A cloud account represents an Azure subscription. You can use one of two authentication methods for the subscription: a Microsoft Entra ID application or managed identity. The authentication method that you used to create the cloud account determines how you configure the Azure SQL Managed Instance blob credential.
Set up Azure Blob Storage to store backup and restore files, and then give your Azure SQL Managed Instance access to the files by using either a Microsoft Entra ID application or managed identity.
Requirements
If the storage account allows access only from selected networks or private endpoints, both of the following resources must be able to reach the blob service endpoint:
- The Azure SQL Managed Instance
- The access node
If the Azure SQL Managed Instance and the access node are deployed in different virtual networks, configure connectivity for each virtual network.
You can use either of the following Azure networking methods:
- Service endpoints, when the resources are in the same region and you want traffic to use the Azure backbone. For service endpoints, enable the Microsoft.Storage service endpoint on the required subnets, and then allow those subnets on the storage account. For more information, see Azure virtual network service endpoints and Azure Storage firewall rules.
- Private endpoints, when you require private connectivity, cross-region access, or your security policy requires private access. For private endpoints, create a private endpoint for the blob subresource and configure DNS for privatelink.blob.core.windows.net. If the Azure SQL Managed Instance and the access node are in different virtual networks, make sure that both virtual networks can resolve and reach the private endpoint. For more information, see Use private endpoints for Azure Storage.
Set up access by using a Microsoft Entra ID application
You can use a Microsoft Entra ID application to access backup and restore files in Azure Blob Storage.
Generate a shared access signature (SAS) token for the storage account, and then create a T-SQL credential for the Azure SQL Managed Instance.
- Generate a shared access signature (SAS) token for the storage account. For Azure guidance, see Delegate access with shared access signatures.
  Make sure that the SAS token includes at least the following settings:
  - Allowed services: Blob
  - Allowed resource types: Container and Object
  - Allowed permissions: Read, Write, and Create
- Use CREATE CREDENTIAL (Transact-SQL) to create a T-SQL credential in the Azure SQL Managed Instance. Use the following values:
  - CREDENTIAL_NAME: The Azure Blob Storage URL with commvault appended. The container name must be commvault.
  - IDENTITY: Shared Access Signature
  - SECRET: The SAS token
  Example statement:
    CREATE CREDENTIAL [https://testazurestorage.blob.core.windows.net/commvault]
    WITH IDENTITY = 'Shared Access Signature',
         SECRET = 'sas_token';
Set up access by using managed identity
You can use managed identity to access backup and restore files in Azure Blob Storage.
Assign the required Azure role to the managed identity, and then create a T-SQL credential for the Azure SQL Managed Instance.
- Assign the Storage Blob Data Contributor role to the managed identity of the Azure SQL Managed Instance and the access node.
- Use CREATE CREDENTIAL (Transact-SQL) to create a T-SQL credential in the Azure SQL Managed Instance. If a credential already exists for the same Blob container URL, remove or update it before you create the new credential.
  - Use the following values for the system-assigned managed identity:
    - CREDENTIAL_NAME: The Azure Blob Storage URL with commvault appended. The container name must be commvault.
    - IDENTITY: Managed Identity
    Example statement:
      CREATE CREDENTIAL [https://storageaccount.blob.core.windows.net/commvault]
      WITH IDENTITY = 'Managed Identity';
  - Use the following values for the user-assigned managed identity:
    - CREDENTIAL_NAME: The Azure Blob Storage URL with commvault appended. The container name must be commvault.
    - IDENTITY: Managed Identity
    - SECRET: The client ID of the user-assigned managed identity
    Example statement:
      CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/commvault]
      WITH IDENTITY = 'Managed Identity',
           SECRET = '<client-id-of-user-assigned-managed-identity>';
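Both procedures above (the SAS credential and the managed identity credential) share the same precondition: the credential is selected by name, the name must equal the container URL, and CREATE CREDENTIAL fails if that name already exists. The following T-SQL is an added example, not Commvault's or Microsoft's own script, that checks sys.credentials for the container URL, removes a stale entry, and then creates the credential for whichever authentication method the cloud account uses. The storage account name, the client ID and the SAS token value are placeholders constructed for the example.

```sql
-- Added example (not from the page): replace an existing credential for the
-- commvault container before creating the new one, as the steps above require.
-- <storageaccount> is a placeholder. The credential name must equal the
-- container URL because SQL Server matches it against the backup URL.

DECLARE @container_url sysname = N'https://<storageaccount>.blob.core.windows.net/commvault';

-- 1. Inspect what already exists for this container URL. credential_identity
--    shows the authentication method ('Shared Access Signature' or
--    'Managed Identity'); the secret itself is never returned.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = @container_url;

-- 2. Remove the stale credential. Because SQL Server picks the credential
--    whose name matches the container URL, a leftover SAS credential would be
--    used instead of the managed identity one (and vice versa).
IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = @container_url)
BEGIN
    DECLARE @drop nvarchar(max) = N'DROP CREDENTIAL [' + @container_url + N'];';
    EXEC sys.sp_executesql @drop;
END;

-- 3. Create exactly one of the following, matching how the cloud account
--    authenticates. Only one of them may be uncommented at a time.

-- 3a. Microsoft Entra ID application: SAS token. Paste the token without the
--     leading '?' that the portal and CLI prepend; SQL Server rejects it otherwise.
--     The token below is a constructed placeholder, not a real signature.
CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/commvault]
WITH IDENTITY = 'Shared Access Signature',
     SECRET = 'sv=2022-11-02&ss=b&srt=co&sp=rwc&se=2030-01-01T00:00:00Z&sig=<signature>';

-- 3b. System-assigned managed identity: no secret.
-- CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/commvault]
-- WITH IDENTITY = 'Managed Identity';

-- 3c. User-assigned managed identity: SECRET is the identity's client ID.
-- CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/commvault]
-- WITH IDENTITY = 'Managed Identity',
--      SECRET = '<client-id-of-user-assigned-managed-identity>';

-- 4. Confirm the result: exactly one row, with the expected credential_identity.
SELECT name, credential_identity, modify_date
FROM sys.credentials
WHERE name = @container_url;
```

Run the script in the context of the managed instance (master database) with a login that holds ALTER ANY CREDENTIAL. When rotating a SAS token before its expiry, ALTER CREDENTIAL ... WITH IDENTITY = 'Shared Access Signature', SECRET = '<new-token>' avoids the drop-and-create window, during which a scheduled backup would fail with OS Error 86.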
Validate blob storage access
Run a test backup from the access node to confirm that the credential and permissions are configured correctly.
- Connect to the Azure SQL Managed Instance from the access node by using SQL Server Management Studio (SSMS).
- Run the following T-SQL command:
    BACKUP DATABASE [database_name]
    TO URL = 'https://storageaccount.blob.core.windows.net/commvault/database_name.bak'
    WITH COPY_ONLY;
Common issues
- OS Error 5 (Access is denied): The managed identity of the Azure SQL Managed Instance might not have the Storage Blob Data Contributor role, or storage account network rules might block the subnet. Assign the required role and allow the subnet in the storage account networking settings.
- OS Error 86 (The specified network password is not correct): The T-SQL credential might be missing, expired, or misconfigured, such as a user-assigned managed identity without a client ID. Verify and update the credential configuration.
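The test backup above only exercises the write path. The following T-SQL is an added example, not part of the page, that extends the validation to a round trip: it writes a COPY_ONLY backup to the commvault container, reads the backup header back from the same blob (which requires the Read permission the SAS or role must grant), and then confirms from msdb which device the backup went to. The storage account name, database name and blob name are placeholders.

```sql
-- Added example (not from the page): round-trip validation of the blob
-- credential from the access node. <storageaccount> and [database_name] are
-- placeholders; the blob name is chosen so it cannot be mistaken for a
-- production backup.

-- 1. Write path. COPY_ONLY keeps the test out of the backup chain; CHECKSUM
--    makes the blob verifiable in step 2.
BACKUP DATABASE [database_name]
TO URL = 'https://<storageaccount>.blob.core.windows.net/commvault/database_name_credtest.bak'
WITH COPY_ONLY, CHECKSUM;

-- 2. Read path. Reading the header back uses the same credential (matched by
--    container URL) but needs Read rather than Write/Create, so it catches a
--    SAS token or role that was scoped too narrowly.
RESTORE HEADERONLY
FROM URL = 'https://<storageaccount>.blob.core.windows.net/commvault/database_name_credtest.bak';

-- 3. Confirm that msdb recorded the backup and the blob it was written to.
--    physical_device_name should show the https://... URL, not a local path.
SELECT TOP (1)
       bs.database_name,
       bs.backup_finish_date,
       bs.is_copy_only,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = N'database_name'
ORDER BY bs.backup_finish_date DESC;
```

If step 1 fails with OS Error 5 or 86, apply the checks listed under Common issues above before retrying; if step 1 succeeds but step 2 fails, the credential is valid and the network path is open, so the gap is in the permissions granted to it.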