Create SQL MI with point-to-site connection configured


Deploy To Azure Deploy To Azure US Gov Visualize

This template creates an Azure SQL Managed Instance inside a new virtual network, together with a virtual network gateway configured for point-to-site VPN connections.

Tags: Azure, SqlDb, Managed Instance, Point-to-Site VPN, Microsoft.Network/networkSecurityGroups, Microsoft.Network/routeTables, Microsoft.Network/virtualNetworks, Microsoft.Sql/managedInstances, SystemAssigned, Microsoft.Network/publicIPAddresses, Microsoft.Network/virtualNetworkGateways

Solution overview and deployed resources

This deployment creates an Azure Virtual Network with two subnets, ManagedInstance and GatewaySubnet. The Managed Instance is deployed in the ManagedInstance subnet. The virtual network gateway is created in GatewaySubnet and configured for point-to-site VPN connections.

Deployment using PowerShell

The easiest way to deploy this template is to run the following PowerShell script. The script creates and configures the VPN certificates and then runs the template deployment. Note that the last command downloads deploy.ps1 from $scriptUrlBase and executes it in the current session, so review the script at that URL before running it.

# Base URL of the repository folder that contains scripts/deploy.ps1 (left empty here; set it before running)
$scriptUrlBase = ''

$parameters = @{
    subscriptionId = '<subscriptionId>'
    resourceGroupName = '<resourceGroupName>'
    location = '<location>'
    virtualNetworkName = '<virtualNetworkName>'
    managedInstanceName = '<managedInstanceName>'
    administratorLogin = '<login>'
    administratorLoginPassword = '<password>'          # SQL admin password; do not leave it in shell history or saved scripts
    certificateNamePrefix = '<certificateNamePrefix>'  # prefix for the root and client certificate names the script generates
}

# Downloads deploy.ps1 and runs it in the current session with the parameters above.
Invoke-Command -ScriptBlock ([Scriptblock]::Create((New-Object System.Net.WebClient).DownloadString($scriptUrlBase+'/scripts/deploy.ps1'))) -ArgumentList $parameters, $scriptUrlBase

Deployment from template

You can click the "Deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo, and populate the following parameters:

  • Name of the Managed Instance that will be created, including the Managed Instance admin login and password.
  • Public self-signed root certificate data. The template needs only the Base64-encoded public certificate; keep the root private key offline, since anyone who holds it can issue client certificates that the gateway trusts. For detailed information on setting up certificates for point-to-site VPN, see the documentation.
  • Name of the Azure Virtual Network that will be created and configured, including the address range assigned to this VNet. A default address range is supplied, but you can change it to fit your needs.
  • Name of the subnet where the Managed Instance will be created. The name is ManagedInstance unless you change it. A default address range is supplied, but you can change it to fit your needs.
  • Address range for GatewaySubnet. A default address range is supplied, but you can change it to fit your needs.
  • VPN client address pool prefix. A computer that connects via VPN receives an address from this pool. This range must not overlap with the virtual network address range (nor with the client's own local network, or routing to the VNet breaks). A default address pool prefix is supplied, but you can change it to fit your needs.
  • SKU name, which combines service tier and hardware generation, number of virtual cores and storage size in GB. The table below shows the supported combinations.
  • License type: BasePrice if you are eligible for Azure Hybrid Use Benefit for SQL Server, LicenseIncluded otherwise.
                    GP_Gen5             BC_Gen5
Tier                General Purpose     Business Critical
Hardware            Gen 5               Gen 5
Min vCores          8                   8
Max vCores          80                  80
Min storage size    32 GB               32 GB
Max storage size    8192 GB             1024 GB for 8, 16 vCores
                                        2048 GB for 24 vCores
                                        4096 GB for 32, 40, 64, 80 vCores
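The certificate steps behind the "public self-signed root certificate data" parameter, worked through as an added example that is not part of this template or its deploy.ps1 script. It generates the root and client certificates on the admin workstation, exports the root's public data in the Base64 form the template parameter takes, and passes it to a template deployment. The certificate subject names, file paths, resource names and the template parameter names in the deployment call (in particular publicRootCertData and the azuredeploy.json file name) are assumptions; check them against the template's parameters before running.

```powershell
# Added example (not the template's own code). Subject names, paths and the template
# parameter names below are assumptions and must be checked against azuredeploy.json.

# 1. Self-signed root CA. The private key stays in the CurrentUser store; only the public
#    part leaves this machine. Anyone holding this key can mint client certificates the
#    gateway will trust, so protect it like any other CA key.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root. The EKU 1.3.6.1.5.5.7.3.2 (client authentication)
#    is what the VPN client presents. Issue one per user/device so each can be revoked alone.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Public root certificate data: DER bytes of the certificate only (no private key),
#    Base64 encoded without PEM header/footer lines. This is the template parameter value.
$rootPublicData = [System.Convert]::ToBase64String(
    $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 4. Client certificate with its private key as a password-protected PFX for the user's
#    device. The password is prompted rather than written into the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath '.\P2SChildCert.pfx' -Password $pfxPassword | Out-Null

# 5. Deploy the template. The SQL admin password is prompted, not hard-coded; the template's
#    securestring parameter accepts the SecureString directly.
$sqlAdminPassword = Read-Host -Prompt 'Managed Instance admin password' -AsSecureString
$deployParams = @{
    managedInstanceName        = 'mi-p2s-demo'      # assumed names
    administratorLogin         = 'miadmin'
    administratorLoginPassword = $sqlAdminPassword
    virtualNetworkName         = 'vnet-mi-p2s'
    publicRootCertData         = $rootPublicData    # assumed parameter name for the root cert data
}
New-AzResourceGroupDeployment -ResourceGroupName 'rg-mi-p2s' `
    -TemplateFile '.\azuredeploy.json' -TemplateParameterObject $deployParams
```

Install the PFX from step 4 on each client before configuring the VPN client; the gateway validates the presented certificate against the root uploaded in step 5, so revoking a client later means adding its thumbprint to the gateway's revocation list rather than re-deploying the root.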


Deployment of the first instance in a subnet can take up to six hours, while subsequent deployments take up to 1.5 hours. This is because the virtual cluster that hosts the instances has to be deployed, or resized, first. For more details, see Overview of Azure SQL Managed Instance management operations.

Each virtual cluster is associated with a subnet and is deployed together with the first instance created there. In the same way, the virtual cluster is removed automatically when the last instance is deleted, leaving the subnet empty and ready for removal.