Backing up SQL Server databases in an AG using a Standard ILB to RSV on IaaS vm's in Azure

Laurence Schwarz 1 Reputation point
2021-01-14T20:33:49.503+00:00

Hello,

There is an understanding that when backing up SQL Server databases that reside on IaaS vm's in an AG in Azure to RSV that if a Standard ILB is used, then a public IP is required to push the backups to RSV. I can't seem to find any documentation on this requirement. Why can't a private endpoint be used? We want to have an AG with two replica's in one region, and a replica in a different region for DR that will communicate over Global vNET peering, so Standard ILB's are required.

Thanks much,

Laurence M. Schwarz

SQL Server on Azure Virtual Machines
Azure Backup

1 answer

  1. SadiqhAhmed-MSFT 38,081 Reputation points Microsoft Employee
    2021-01-18T18:13:55.457+00:00

    @Laurence Schwarz Welcome to the Microsoft Q&A community forum!
    Apologies for the delay in responding to your queries.

    Adding my 2 cents on this topic:

    It is an ILB limitation on the Standard SKU: it blocks all outbound public traffic by default.

    Standard Load Balancer is built on the zero trust network security model at its core. Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network. This means Standard Load Balancers and Standard Public IP addresses are closed to inbound flows unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource. To learn more about NSGs and how to apply them for your scenario, see Network Security Groups. Basic Load Balancer is open to the internet by default. In addition, Load Balancer does not store customer data.
    https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#securebydefault

    And for SQL-based backups to run on an Azure VM, the VM needs connectivity to the Azure service IPs for Azure Backup, Storage and AAD. You will still have to find a way to reach AAD from those VMs, as private endpoints only support the Storage and Backup services out of the required list.

    https://learn.microsoft.com/en-us/azure/backup/private-endpoints

    • Azure Active Directory doesn't currently support private endpoints. So IPs and FQDNs required for Azure Active Directory to work in a region will need to be allowed outbound access from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable.


    If the response helped, do "Accept Answer" and up-vote it

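The answer above boils down to a checklist: the backup extension on the VM must reach the AzureBackup, Storage and AzureActiveDirectory service tags, and a private endpoint on the vault only takes care of the first two. The following script, added here as an example and not code from Microsoft or from the thread, audits an NSG's outbound rules against that checklist. It assumes the rule shape that `az network nsg show -o json` returns (name, priority, direction, access, protocol and the destinationAddressPrefix/destinationPortRange fields); the sample NSG rules are constructed for the demonstration.

```python
"""Audit an NSG's outbound rules for the destinations that Azure Backup of
SQL Server on an Azure VM needs (AzureBackup, Storage, AzureActiveDirectory).
Added example, not Microsoft code. Assumed input shape: the flattened rule
objects produced by `az network nsg show -o json`."""

from typing import Dict, List

# Service tags the backup extension must reach over TCP/443.
BACKUP_TAGS = ("AzureBackup", "Storage")
AAD_TAG = "AzureActiveDirectory"

# Azure's built-in default outbound rules; they apply after any custom rule.
DEFAULT_OUTBOUND_RULES = [
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "destinationAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "destinationAddressPrefix": "Internet",
     "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def _prefixes(rule: Dict) -> List[str]:
    single = rule.get("destinationAddressPrefix")
    return [single] if single else list(rule.get("destinationAddressPrefixes") or [])


def _port_ranges(rule: Dict) -> List[str]:
    single = rule.get("destinationPortRange")
    return [single] if single else list(rule.get("destinationPortRanges") or [])


def _port_covered(port: int, ranges: List[str]) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _tag_covered(tag: str, prefixes: List[str]) -> bool:
    # Public Azure service IPs fall under the Internet tag for NSG matching,
    # so a rule for "Internet" or "*" also matches traffic to a service tag.
    return any(p in (tag, "Internet", "*") for p in prefixes)


def outbound_verdict(rules: List[Dict], tag: str, port: int = 443) -> str:
    """Access ('Allow' or 'Deny') of the first rule, in priority order, that
    matches outbound TCP traffic to tag:port. Default rules are appended so a
    verdict always exists."""
    candidates = [r for r in rules if r.get("direction") == "Outbound"] + DEFAULT_OUTBOUND_RULES
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if rule.get("protocol", "*") not in ("Tcp", "*"):
            continue
        if _tag_covered(tag, _prefixes(rule)) and _port_covered(port, _port_ranges(rule)):
            return rule["access"]
    return "Deny"


def missing_backup_egress(rules: List[Dict], private_endpoints: bool) -> List[str]:
    """Service tags the NSG blocks although the backup extension needs them.
    With private endpoints on the Recovery Services vault, AzureBackup and
    Storage are reached inside the VNet, so only Azure AD still needs a public
    egress rule, which is the point made in the answer."""
    needed = [AAD_TAG] if private_endpoints else [AAD_TAG, *BACKUP_TAGS]
    return [tag for tag in needed if outbound_verdict(rules, tag) != "Allow"]


# Constructed sample: a locked-down subnet NSG that allows Azure AD by service
# tag but denies everything else bound for the internet.
SAMPLE_NSG_RULES = [
    {"name": "AllowAzureADOutbound", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "Tcp", "destinationAddressPrefix": "AzureActiveDirectory",
     "destinationPortRange": "443"},
    {"name": "DenyInternetOutbound", "priority": 4000, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationAddressPrefix": "Internet",
     "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for pe in (False, True):
        print(f"private endpoints={pe}: missing egress for {missing_backup_egress(SAMPLE_NSG_RULES, pe)}")
```

The check only tells you whether the NSG permits the flow; a backend VM that sits only behind a Standard internal load balancer still has no public egress path of its own, so the allowed Azure AD traffic additionally needs a route out (the public IP the question mentions, or an equivalent outbound path), and the NSG audit is the complement to that, not a substitute.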