Indexer connections to Azure SQL Managed Instance through a public endpoint

  • Article

Indexers in Azure AI Search connect to external data sources over a public endpoint. If you're setting up an Azure SQL indexer for a connection to a SQL managed instance, follow the steps in this article to ensure the public endpoint is set up correctly.

Alternatively, if the managed instance is behind a firewall, create a shared private link instead.

Note

Always Encrypted columns are not currently supported by Azure AI Search indexers.

Enable a public endpoint

This article highlights just the steps for an indexer connection in Azure AI Search. If you want more background, see Configure public endpoint in Azure SQL Managed Instance instead.

  1. For a new SQL Managed Instance, create the resource with the Enable public endpoint option selected.

    Enable public endpoint

  2. Alternatively, if the instance already exists, you can enable public endpoint on an existing SQL Managed Instance under Security > Virtual network > Public endpoint > Enable.

    Enable public endpoint using managed instance VNET

Verify NSG rules

Check the Network Security Group has the correct Inbound security rules that allow connections from Azure services.

NSG Inbound security rule

Restrict inbound access to the endpoint

You can restrict inbound access to the public endpoint by replacing the current rule (public_endpoint_inbound) with the following two rules:

  • Allowing inbound access from the AzureCognitiveSearch service tag ("SOURCE" = AzureCognitiveSearch, "NAME" = cognitive_search_inbound)

  • Allowing inbound access from the IP address of the search service, which can be obtained by pinging its fully qualified domain name (for example, <your-search-service-name>.search.azure.cn). ("SOURCE" = IP address, "NAME" = search_service_inbound)

For each rule, set "PORT" = 3342, "PROTOCOL" = TCP, "DESTINATION" = Any, "ACTION" = Allow.

Get public endpoint connection string

Copy the connection string to use in the search indexer's data source connection. Be sure to copy the connection string for the public endpoint (port 3342, not port 1433).

Public endpoint connection string

Next steps

With configuration out of the way, you can now specify a SQL managed instance as an indexer data source using the basic instructions for setting up an Azure SQL indexer.