| title | Secure Azure SQL Managed Instance Public Endpoints | |
|---|---|---|
| description | Securely use public endpoints in Azure SQL Managed Instance | |
| author | zoran-rilak-msft | |
| ms.author | zoranrilak | |
| ms.reviewer | vanto, mathoma | |
| ms.date | 08/26/2025 | |
| ms.service | azure-sql-managed-instance | |
| ms.subservice | security | |
| ms.topic | concept-article | |
| ms.update-cycle | 365-days | |
| ms.custom |
|
[!INCLUDE appliesto-sqlmi]
Azure SQL Managed Instance can provide user connectivity over public endpoints. This article explains how to make this configuration more secure.
Azure SQL Managed Instance provides a VNet-local endpoint to allow connectivity from inside its virtual network. The default option is to provide maximum isolation. However, there are scenarios where you need to provide a public endpoint connection:
- The SQL managed instance must integrate with multitenant-only platform as a service (PaaS) offerings.
- You need higher throughput of data exchange than is possible when you're using a VPN.
- Company policies prohibit PaaS inside corporate networks.
The public endpoint always uses the proxy connection type regardless of the connection type setting.
Although not mandatory, the common deployment model for a SQL managed instance with public endpoint access is to create the instance in a dedicated isolated virtual network. In this configuration, the virtual network is used only for virtual cluster isolation. It doesn't matter if the SQL managed instance's IP address space overlaps with a corporate network's IP address space.
SQL Managed Instance data traffic is always encrypted if the client driver supports encryption. Data sent between the SQL managed instance and other Azure virtual machines or Azure services never leaves Azure's backbone. If there's a connection between the SQL managed instance and an on-premises network, we recommend you use Azure ExpressRoute. ExpressRoute helps you avoid moving data over the public internet. For SQL managed instance local connectivity, only private peering can be used.
The following diagram shows the recommended security configurations:
A SQL managed instance has a public endpoint address that is dedicated to a customer. This endpoint shares the IP address with the management endpoint but uses a different port. Similar to a VNet-local endpoint, the public endpoint might change after certain management operations. Always determine the public endpoint address by resolving the endpoint FQDN record. For example, when configuring application-level firewall rules.
To ensure traffic to the SQL managed instance is coming from trusted sources, we recommend connecting from sources with well-known IP addresses. Use a network security group to limit access to the SQL managed instance public endpoint on port 3342.
When clients need to initiate a connection from an on-premises network, make sure the originating address is translated to a well-known set of IP addresses. If you can't do so (for example, a mobile workforce being a typical scenario), we recommend you use Point-to-site VPN connections and a VNet-local endpoint.
If connections are started from Azure, we recommend that traffic come from a well-known assigned virtual IP address (for example, a virtual machine). To make managing virtual IP (VIP) addresses easier, you might want to use public IP address prefixes.
[!div class="nextstepaction"] Configure public endpoints in Azure SQL Managed Instance