Frequently asked questions - SQL Server enabled by Azure Arc

General FAQ

Can I exclude any SQL Server instances when I onboard with Azure Policy with SQL Server enabled by Azure Arc?

Yes, you can use the excludedInstances setting in the Azure Policy to indicate the SQL Server instances that you don't want to include in the onboarding process.

For example, if you have any standby instances, you might not want to view them in the portal. When you use Azure Policy to onboard, you can exclude such instances based using pattern matching of the instance names.

  1. Create a copy of the definition that we provide in Azure to create a custom definition.
  2. Set the value for excluded instances in the custom definition.
  3. Target the subscription and resource group.

Is the data from my instance of SQL Server sent to Azure?

No. Microsoft only captures metadata and information about your SQL Server to help troubleshoot and inventory. The data sent doesn't include user data or about your utilization of SQL Server.

Billing

Does pay-as-you-go billing stop charging when connectivity between the SQL Server resource and Azure is temporarily interrupted?

No, Intermittent internet connectivity doesn't stop the pay-as-you-go billing. The usage is reported and accounted for by the billing logic when the connectivity is restored.

Do I get charged if my virtual machine is stopped?

No. When the VM is stopped, the usage data isn't collected. Therefore, you'll not be charged for the time the VM was stopped.

Do I get charged if my SQL Server instance is stopped?

No. The usage data collection requires an active SQL Server instance. Therefore, you'll not be charged for the time the SQL Server instance was stopped.

Do I get charged if my SQL Server instance was running for less than an hour?

The billing granularity is one hour. If your instance was active for less than an hour, you are billed for the full hour.

Is there a minimum number of cores with pay-as-you-go billing?

Pay-as-you-go billing doesn't change the licensing terms of SQL Server. Therefore, it's subject to the four-core limit as defined in the SQL Server licensing terms.

If the affinity mask is specified for my SQL Server to use a subset of virtual cores, will it reduce the pay-as-you-go-charges?

No. When you run your SQL Server instance on a virtual or physical machine, you're required to license the full set of cores that the machine can access. Therefore, your pay-as-you-go charges are based on the full core count even if you use the affinity mask to limit your SQL Server's usage of these cores. See SQL Server licensing guide for details.

Can I switch from pay-as-you-go to license and vice versa?

Yes, you can change your selection. To change, run SQL Server Setup again, and choose the Maintenance tab, then select Edition Upgrade. The mode is now changed to Enterprise license. To revert back to pay-as-you-go, you can use the same steps and change the setting.

Security

What are the best practices for security?

Is TDE with Azure Key Vault supported?

No. TDE with Azure Key Vault is not supported today SQL Server enabled by Azure Arc. You can manually set up TDE for your own instances.

Is there key vault support?

Yes, there is key vault support today for SQL Server enabled by Azure Arc for storing the Microsoft Entra ID certificate.

Yes. SQL Server enabled by Azure Arc supports Private Link for most endpoints, but some endpoints don't require Private Link and some endpoints aren't supported. For specific information, see Connected Machine agent network requirements.

What configuration changes are made?

You can find details on the roles created by the Azure extension for SQL Server at Roles created by Azure extension for SQL Server installation.

What is the URL list of endpoints that need to be opened up?

You need to open up the endpoint at *.<region>.arcdataservices.com. For specific information, review Prerequisites - Connect to Azure Arc data processing service.

Does TLS inspection work with Azure Extension for SQL Server?

If your organization uses TLS inspection, the Azure Extension for SQL Server does not use certificate pinning and will continue to work, so long as your machine trusts the certificate presented by the TLS inspection service. For information on TLS inspection with Azure Arc-enabled server extension, see Network Security.

What are the details on the permissions assigned?

What user is the Microsoft SQL Server extension service running as?

When the least privileges mode is enabled, then it runs as the NT Service\SQLServerExtension account. When it is disabled, it runs as Local System. To enable least privilege mode, review Least privilege mode (preview).

Is least privilege mode supported for SQL Server enabled by Azure Arc?

Yes, least privilege mode is currently in preview for SQL Server enabled by Azure Arc. When this mode is generally available, least privilege mode will become the default configuration. Existing deployments will also be migrated automatically to least privilege mode to bolster security. Learn more about the permission assigned at Configure Windows service accounts and permissions for Azure extension for SQL Server.

How do I set the minimum permissions to deploy SQL Server enabled by Azure Arc?

Least privileges mode uses the minimum amount of permissions to deploy SQL Server enabled by Azure Arc.