---
title: Configure Public Endpoint
description: Learn how to configure a public endpoint for Azure SQL Managed Instance by using the Azure portal, Azure PowerShell, or the Azure CLI.
author: zoran-rilak-msft
ms.author: zoranrilak
ms.reviewer: vanto, mathoma
ms.date: 09/11/2025
ms.service: azure-sql-managed-instance
ms.subservice: security
ms.topic: how-to
ms.custom:
---
[!INCLUDE appliesto-sqlmi]
Public endpoints for Azure SQL Managed Instance enable data access to your SQL managed instance from outside the virtual network. You're able to access your SQL managed instance from multitenant Azure services like Power BI, Azure App Service, or an on-premises network. By using the public endpoint on a SQL managed instance, you don't need to use a VPN, which can help avoid VPN throughput issues.
In this article, you learn how to:
[!div class="checklist"]
- Enable or disable a public endpoint for your SQL managed instance
- Configure your SQL managed instance network security group (NSG) to allow traffic to the SQL managed instance public endpoint
- Obtain the SQL managed instance public endpoint connection string
Because of the sensitivity of the data in a SQL managed instance, enabling the SQL managed instance public endpoint is a two-step process. This security measure adheres to separation of duties (SoD):
- The SQL managed instance admin needs to enable the public endpoint on the SQL managed instance. The SQL managed instance admin can be found on the Overview page for your SQL managed instance resource.
- A network admin needs to allow traffic to the SQL managed instance using a network security group (NSG). For more information, review network security group permissions.
## Enable public endpoint

You can enable the public endpoint for your SQL Managed Instance by using the Azure portal, Azure PowerShell, or the Azure CLI.

### Azure portal

To enable the public endpoint for your SQL Managed Instance in the Azure portal, follow these steps:
- Go to the Azure portal.
- Open the resource group with the SQL managed instance, and select the SQL managed instance that you want to configure public endpoint on.
- On the Security settings, select the Networking tab.
- In the Virtual network configuration page, select Enable, and then the Save icon to update the configuration.
:::image type="content" source="./media/public-endpoint-configure/mi-vnet-config.png" alt-text="Screenshot shows the Virtual network page of SQL Managed Instance with the Public endpoint enabled.":::
### PowerShell

To enable the public endpoint with PowerShell, set -PublicDataEndpointEnabled to true when you update instance properties with Set-AzSqlInstance.
Use the sample PowerShell script to enable the public endpoint for your SQL Managed Instance. Replace the following values:
- subscription-id with your subscription ID
- rg-name with the resource group of your SQL managed instance
- mi-name with the name of your SQL managed instance
To enable the public endpoint by using PowerShell, run the following script:
```powershell
Install-Module -Name Az
Import-Module Az.Accounts
Import-Module Az.Sql
Connect-AzAccount
# Use your subscription ID in place of subscription-id below
Select-AzSubscription -SubscriptionId {subscription-id}
# Replace rg-name with the resource group for your SQL managed instance, and replace mi-name with the name of your SQL managed instance
$mi = Get-AzSqlInstance -ResourceGroupName {rg-name} -Name {mi-name}
# -Force skips the confirmation prompt
$mi = $mi | Set-AzSqlInstance -PublicDataEndpointEnabled $true -Force
```

### Azure CLI

To enable the public endpoint with the Azure CLI, set --public-data-endpoint-enabled to true when you update instance properties with az sql mi update.
Use the sample Azure CLI command to enable the public endpoint for your SQL Managed Instance. Replace the following values:
- subscription with your subscription ID
- rg-name with the resource group of your SQL managed instance
- mi-name with the name of your SQL managed instance
To enable the public endpoint by using the Azure CLI, run the following command:
```azurecli
az sql mi update --subscription {subscription-id} --resource-group {rg-name} --name {mi-name} --public-data-endpoint-enabled true
```
## Disable public endpoint

You can disable the public endpoint for your SQL Managed Instance by using the Azure portal, Azure PowerShell, or the Azure CLI.

### Azure portal

To disable the public endpoint by using the Azure portal, follow these steps:
- Go to the Azure portal.
- Open the resource group with the SQL managed instance, and select the SQL managed instance that you want to configure public endpoint on.
- On the Security settings, select the Networking tab.
- In the Virtual network configuration page, select Disable, and then the Save icon to update the configuration.
### PowerShell

To disable the public endpoint with PowerShell, set -PublicDataEndpointEnabled to false when you update instance properties with Set-AzSqlInstance.
Use Azure PowerShell to disable the public endpoint for your SQL Managed Instance. Remember to also close the inbound security rule for port 3342 in your network security group (NSG) if you've configured it.
To disable the public endpoint, use the following command:
```powershell
# Replace rg-name and mi-name as in the enable script; -Force skips the confirmation prompt
Set-AzSqlInstance -ResourceGroupName {rg-name} -Name {mi-name} -PublicDataEndpointEnabled $false -Force
```

### Azure CLI

To disable the public endpoint with the Azure CLI, set --public-data-endpoint-enabled to false when you update instance properties with az sql mi update.
Use the Azure CLI to disable the public endpoint for your SQL Managed Instance. Replace the following values:
- subscription with your subscription ID
- rg-name with the resource group of your SQL managed instance
- mi-name with the name of your SQL managed instance
Remember to also close the inbound security rule for port 3342 in your network security group (NSG) if you've configured it.
To disable the public endpoint, use the following command:
```azurecli
az sql mi update --subscription {subscription-id} --resource-group {rg-name} --name {mi-name} --public-data-endpoint-enabled false
```
## Allow public endpoint traffic on the network security group

Use the Azure portal to allow public traffic within the network security group. Follow these steps:

- Go to the Overview page for your SQL Managed Instance in the Azure portal.

- Select the Virtual network/subnet link, which takes you to the Virtual network configuration page.

  :::image type="content" source="./media/public-endpoint-configure/mi-overview.png" alt-text="Screenshot shows the Virtual network configuration page where you can find your Virtual network/subnet value.":::

- Select the Subnets tab on the configuration pane of your Virtual network, and make note of the SECURITY GROUP name for your SQL managed instance.

  :::image type="content" source="./media/public-endpoint-configure/mi-vnet-subnet.png" alt-text="Screenshot shows the Subnet tab, where you can get the SECURITY GROUP for your SQL managed instance.":::

- Go back to the resource group that contains your SQL managed instance. You should see the Network security group name noted previously. Select the Network security group name to open the Network Security Group configuration page.

- Select the Inbound security rules tab, and Add a rule that has higher priority than the deny_all_inbound rule with the following settings:

  | Setting | Suggested value | Description |
  |---|---|---|
  | Source | Any IP address or Service tag | - For Azure services like Power BI, select the Azure Cloud Service Tag<br/>- For your computer or Azure virtual machine, use the NAT IP address |
  | Source port ranges | * | Leave this as * (any), because source ports are typically dynamically allocated and therefore unpredictable |
  | Destination | Any | Leave destination as Any to allow traffic into the SQL managed instance subnet |
  | Destination port ranges | 3342 | Scope the destination port to 3342, which is the SQL managed instance public TDS endpoint |
  | Protocol | TCP | SQL Managed Instance uses the TCP protocol for TDS |
  | Action | Allow | Allow inbound traffic to the SQL managed instance through the public endpoint |
  | Priority | 1300 | Make sure this rule has a higher priority (lower number) than the deny_all_inbound rule |

  :::image type="content" source="./media/public-endpoint-configure/mi-nsg-rules.png" alt-text="Screenshot shows the Inbound security rules with your new public_endpoint_inbound rule above the deny_all_inbound rule.":::
> [!NOTE]
> Port 3342 is used for public endpoint connections to SQL managed instance, and can't be changed currently.
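The two steps above, carried out as one Azure PowerShell script. This is an added example and not code from this article or from the Azure documentation: it enables the public endpoint, locates the NSG attached to the instance subnet, checks that the chosen priority sorts before deny_all_inbound, adds the inbound rule from the table scoped to a single service tag or NAT address instead of Any, and prints the public endpoint connection string. It assumes the Az.Sql and Az.Network modules are installed and Connect-AzAccount has already been run; the parameter names are the example's own.

```powershell
# Added example, not from the article: enable the public endpoint and add the NSG rule
# from the table above, scoped to one source prefix or service tag rather than Any.
# Assumes Az.Sql and Az.Network are loaded and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,     # rg-name
    [Parameter(Mandatory)] [string] $InstanceName,          # mi-name
    # Service tag (for example AzureCloud, for Power BI) or the NAT IP/CIDR of your client
    [Parameter(Mandatory)] [string] $SourceAddressPrefix,
    [int] $Priority = 1300
)
$ErrorActionPreference = 'Stop'
if ($SourceAddressPrefix -in '*', 'Any', 'Internet') {
    throw 'Refusing to open port 3342 to every source; pass a service tag or NAT IP/CIDR.'
}

# Step 1 (SQL managed instance admin): enable the public data endpoint.
$mi = Get-AzSqlInstance -ResourceGroupName $ResourceGroupName -Name $InstanceName
$mi = $mi | Set-AzSqlInstance -PublicDataEndpointEnabled $true -Force

# Step 2 (network admin): find the NSG attached to the instance subnet.
# SubnetId: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$p = $mi.SubnetId -split '/'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $p[4] -Name $p[8]
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $p[10]
if (-not $subnet.NetworkSecurityGroup) { throw "No NSG is attached to subnet $($subnet.Name)." }
$n = $subnet.NetworkSecurityGroup.Id -split '/'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $n[4] -Name $n[-1]

# Lower number = higher priority: the allow rule must be evaluated before deny_all_inbound.
$deny = $nsg.SecurityRules | Where-Object { $_.Name -eq 'deny_all_inbound' }
if ($deny -and $Priority -ge $deny.Priority) {
    throw "Priority $Priority would be evaluated after deny_all_inbound ($($deny.Priority))."
}

$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'public_endpoint_inbound' `
    -Description 'Allow TDS to the SQL managed instance public endpoint' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority $Priority `
    -SourceAddressPrefix $SourceAddressPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3342
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Public endpoint host is <mi_name>.public.<dns_zone>.database.windows.net on port 3342.
$publicHost = $mi.FullyQualifiedDomainName -replace '^([^.]+)\.', '$1.public.'
"$publicHost,3342"
```

The script throws rather than creating a rule when the source is a wildcard or when the requested priority would be evaluated after deny_all_inbound, so a misconfiguration fails closed.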
A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that isn't within the address prefix of any other route in a subnet's route table. When a subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next hop type.
Overriding this default route without adding the necessary route(s) to ensure the public endpoint traffic is routed directly to Internet might cause asymmetric routing issues since incoming traffic doesn't flow via the Virtual appliance/Virtual network gateway. Ensure that all traffic reaching the SQL managed instance over public internet goes back out over public internet as well by either adding specific routes for each source or setting the default route to the 0.0.0.0/0 address prefix back to Internet as next hop type.
For more information about the impact of changing this default route, see 0.0.0.0/0 address prefix.
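A check for the routing condition just described, added here as an example that is not part of this article: it reads the route table attached to the instance subnet and reports whether 0.0.0.0/0 still has Internet as its next hop, listing any more specific Internet routes when it does not. It assumes the Az.Sql and Az.Network modules and a completed Connect-AzAccount; the parameter names are the example's own.

```powershell
# Added example, not from the article: report whether the instance subnet's route
# table overrides 0.0.0.0/0 away from Internet (the asymmetric-routing condition).
# Assumes Az.Sql and Az.Network are loaded and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # rg-name
    [Parameter(Mandatory)] [string] $InstanceName         # mi-name
)
$ErrorActionPreference = 'Stop'

# Resolve the instance subnet from its resource ID:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$mi = Get-AzSqlInstance -ResourceGroupName $ResourceGroupName -Name $InstanceName
$p = $mi.SubnetId -split '/'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $p[4] -Name $p[8]
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $p[10]

if (-not $subnet.RouteTable) {
    "No route table on subnet $($subnet.Name): Azure's default 0.0.0.0/0 -> Internet route applies."
    return
}
$rtParts = $subnet.RouteTable.Id -split '/'
$rt = Get-AzRouteTable -ResourceGroupName $rtParts[4] -Name $rtParts[-1]

$default = $rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }
if (-not $default) {
    "Route table $($rt.Name) does not override 0.0.0.0/0; replies to public endpoint clients exit via Internet."
    return
}
if ($default.NextHopType -eq 'Internet') {
    "Route table $($rt.Name): 0.0.0.0/0 -> Internet, the default route causes no asymmetric routing."
    return
}

Write-Warning ("0.0.0.0/0 in $($rt.Name) has next hop $($default.NextHopType) " +
    "$($default.NextHopIpAddress); replies to public endpoint clients will leave via that hop " +
    "unless a more specific route sends each client source back to Internet.")
# List any more specific Internet routes already in place (one per client source).
$rt.Routes |
    Where-Object { $_.NextHopType -eq 'Internet' -and $_.AddressPrefix -ne '0.0.0.0/0' } |
    Select-Object Name, AddressPrefix
```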
## Obtain the public endpoint connection string

- Navigate to the SQL managed instance configuration page that's been enabled for public endpoint. Select the Connection strings tab under the Settings configuration.

- The public endpoint host name comes in the format <mi_name>.public.<dns_zone>.database.windows.net, and the port used for the connection is 3342. The following is an example of a connection string denoting the public endpoint port that can be used in SQL Server Management Studio connections:

  ```
  <mi_name>.public.<dns_zone>.database.windows.net,3342
  ```

  :::image type="content" source="./media/public-endpoint-configure/mi-public-endpoint-conn-string.png" alt-text="Screenshot shows the connection strings for your public and VNet-local endpoints." lightbox="./media/public-endpoint-configure/mi-public-endpoint-conn-string.png":::
## Next steps

> [!div class="nextstepaction"]
> Use Azure SQL Managed Instance securely with public endpoints