SQL managed instance backup

[tm67]

Hi
#07948219
I have some issues protecting my SQL managed instance.
Basically, the issue is that I have enabled public network access but limited with a network security group the access to port 3342 from only specific sources.
Support told me that I have to open port 3342 from "any", they cannot provide a source IP list. This is absolutely not a valid solution in my opinion.
Is there no way Veeam can provide this source IP list so I can restrict the access?

Another solution would be to allow a connection with a private endpoint while the public endpoint is enabled. But this seems to be not possible at the moment. Maybe this could be added in a future release?

The other solution support provided me is to deploy another SQL managed instance just for backup as a staging server. This is also not a valid solution for me since it generates extra costs for no reason.

Is there no other way in my setup to protect this SQL managed instance?

Timo

[nielsengelen]

Hi Timo,

We do support private connectivity/endpoints for AzureSQL (you should just accept the endpoint for it) as described in our user guide.

Did you look into this already?

[tm67]

Hi Niels
Yes this should be possible. But the issue is that I have enabled public access (since its needed for some services).
And as soon as public access is enabled, the private access will not work / will not be considered. (this is what support told me)
It would be best if I had the option to "force" the use of private endpoint.
Or if I would get an IP list to limit the access for public endpoints. But this is not possible (also what support told me)

[nielsengelen]

Hi Timo,

I don't think getting this full list is possible due to Azure's architecture. Regarding using private mode first, this does make sense and we'll discuss internally if we can enhance it.

[tm67]

Hi Niels
Is this something that might come soon? If not, we will need to protect those managed instances by another method outside Veeam.

[nielsengelen]

I cannot place a timeline on it as of now. I did see your request as well for Files and the list of IPs. Please give me some time to figure out if anything could be provided. I know that there is a general document from Microsoft with Azure IP Ranges and Service Tags – Public Cloud which could be a start.

[tm67]

Thank you, Niels! I thought I'd do separate requests since maybe those services operate differently so you can track them separately.