| title | Server trust group |
|---|---|
| titleSuffix | Azure SQL Managed Instance |
| description | Learn how to manage trust between instances by using a server trust group in Azure SQL Managed Instance. |
| author | MladjoA |
| ms.author | mlandzic |
| ms.reviewer | mathoma |
| ms.date | 11/02/2021 |
| ms.service | azure-sql-managed-instance |
| ms.subservice | service-overview |
| ms.topic | how-to |
[!INCLUDEappliesto-sqlmi]
Server trust group (also known as SQL trust group) is a concept used for managing trust between instances in Azure SQL Managed Instance. By creating a group, a certificate-based trust is established between its members. This trust can be used for different cross-instance scenarios. Removing servers from the group or deleting the group removes the trust between the servers. To create or delete a server trust group, the user needs to have write permissions on the managed instance. Server trust group is an Azure Resource Manager object, which has been labeled as SQL trust group in Azure portal.
Server trust group can be set up via Azure PowerShell or Azure CLI.
To create a server trust group by using the Azure portal, follow these steps:
-
Go to the Azure portal.
-
Navigate to Azure SQL Managed Instance that you plan to add to a server trust group.
-
On the Security settings, select the SQL trust groups tab.
:::image type="content" source="./media/server-trust-group-overview/sql-trust-groups.png" alt-text="Screenshot shows SQL trust groups page for a SQL managed instance.":::
-
On the SQL trust groups configuration page, select the New Group icon.
:::image type="content" source="./media/server-trust-group-overview/new-sql-trust-group-button.png" alt-text="Screenshot shows SQL trust groups page with New Group selected.":::
-
On the SQL trust group, create pane set the Group name. It needs to be globally unique in its Azure region. Trust scope defines the type of cross-instance scenario that is enabled with the server trust group. Trust scope is fixed - all available functionalities are preselected and this can't be changed. Select Subscription and Resource group to choose the managed instances that will be members of the group.
:::image type="content" source="./media/server-trust-group-overview/new-sql-trust-group.png" alt-text="Screenshot shows the Create SQL trust group create page with values.":::
-
After all required fields are populated, select Save.
To edit a server trust group, follow these steps:
-
Go to Azure portal.
-
Navigate to a managed instance that belongs to the trust group.
-
On the Security settings select the SQL trust groups tab.
-
Select the trust group you want to edit.
-
Click Configure group.
:::image type="content" source="./media/server-trust-group-overview/configure-sql-trust-group.png" alt-text="Screenshot shows a SQL trust group with Configure group highlighted.":::
-
Add or remove managed instances from the group.
-
Click Save to confirm choice or Cancel to abandon changes.
To delete a server trust group, follow these steps:
-
Go to the Azure portal.
-
Navigate to a managed instance that belongs to the SQL trust group.
-
On the Security settings, select the SQL trust groups tab.
-
Select the trust group you want to delete.
:::image type="content" source="./media/server-trust-group-overview/select-delete-sql-trust-group.png" alt-text="Screenshot shows SQL trust groups page with a group highlighted.":::
-
Select Delete group.
:::image type="content" source="./media/server-trust-group-overview/delete-sql-trust-group.png" alt-text="Screenshot shows a SQL trust group with Delete Group highlighted.":::
-
Type in the SQL trust group name to confirm deletion and select Delete.
:::image type="content" source="./media/server-trust-group-overview/confirm-delete-sql-trust-group-2.png" alt-text="Confirm SQL trust group deletion":::
Note
Deleting the SQL trust group might not immediately remove the trust between the two managed instances. Trust removal can be enforced by invoking a failover of managed instances. Check the Known issues for the latest updates on this.
Following limitations apply to Server Trust Groups:
- Group can contain only instances of Azure SQL Managed Instance.
- Trust scope can't be changed when a group is created or modified.
- The name of the server trust group must be unique for its subscription, resource group, and region.
- For more information about distributed transactions in Azure SQL Managed Instance, see Distributed transactions.
- For release updates and known issues state, see What's new?.
- If you have feature requests, add them to the Managed Instance forum.