

  1. Go to Private Link Center
  2. Navigate to Private endpoints section
  3. Approve the private endpoints you created using Import/Export service
Approve Private End Point connection on Azure SQL Database
  1. Go to the server that hosts the database.
  2. Open the Private endpoint connections page in security section on the left.
  3. Select the private endpoint you want to approve.
  4. Select Approve to approve the connection.

Screenshot that shows how to approve Azure SQL Database Private Link

Approve Private End Point connection on Azure Storage
  1. Go to the storage account that hosts the blob container that holds BACPAC file.
  2. Open the Private endpoint connections page in security section on the left.
  3. Select the Import-Export private endpoints you want to approve.
  4. Select Approve to approve the connection.

Screenshot that shows how to approve Azure Storage Private Link in Azure Storage

After the Private End points are approved both in Azure SQL Server and Storage account, Import or Export jobs will be kicked off. Until then, the jobs will be on hold.

You can check the status of Import or Export jobs in Import-Export History page under Data Management section in Azure SQL Server page. Screenshot that shows how to check Import Export Jobs Status


Use the New-AzSqlDatabaseImport cmdlet to submit an import database request to Azure. Depending on database size, the import may take some time to complete. The DTU based provisioning model supports select database max size values for each tier. When importing a database use one of these supported values.

$importRequest = New-AzSqlDatabaseImport -ResourceGroupName "<resourceGroupName>" `
        -ServerName "<serverName>" -DatabaseName "<databaseName>" `
        -DatabaseMaxSizeBytes "<databaseSizeInBytes>" -StorageKeyType "StorageAccessKey" ` 
        -StorageKey $(Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName `
                        -StorageAccountName "<storageAccountName>").Value[0] 
        -StorageUri "https://myStorageAccount.blob.core.windows.net/importsample/sample.bacpac" `
        -Edition "Standard" -ServiceObjectiveName "P6" ` -UseNetworkIsolation $true `
        -StorageAccountResourceIdForPrivateLink "/subscriptions/<subscriptionId>/resourcegroups/<resource_group_name>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>" `
 	    -SqlServerResourceIdForPrivateLink "/subscriptions/<subscriptionId>/resourceGroups/<resource_group_name>/providers/Microsoft.Sql/servers/<server_name>" `
        -AdministratorLogin "<userID>" `
        -AdministratorLoginPassword $(ConvertTo-SecureString -String "<password>" -AsPlainText -Force)

Use the New-AzSqlDatabaseExport cmdlet to submit an export database request to the Azure SQL Database service. Depending on the size of your database, the export operation may take some time to complete.

$importRequest = New-AzSqlDatabaseExport -ResourceGroupName "<resourceGroupName>" `
        -ServerName "<serverName>" -DatabaseName "<databaseName>" `
        -DatabaseMaxSizeBytes "<databaseSizeInBytes>" -StorageKeyType "StorageAccessKey" ` 
        -StorageKey $(Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName `
                        -StorageAccountName "<storageAccountName>").Value[0] 
        -StorageUri "https://myStorageAccount.blob.core.windows.net/importsample/sample.bacpac" `
        -Edition "Standard" -ServiceObjectiveName "P6" ` -UseNetworkIsolation $true `
        -StorageAccountResourceIdForPrivateLink "/subscriptions/<subscriptionId>/resourcegroups/<resource_group_name>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>" `
 	    -SqlServerResourceIdForPrivateLink "/subscriptions/<subscriptionId>/resourceGroups/<resource_group_name>/providers/Microsoft.Sql/servers/<server_name>" `
        -AdministratorLogin "<userID>" `
        -AdministratorLoginPassword $(ConvertTo-SecureString -String "<password>" -AsPlainText -Force)

Existing APIs to perform Import and Export jobs have been enhanced to support Private Link. Refer to Import Database API

Limitations

  • Import using Private Link does not support specifying a backup storage redundancy while creating a new database and creates with the default geo-redundant backup storage redundancy. As a work around, first create an empty database with desired backup storage redundancy using Azure portal or PowerShell and then import the BACPAC into this empty database.
  • Import using REST API with private link can only be done to existing database since the API uses database extensions. To workaround this create an empty database with desired name and call Import REST API with Private link.

Next steps