I'm looking for advice on securing our SQL Managed Instance, which is currently exposed via a public endpoint despite having access restricted through a Network Security Group (NSG). Some allowed IP addresses belong to developers working from home. We're considering connecting the instance to our hub-and-spoke network, but feedback from Microsoft suggests that using an Azure Firewall isn't common practice. We're leaning towards maintaining the VNet as is. Should we focus on minimizing the reliance on public endpoints, possibly setting up a VPN for developers? What other measures can be taken to enhance security beyond using Defender for SQL? I'm eager to hear what others are doing to protect their setups!
2 Answers
Are you sure this is your production database? Allowing public access, even with authentication, feels risky. Devs shouldn't need direct access to production databases, really. It's worth reconsidering who needs access.
Funny enough, Azure Managed Instances are generally secure by default. Someone had to specifically enable that public endpoint. If many developers need access, I’d suggest switching to a private endpoint and considering something like a Point-to-Site (P2S) VPN or using Bastion for secure access.
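
As an added example (not from either answer above), here is how the "turn the public endpoint off and audit what the NSG lets in" step from this answer looks in Az PowerShell. It assumes the Az.Sql and Az.Network modules are installed and you are signed in; the resource group, instance and NSG names are placeholders. The public data endpoint listens on TCP 3342, while VNet-internal (and P2S VPN) clients reach the instance on TCP 1433 at its private address, so the script looks for rules that open 3342.

```powershell
# Added example, not code from the original thread.
# Placeholder names (hypothetical): adjust to your environment.
$rg  = 'rg-data'
$mi  = 'sqlmi-prod'
$nsg = 'nsg-sqlmi'

# 1. Is the public data endpoint enabled? It is disabled by default on a new instance,
#    so a value of True means someone turned it on deliberately.
$inst = Get-AzSqlInstance -ResourceGroupName $rg -Name $mi
"Public data endpoint enabled: $($inst.PublicDataEndpointEnabled)"

# 2. List inbound Allow rules in the instance's NSG that expose the public endpoint port
#    (TCP 3342) or all ports. Each SourceAddressPrefix here is a home or office IP you are
#    trusting; review them before, and remove them after, switching to private access.
$open3342 = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.DestinationPortRange -contains '3342' -or $_.DestinationPortRange -contains '*')
    }
$open3342 | Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange -AutoSize

# 3. Disable the public data endpoint. Clients already inside the VNet, or coming in over a
#    Point-to-Site VPN or through Bastion, keep connecting on 1433 to the private FQDN
#    (<instance>.<dns-zone>.database.windows.net), so they are unaffected.
Set-AzSqlInstance -ResourceGroupName $rg -Name $mi -PublicDataEndpointEnabled $false -Force

# 4. Re-read the setting to confirm the change took effect.
(Get-AzSqlInstance -ResourceGroupName $rg -Name $mi).PublicDataEndpointEnabled
```

Run steps 1 and 2 first and share the rule list with whoever owns the developer access list; once every remaining consumer has a path over the VPN, run step 3, then delete the 3342 rules from the NSG so the exposure cannot be re-enabled by flipping one setting.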

I totally agree! I was also going to mention that default settings usually prioritize security. Have you thought about going full private endpoint?