Set up trust between instances with server trust group (Azure SQL Managed Instance)

Applies to: Azure SQL Managed Instance

A server trust group (also known as a SQL trust group) is the mechanism for managing trust between instances in Azure SQL Managed Instance. Creating a group establishes a certificate-based trust between its member instances; that trust can then be used for different cross-instance scenarios. Removing instances from the group or deleting the group removes the trust between them, so group membership should be treated as a security boundary: only instances that must trust each other belong in the same group. To create or delete a server trust group, the user needs write permissions on the managed instance. A server trust group is an Azure Resource Manager resource; the Azure portal labels it SQL trust group.

Set up group

A server trust group can be set up via the Azure portal, Azure PowerShell, or Azure CLI.

To create a server trust group by using the Azure portal, follow these steps:

  1. Go to the Azure portal.

  2. Navigate to Azure SQL Managed Instance that you plan to add to a server trust group.

  3. On the Security settings, select the SQL trust groups tab.

    Screenshot shows SQL trust groups page for a SQL managed instance.

  4. On the SQL trust groups configuration page, select the New Group icon.

    Screenshot shows SQL trust groups page with New Group selected.

  5. On the SQL trust group create pane, set the Group name. It must be unique within the group's subscription, resource group, and region. Trust scope defines the type of cross-instance scenario that the server trust group enables. The trust scope is fixed: all available functionalities are preselected and cannot be changed. Select the Subscription and Resource group, then choose the managed instances that will be members of the group.

    Screenshot shows the Create SQL trust group create page with values.

  6. After all required fields are populated, select Save.
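The same procedure with Azure PowerShell, as an added example that is not code from the original page. It assumes the Az.Sql module is installed and Connect-AzAccount has been run; the cmdlet and parameter names (New-AzSqlServerTrustGroup, Get-AzSqlServerTrustGroup, -GroupMember, -TrustScope) are taken from the Az.Sql module as I know it, and the resource group, region, group name, and instance names are placeholders you replace with your own:

```powershell
# Added example: create a server trust group with Az PowerShell and verify it.
# Assumes an authenticated Az session (Connect-AzAccount) and the Az.Sql module.
# All names below are placeholders.
$resourceGroup = "rg-sqlmi"         # placeholder resource group of the MIs
$location      = "westeurope"       # placeholder; must be the region of the MIs
$groupName     = "stg-sqlmi-prod"   # must be unique per subscription, RG and region

# Members are passed as ARM resource IDs; resolve them from the instance names
# so that a typo in a name fails here instead of creating a group with the wrong member.
$memberNames = @("sqlmi-prod-01", "sqlmi-prod-02")   # placeholder instance names
$memberIds = foreach ($name in $memberNames) {
    (Get-AzSqlInstance -ResourceGroupName $resourceGroup -Name $name).Id
}

# Create the group. Both trust scopes are passed explicitly; the portal preselects
# them and the scope cannot be changed after the group exists.
New-AzSqlServerTrustGroup `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -Name $groupName `
    -GroupMember $memberIds `
    -TrustScope @("GlobalTransactions", "ServiceBroker")

# Verify what was actually created: review the member list and trust scope before
# relying on the trust, since every listed instance now trusts every other member.
Get-AzSqlServerTrustGroup -ResourceGroupName $resourceGroup -Location $location -Name $groupName |
    Format-List
```

Because the group is an Azure Resource Manager resource, the account running this needs write permission on the managed instances, the same requirement the portal enforces.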

Edit group

To edit a server trust group, follow these steps:

  1. Go to Azure portal.

  2. Navigate to a managed instance that belongs to the trust group.

  3. On the Security settings select the SQL trust groups tab.

  4. Select the trust group you want to edit.

  5. Select Configure group.

    Screenshot shows a SQL trust group with Configure group highlighted.

  6. Add or remove managed instances from the group.

  7. Select Save to confirm the change or Cancel to discard it.

Delete group

To delete a server trust group, follow these steps:

  1. Go to the Azure portal.

  2. Navigate to a managed instance that belongs to the SQL trust group.

  3. On the Security settings select the SQL trust groups tab.

  4. Select the trust group you want to delete.

    Screenshot shows SQL trust groups page with a group highlighted.

  5. Select Delete group.

    Screenshot shows a SQL trust group with Delete Group highlighted.

  6. Type in the SQL trust group name to confirm deletion and select Delete.

    Screenshot shows the confirmation dialog for deleting a SQL trust group.

Note

Deleting the SQL trust group might not immediately remove the trust between its member instances. Trust removal can be enforced by invoking a failover of the managed instances; note that a failover briefly drops connections to the instance, so schedule it accordingly. Check the Known issues for the latest updates on this.
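Deleting a group and then forcing trust removal, as an added example that is not code from the original page. It assumes the Az.Sql module and an authenticated session; Remove-AzSqlServerTrustGroup and Invoke-AzSqlInstanceFailover are the cmdlet names as I know them from Az.Sql, and the resource group, region, group name, and instance names are placeholders:

```powershell
# Added example: delete a server trust group, then fail over each former member so
# that the certificate-based trust is actually torn down rather than lingering.
# Assumes an authenticated Az session and the Az.Sql module. Names are placeholders.
$resourceGroup = "rg-sqlmi"         # placeholder
$location      = "westeurope"       # placeholder; region of the group and the MIs
$groupName     = "stg-sqlmi-prod"   # placeholder; the group being removed

# The instances that were members of the group (placeholders). Record them before
# deleting the group, because the group object is gone afterwards.
$memberNames = @("sqlmi-prod-01", "sqlmi-prod-02")

# Confirm the group exists and is the one you mean; this throws if it does not.
Get-AzSqlServerTrustGroup -ResourceGroupName $resourceGroup -Location $location -Name $groupName |
    Format-List

Remove-AzSqlServerTrustGroup -ResourceGroupName $resourceGroup -Location $location -Name $groupName

# Deleting the group may leave the trust in place until the instances restart.
# A manual failover enforces removal, but it disconnects sessions on each instance,
# so run this inside a maintenance window.
foreach ($name in $memberNames) {
    Invoke-AzSqlInstanceFailover -ResourceGroupName $resourceGroup -Name $name -Force
}
```

After the failovers, a cross-instance operation that previously relied on the group should fail with a trust or authentication error; if it still succeeds, the trust was not removed and the Known issues list is the place to check.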

Limitations

The following limitations apply to server trust groups:

  • A group can contain only instances of Azure SQL Managed Instance.
  • The trust scope is fixed; it cannot be changed when a group is created or modified.
  • The name of the server trust group must be unique within its subscription, resource group, and region.

Next steps