articles/azure-sql/managed-instance/connectivity-architecture-overview.md
Lines changed: 6 additions & 6 deletions
@@ -95,16 +95,16 @@ Service endpoints could be used to configure virtual network firewall rules on s
95
95
96
96
Deploy SQL Managed Instance in a dedicated subnet inside the virtual network. The subnet must have these characteristics:
97
97
98
-
-**Dedicated subnet:**The managed instance's subnet can't contain any other cloud service that's associated with it, but other managed instances are allowed and it can't be a gateway subnet. The subnet can't contain any resource but the managed instance(s), and you can't later add other types of resources in the subnet.
98
+
-**Dedicated subnet:**SQL Managed Instance's subnet can't contain any other cloud service that's associated with it, but other managed instances are allowed and it can't be a gateway subnet. The subnet can't contain any resource but the managed instance(s), and you can't later add other types of resources in the subnet.
99
99
-**Subnet delegation:** The SQL Managed Instance subnet needs to be delegated to the `Microsoft.Sql/managedInstances` resource provider.
100
100
-**Network security group (NSG):** An NSG needs to be associated with the SQL Managed Instance subnet. You can use an NSG to control access to the SQL Managed Instance data endpoint by filtering traffic on port 1433 and ports 11000-11999 when SQL Managed Instance is configured for redirect connections. The service will automatically provision and keep current [rules](#mandatory-inbound-security-rules-with-service-aided-subnet-configuration) required to allow uninterrupted flow of management traffic.
101
101
-**User defined route (UDR) table:** A UDR table needs to be associated with the SQL Managed Instance subnet. You can add entries to the route table to route traffic that has on-premises private IP ranges as a destination through the virtual network gateway or virtual network appliance (NVA). Service will automatically provision and keep current [entries](#mandatory-user-defined-routes-with-service-aided-subnet-configuration) required to allow uninterrupted flow of management traffic.
102
102
-**Sufficient IP addresses:** The SQL Managed Instance subnet must have at least 32 IP addresses. For more information, see [Determine the size of the subnet for SQL Managed Instance](vnet-subnet-determine-size.md). You can deploy managed instances in [the existing network](vnet-existing-add-subnet.md) after you configure it to satisfy [the networking requirements for SQL Managed Instance](#network-requirements). Otherwise, create a [new network and subnet](virtual-network-subnet-create-arm-template.md).
103
-
-**Unlocked resources:**The virtual network that contains the subnet delegated to SQL Managed Instance must not have any [write or delete locks](../../azure-resource-manager/management/lock-resources.md) placed on the virtual network resource, its parent resource group, or subscription. Placing locks on the virtual network or its parent resources may prevent SQL Managed Instance from completing its regular maintenance and cause degraded performance, delayed bugfixes, loss of regulatory compliance, operation outside of SLOs, and make the instance unusable.
104
-
-**Allowed by Azure policies:** If you leverage [Azure Policy](../../governance/policy/overview.md) to control the creation, modification and deletion of resources via deny effects in the scope that includes the virtual network whose subnet is delegated to SQL Managed Instance, you need to take steps to ensure that such policies do not prevent SQL Managed Instance from deploying or performing regular maintenance. If resources of those resource types cannot be created or managed by SQL Managed Instance, it may fail to deploy or become unusable following a maintenance operation. The types of resources that need to be excluded from deny effects are:
-**Allowed by Azure policies:**If you use [Azure Policy](../../governance/policy/overview.md)'s to deny the creation or modification of resources in the scope that includes SQL Managed Instance subnet/virtual network, such policies should not prevent Managed Instance from managing its internal resources. The following resources need to be excluded from deny effects to enable normal operation:
104
+
- Resources of type Microsoft.Network/serviceEndpointPolicies, when resource name begins with \_e41f87a2\_
105
+
-All resources of type Microsoft.Network/networkIntentPolicies
106
+
-All resources of type Microsoft.Network/virtualNetworks/subnets/contextualServiceEndpointPolicies
107
+
-**Locks on virtual network:**[Locks](../../azure-resource-manager/management/lock-resources.md) on the dedicated subnet's virtual network, its parent resource group, or subscription, may occasionally interfere with SQL Managed Instance's management and maintenance operations. Take special care when you use such locks.
108
108
109
109
> [!IMPORTANT]
110
110
> When you create a managed instance, a network intent policy is applied on the subnet to prevent noncompliant changes to networking setup. After the last instance is removed from the subnet, the network intent policy is also removed. Rules below are for the informational purposes only, and you should not deploy them using ARM template / PowerShell / CLI. If you want to use the latest official template you could always [retrieve it from the portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md).
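Review bot: The new **Locks on virtual network:** bullet at the end of the hunk turns a hard requirement into a soft caution and drops the stated consequences: the removed **Unlocked resources:** bullet said the virtual network, its parent resource group and subscription "must not have any write or delete locks" and spelled out what happens otherwise (maintenance cannot complete, degraded performance, delayed bugfixes, loss of regulatory compliance, operation outside of SLOs, an unusable instance), whereas the replacement only says locks "may occasionally interfere" and to "take special care". Keep the "must not" wording, or at least retain the failure mode, so an operator reading only this list understands that a lock can block the service's own maintenance rather than merely inconvenience it. The same softening appears in the rewritten **Allowed by Azure policies:** bullet, where "you need to take steps to ensure that such policies do not prevent SQL Managed Instance from deploying or performing regular maintenance" became "such policies should not prevent Managed Instance from managing its internal resources"; the deploy/maintenance consequence ("it may fail to deploy or become unusable following a maintenance operation") is worth carrying over. Two markdown nits in the added lines: `**Dedicated subnet:**SQL`, `**Allowed by Azure policies:**If` and `**Locks on virtual network:**[Locks]` are missing the space after the closing `**` that the unchanged bullets (Subnet delegation, NSG, UDR, Sufficient IP addresses) have, and "If you use [Azure Policy](...)'s to deny" has a stray possessive and should read "If you use [Azure Policy](...) to deny".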