Applies to:
SQL Server
An Azure Arc-enabled instance of SQL Server is an instance on-premises or in a cloud provider that is connected to Azure Arc. This article explains the prerequisites for connecting an instance.
If your SQL Server virtual machines run in VMware vSphere-based environments (including environments licensed through VMware vSphere Foundation or VMware Cloud Foundation), review Support on VMware.
Before you deploy
Before you can Arc-enable an instance of SQL Server, you need to:
- Create an Azure account with an active subscription. If needed, create a free Azure Account.
- Verify Arc connected machine agent prerequisites. The Arc agent must run in the typical 'full' mode.
- Open firewall to Azure Arc data processing service.
- Register resource providers. Specifically:
  - Microsoft.AzureArcData
  - Microsoft.HybridCompute
For instructions, see Register resource providers.
Installation account permissions
The user or service principal needs:
- Read permission on the subscription
- Local administrator permission on the operating system to install and configure the agent
- For Linux, use the root account
- For Windows, use an account that's a member of the Local Administrators group
Before enabling SQL Servers with Arc, the installation script checks:
- The region where the Arc-enabled SQL Server is supported
- Microsoft.AzureArcData resource provider is registered
These checks require read permission on the subscription for the user.
To complete the task, the user or service principal needs the following permissions in the Azure resource group:
- Azure Connected Machine Onboarding role
- Microsoft.AzureArcData/register/action
- Microsoft.HybridCompute/machines/extensions/read
- Microsoft.HybridCompute/machines/extensions/write
- Microsoft.Resources/deployments/validate/action
Assign users to built-in roles that have these permissions, such as:
For more information, see Assign Azure roles using the Azure portal.
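The action list above can be checked against a custom role before onboarding. The following is an added example, not part of the original page or Microsoft's tooling: it tests whether one role definition grants each required action and flags wildcard patterns wider than the task needs. The JSON shape (permissions, actions, notActions, as exported by az role definition list) and both sample roles are assumptions constructed for illustration.

```python
import re

# Required resource-group actions, copied from the list on this page.
REQUIRED_ACTIONS = [
    "Microsoft.AzureArcData/register/action",
    "Microsoft.HybridCompute/machines/extensions/read",
    "Microsoft.HybridCompute/machines/extensions/write",
    "Microsoft.Resources/deployments/validate/action",
]

def matches(pattern, action):
    """Case-insensitive match; '*' in a role pattern spans any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def granted(role_def, action):
    """True if a permissions block allows the action and notActions doesn't remove it."""
    for block in role_def.get("permissions", []):
        allowed = any(matches(p, action) for p in block.get("actions", []))
        removed = any(matches(p, action) for p in block.get("notActions", []))
        if allowed and not removed:
            return True
    return False

def audit_role(role_def):
    """Return (required actions the role lacks, wildcard patterns broader than needed)."""
    missing = [a for a in REQUIRED_ACTIONS if not granted(role_def, a)]
    broad = [p for block in role_def.get("permissions", [])
             for p in block.get("actions", [])
             if p == "*" or p.startswith("*/") or re.fullmatch(r"[^/]+/\*", p)]
    return missing, broad

# Constructed sample roles (hypothetical names; shape assumed from az CLI output).
TIGHT_ROLE = {"roleName": "example-arc-sql-onboarding",
              "permissions": [{"actions": list(REQUIRED_ACTIONS), "notActions": []}]}
BROAD_ROLE = {"roleName": "example-legacy-ops",
              "permissions": [{"actions": ["Microsoft.HybridCompute/*", "*/read"],
                               "notActions": ["Microsoft.HybridCompute/machines/extensions/write"]}]}

if __name__ == "__main__":
    for role in (TIGHT_ROLE, BROAD_ROLE):
        missing, broad = audit_role(role)
        print(role["roleName"], "missing:", missing, "broad:", broad)
```

notActions only subtracts within one role definition; a second role assignment can still grant the same action, so audit every role assigned to the onboarding identity.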
Verify state of user databases
When a SQL Server instance is enabled by Azure Arc, the connection sets some database permissions so that you can manage databases from Azure. For details about the permissions set at a database level, see SQL permissions.
Only databases that are online and updatable are included.
Verify the state of any databases you plan to manage from Azure.
This query lists all databases, their status, and if they're updatable:
SELECT name AS DatabaseName,
       CASE WHEN state_desc = 'ONLINE' THEN 'Online'
            WHEN state_desc = 'OFFLINE' THEN 'Offline'
            ELSE 'Unknown'
       END AS Status,
       CASE WHEN is_read_only = 0 THEN 'READ_WRITE'
            ELSE 'READ_ONLY'
       END AS UpdateableStatus
FROM sys.databases;
Run that query on any instance that you enable.
Service account permissions
The SQL Server service account must be a member of the sysadmin fixed server role on each SQL Server instance. By default, the SQL Server service account is a member of the sysadmin fixed server role.
For more information about this requirement, see SQL Server service account.
NT AUTHORITY\SYSTEM login requirements
The Azure extension for SQL Server Deployer runs under the LocalSystem (NT AUTHORITY\SYSTEM) account to perform permission configuration. As part of this process, the deployer connects to each SQL Server instance using Windows integrated authentication.
By default, NT AUTHORITY\SYSTEM has a SQL Server login with CONNECT SQL permission. In environments where SQL Server security hardening removes or restricts the NT AUTHORITY\SYSTEM login (such as by disabling the login or denying CONNECT SQL), the Azure extension for SQL Server fails to provision successfully.
To verify that NT AUTHORITY\SYSTEM can connect to SQL Server, run the following query on each instance. Review and test it in a non-production or test environment to validate the results before running it in production:
SELECT sp.name AS login_name,
       CASE WHEN sp.is_disabled = 1 THEN 'DISABLED' ELSE 'ENABLED' END AS login_status,
       ISNULL(p.state_desc, 'NONE (implicit)') AS connect_sql_permission
FROM sys.server_principals AS sp
LEFT OUTER JOIN sys.server_permissions AS p
    ON p.grantee_principal_id = sp.principal_id
   AND p.permission_name = N'CONNECT SQL'
   AND p.class_desc = N'SERVER'
WHERE sp.name = N'NT AUTHORITY\SYSTEM';
Successful provisioning requires that:
- The login exists (a row is returned)
- The login status is ENABLED
- CONNECT SQL permission is granted
If your organization determines that re-adding the NT AUTHORITY\SYSTEM account or granting extra permissions is acceptable for your environment, restore connectivity by creating the login and granting CONNECT SQL permission:
CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;
GRANT CONNECT SQL TO [NT AUTHORITY\SYSTEM];
After making changes, verify that the extension provisions successfully.
Set proxy exclusions
Note
Starting with the April 2024 release, this exclusion isn't required. Beginning with extension version 1.1.2986.256, you can set the NO_PROXY environment variable to bypass the proxy for specific URLs while routing all other requests through the proxy server. For example, use NO_PROXY to route requests to Azure Key Vault through private endpoints.
If you use a proxy server, set the NO_PROXY environment variable to exclude proxy traffic for:
- localhost
- 127.0.0.1
Connect to Azure Arc data processing service
Arc-enabled SQL Server requires outbound connection to Azure Arc Data Processing Service.
Each virtual or physical server needs to communicate with Azure. Specifically, they require connectivity to:
- URL: *.<region>.arcdataservices.com
  - For US Government Virginia regions, use *.<region>.arcdataservices.azure.us.
- Port: 443
- Direction: Outbound
- Authentication provider: Microsoft Entra ID
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region name is eastus2.
For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.
For a list of supported regions, review Supported Azure regions.
For a list of all regions, run this command:
az account list-locations -o table
Note
You can't use Azure Private Link connections to the Azure Arc data processing service. See Unsupported configurations.
Network requirements for enabling Microsoft Entra authentication
Enabling Microsoft Entra authentication for SQL Server enabled by Azure Arc requires some URLs to be allowed explicitly if a firewall blocks outbound URLs. Add the following URLs to the allowlist:
- https://login.microsoftonline.com/
- https://login.microsoft.com/
- https://enterpriseregistration.windows.net/
- https://graph.microsoft.com/
- https://<azure-keyvault-name>.vault.azure.net/ (Required only if you're using certificates for Microsoft Entra authentication)
Additionally, you might need to allow Azure portal authentication URLs.
Supported SQL Server versions and environments
Supported configurations
SQL Server version
SQL Server 2012 (11.x) and later versions.
Note
Only 64-bit SQL Server versions are supported.
Operating systems
- Windows 10 and 11
- Windows Server 2012 and later versions
- Ubuntu 20.04 (x64)
- Red Hat Enterprise Linux (RHEL) 8 (x64)
- SUSE Linux Enterprise Server (SLES) 15 (x64)
Important
Windows Server 2012 and Windows Server 2012 R2 support ended on October 10, 2023. For more information, see SQL Server 2012 and Windows Server 2012/2012 R2 end of support.
.NET Framework
On Windows, .NET Framework 4.7.2 and later.
This requirement begins with extension version 1.1.2504.99 (November 14, 2023 release). Without this version, the extension might not function as intended. Windows Server 2012 R2 doesn't come with .NET Framework 4.7.2 by default and must be updated accordingly.
Support on VMware
You can deploy SQL Server enabled by Azure Arc in VMware VMs running:
- On-premises
- In VMware solutions, for example:
  - Azure VMware Solution (AVS)
  - VMware Cloud on AWS
  - Google Cloud VMware Engine
VMware vSphere remains the underlying virtualization platform. Following Broadcom's acquisition of VMware, the vSphere product name didn't change; however, VMware updated how vSphere is packaged and licensed (for example, through VMware vSphere Foundation and VMware Cloud Foundation).
Warning
If you're running SQL Server VMs in Azure VMware Solution (AVS) private cloud, follow the steps in Deploy Arc-enabled Azure VMware Solution to enable.
This is the only deployment mechanism that provides you with a fully integrated experience with Arc capabilities within the AVS private cloud.
VMware packaging and support scope
SQL Server enabled by Azure Arc supports SQL Server instances running on virtual machines hosted in VMware vSphere–based environments, including Azure VMware Solution.
Support doesn't depend on specific VMware commercial bundles, editions, or packaging. The following requirements determine support:
- The supported guest operating system
- The supported SQL Server version
- Azure Arc Connected Machine agent requirements
VMware (Broadcom) defines VMware packaging, licensing, and lifecycle policies and may change them independently of Azure Arc.
Unsupported configurations
Azure Arc-enabled SQL Server doesn't currently support the following configurations:
- Windows Server 2012 or older versions of Windows Server. They don't have the minimum required versions of TLS to securely authenticate to Azure.
- Windows Server 2012 R2 is supported for DPS because it supports TLS 1.2. Windows Server 2012 R2 doesn't support the telemetry endpoint. Therefore features such as performance dashboard, migration assessment, and others aren't supported.
- SQL Server running in containers.
- SQL Server editions: Business Intelligence.
- Private Link connections to the Azure Arc data processing service at the <region>.arcdataservices.com endpoint used for inventory and usage upload.
- SQL Server 2008 (10.0.x), SQL Server 2008 R2 (10.50.x), and older versions.
- Installing the Arc agent and SQL Server extension can't be done as part of sysprep image creation.
- Multiple instances of SQL Server installed on the same host operating system with the same instance name.
- SQL Server in Azure Virtual Machines.
- An Always On availability group where one or more replicas is on a failover cluster instance.
- SQL Server Reporting Services (SharePoint Mode).
- DBCC CLONEDATABASE (Transact-SQL) throws an error on the default installation of the Azure extension for SQL Server. To run DBCC CLONEDATABASE, the Azure extension must be run in least privilege mode.
- SQL Server instance names containing a # symbol aren't supported. For a complete list of naming rules and restrictions, review naming rules and restrictions.
Register resource providers
To register the resource providers, use one of the following methods:
- Select Subscriptions.
- Choose your subscription.
- Under Settings, select Resource providers.
- Search for Microsoft.AzureArcData and Microsoft.HybridCompute and select Register.
Azure subscription and service limits
Before configuring your SQL Server instances and machines with Azure Arc, review the Azure Resource Manager subscription limits and resource group limits to plan for the number of machines to connect.
Supported regions
SQL Server enabled by Azure Arc is available in the following regions:
- East US
- East US 2
- West US
- West US 2
- West US 3
- Central US
- North Central US
- South Central US
- West Central US
- US Government Virginia 1
- Canada Central
- Canada East
- UK South
- UK West
- France Central
- West Europe
- North Europe
- Switzerland North
- Central India
- Brazil South
- South Africa North
- UAE North
- Japan East
- Korea Central
- Southeast Asia
- Australia East
- Sweden Central
- Norway East
1 Not all features are supported yet in the US Government Virginia region. For details, review SQL Server enabled by Azure Arc in US Government.
Important
- For successful onboarding and functioning, assign the same region to both Arc-enabled Server and Arc-enabled SQL Server.
Install Azure extension for SQL Server
The SQL Server 2022 (16.x) Setup Installation Wizard doesn't support installation of the Azure extension for SQL Server.
You can install this component in two ways:
- SQL Server enabled by Azure Arc deployment options
- Install Azure extension for SQL Server from the command line
For VMware vSphere-based environments, review Support on VMware.