Azure SQL Database managed instance - Security risk in opening ports 1438, 1440, 1452, 9000 and 9003 for Inbound security rules

  • Question

  • The Managed Instance mandatory inbound security rules require management ports 9000, 9003, 1438, 1440, 1452 to be open from Any source on the Network Security Group (NSG) that protects the Managed Instance. Although these ports are open at the NSG level, they are protected at the network level by the built-in firewall.

    Opening the ports violates the client's no-trust security policy and our client wants to know if there is a workaround for this issue and specifically what we have to do to resolve this. Has anything changed with respect to the above rules/policies?
    Friday, October 18, 2019 7:08 PM
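As an added example (not part of this thread and not Microsoft tooling), the following Python audit takes inbound NSG rules in the shape produced by `az network nsg rule list -o json` and flags any Allow rule reachable from Any source that exposes ports beyond the five management ports named above; the sample rules are constructed for the example.

```python
# Added audit example: flag inbound Allow rules open from Any source on ports other than
# the MI management ports the thread names. Field names follow the Azure NSG rule schema;
# the rule contents in SAMPLE_RULES are constructed, not taken from a real deployment.
MI_MANAGEMENT_PORTS = {9000, 9003, 1438, 1440, 1452}
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def expand_ports(spec):
    """'*' -> None (all ports); '9000-9003' -> {9000,...,9003}; '1438' -> {1438}."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def rule_ports(rule):
    """Union of a rule's destination ports, or None if the rule allows every port."""
    ports = set()
    for spec in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        expanded = expand_ports(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports

def audit_any_source_rules(rules):
    """Return (rule name, reason) for inbound Allow rules reachable from Any source
    that expose anything beyond the mandatory management ports."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if not any(src in ANY_SOURCES for src in sources):
            continue  # source is already restricted; not the concern raised in the thread
        ports = rule_ports(rule)
        if ports is None:
            findings.append((rule["name"], "all ports open from Any source"))
        elif ports - MI_MANAGEMENT_PORTS:
            extra = sorted(ports - MI_MANAGEMENT_PORTS)
            findings.append((rule["name"], f"non-management ports open from Any: {extra}"))
    return findings

SAMPLE_RULES = [  # constructed sample; prefixes and extra ports are illustrative only
    {"name": "allow_management_inbound", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["9000", "9003", "1438", "1440", "1452"]},
    {"name": "allow_tds_inbound", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "1433"},
    {"name": "allow_rdp_any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow_all_any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
```

Running `audit_any_source_rules(SAMPLE_RULES)` leaves the management rule and the source-restricted TDS rule alone and reports only the two rules that widen exposure beyond what the service requires.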

Answers

All replies

    >> The Managed Instance mandatory inbound security rules require management ports 9000, 9003, 1438, 1440, 1452 to be open from Any source on the Network Security Group (NSG) that protects the Managed Instance. Although these ports are open at the NSG level, they are protected at the network level by the built-in firewall.

    >> Opening the ports violates the client's no-trust security policy and our client wants to know if there is a workaround for this issue and specifically what we have to do to resolve this. Has anything changed with respect to the above rules/policies?

    Good day ,

    As much as I understand, the ports 9000, 9003, 1438, 1440, 1452 are used for internal management by the Azure system (which is why they are open from Any source and not just from your NSG). This is a service and not an on-premises physical machine, and someone/something must manage it, which means it must connect to it, and you have the service dependencies. As you said, these ports "are protected at the network level by the built-in firewall".

    >> Opening the ports violates the client's no-trust security policy and our client wants to know if there is a workaround for this issue and specifically what we have to do to resolve this. Has anything changed with respect to the above rules/policies?

    As much as I know (maybe someone from the MI team will correct me on this), you cannot change these rules since they are mandatory for the service dependencies.


    Ronen Ariely

    Saturday, October 19, 2019 1:13 AM
    Moderator
  • Hi Vinodh

    We are checking with our Product team regarding this and will get back to you.

    Thanks
    Navtej S

    Saturday, October 19, 2019 3:07 AM
    Moderator
  • Thanks for your response, Ronen. But with the ports being wide open to a large volume of traffic, might that not lead to possible security risks?
    Tuesday, October 22, 2019 4:44 PM
  • Navtej,

    Could you please provide an ETA for this request?

    Thanks,

    Vinodh

    Tuesday, October 22, 2019 4:46 PM
  • Hi Vinodh

    We have got a response from the PG team that these rules are required for Managed Instance to function within the scope of the customer's VNET.

    But they also mentioned that the service-aided network configuration feature is in public preview and, among other things, addresses this concern. Here are the links for the same:

    https://azure.microsoft.com/en-us/updates/service-aided-subnet-configuration-for-azure-sql-managed-instance-is-now-available-in-preview/

    https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-connectivity-architecture#service-aided-subnet-configuration-public-preview-in-east-us-and-west-us

    Hope this helps.

    Thanks
    Navtej S


    Thursday, October 24, 2019 8:22 PM
    Moderator