Indexer connections to Azure SQL Managed Instance through a public endpoint
If you are setting up an Azure SQL indexer that connects to an Azure SQL managed instance, you'll need to enable a public endpoint on the managed instance as a prerequisite. By default, an indexer connects to a managed instance over a public endpoint.
This article provides basic steps that include collecting information necessary for data source configuration. For more information and methodologies, see Configure public endpoint in Azure SQL Managed Instance.
Always Encrypted columns are not currently supported by Cognitive Search indexers.
Enable a public endpoint
For a new SQL Managed Instance, create the resource with the Enable public endpoint option selected.
Alternatively, if the instance already exists, you can enable the public endpoint under Security > Virtual network > Public endpoint > Enable.
Verify NSG rules
Check that the Network Security Group has the correct inbound security rules to allow connections from Azure services.
Restrict inbound access to the endpoint
You can restrict inbound access to the public endpoint by replacing the current rule (public_endpoint_inbound) with the following two rules:
Allowing inbound access from the AzureCognitiveSearch service tag ("SOURCE" = AzureCognitiveSearch, "NAME" =
Allowing inbound access from the IP address of the search service, which can be obtained by pinging its fully qualified domain name (e.g., <your-search-service-name>.search.windows.net). ("SOURCE" = IP address, "NAME" =
For each rule, set "PORT" = 3342, "PROTOCOL" = TCP, "DESTINATION" = Any, "ACTION" =
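The following check is an added example, not code from the original article: it reads NSG rules exported as JSON and lists the inbound Allow rules that still expose port 3342 to sources other than the AzureCognitiveSearch service tag and the search service IP address. The rule names rule_search_tag, rule_search_ip and legacy_range, the address 203.0.113.10, and the JSON field layout (assumed to match the output of az network nsg rule list) are constructed for illustration.

```python
import json

ENDPOINT_PORT = 3342  # public endpoint port from this article

# Constructed sample shaped like `az network nsg rule list` output. Every name
# except public_endpoint_inbound, and the IP address, is a placeholder.
SAMPLE_RULES = json.loads("""[
  {"name": "rule_search_tag", "priority": 1100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "3342",
   "sourceAddressPrefix": "AzureCognitiveSearch"},
  {"name": "rule_search_ip", "priority": 1200, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "3342",
   "sourceAddressPrefix": "203.0.113.10"},
  {"name": "public_endpoint_inbound", "priority": 1300, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "3342",
   "sourceAddressPrefix": "*"},
  {"name": "legacy_range", "priority": 1400, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "destinationPortRanges": ["3000-4000"],
   "sourceAddressPrefixes": ["Internet"]}
]""")
ALLOWED_SOURCES = ["AzureCognitiveSearch", "203.0.113.10"]

def _values(rule, single, plural):
    """An NSG rule carries a single value or a list; return both merged."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(port_range, port):
    """True if '*', 'N' or 'N-M' includes the given port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def overly_broad_rules(rules, allowed_sources):
    """Names of inbound Allow rules (in priority order) that open the endpoint
    port to any source outside allowed_sources. Deny rules are not modelled."""
    allowed = {s.lower() for s in allowed_sources}
    flagged = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"].lower(), rule["access"].lower()) != ("inbound", "allow"):
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_covers_port(p, ENDPOINT_PORT) for p in ports) and \
           any(s.lower() not in allowed for s in sources):
            flagged.append(rule["name"])
    return flagged
```

An empty result means every inbound Allow rule covering port 3342 is limited to the two intended sources.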
Get public endpoint connection string
Copy the connection string to use in the search indexer's data source connection. Be sure to copy the connection string for the public endpoint (port 3342, not port 1433).
With configuration out of the way, you can now specify a SQL Managed Instance as an indexer data source.