Azure SQL with Managed Identity Authentication
This guide demonstrates the most secure method for connecting to Azure SQL Database and Azure SQL Managed Instance using VM-attached managed identities, eliminating the need to manage credentials or connection strings. For alternative authentication methods and detailed configuration options, refer to:- Azure SQL authentication methods overview
- Managed identities for Azure resources
- Configure Azure AD authentication for SQL Database
- Connect to Azure SQL with managed identity
Step 1: Create Azure VM with System-Assigned Managed Identity
-
Create VM with Managed Identity
- Go to Azure Portal → Virtual Machines
- Click Create → Azure virtual machine
- Configure VM settings as needed
-
Under Management tab:
- Enable System assigned managed identity: Set to On
- Complete VM creation
Security Best Practice: System-assigned managed identities are automatically managed by Azure and tied to the VM lifecycle. This eliminates credential management and reduces security risks. Learn more: Managed identity best practices
- Deploy Bytebase on the VM Deploy Bytebase on your Azure VM. The VM’s managed identity is automatically available - no credential configuration needed.
Step 2: Configure Azure SQL Database
-
Enable Microsoft Entra Authentication
- Navigate to your Azure SQL Server in Azure Portal
- Go to Settings → Microsoft Entra ID
- Click Set admin and select an Entra admin account
- Click Save to enable Entra authentication Reference: Configure Entra authentication for Azure SQL
-
Grant Database Access to Managed Identity
- Note your VM’s managed identity name (same as VM name)
- Connect to Azure SQL using the Entra admin account
- Run the following for each database:
Production Best Practice: Follow the principle of least privilege. Grant only the minimum permissions required for your use case. See Azure SQL Database permissions.
Step 3: Connect from Bytebase
- Access Bytebase on your VM (typically
http://localhost:5678
) - Click New Instance
- Configure the connection:
- Host: Your Azure SQL server name (e.g.,
yourserver.database.windows.net
) - Port: 1433
- Database: Target database name
- Authentication: Select
Azure Default Credential
- Host: Your Azure SQL server name (e.g.,
- Test and save the connection
Advantages of this approach:
- No passwords or connection strings to manage
- Automatic credential rotation handled by Azure
- Enhanced security through Azure RBAC
- Simplified compliance and auditing
Alternative: User-Assigned Managed Identity
For more granular control or cross-resource scenarios:-
Create User-Assigned Managed Identity
- Go to Managed Identities
- Create a new identity with a descriptive name
- Assign it to your VM under Settings → Identity → User assigned
-
Configure Database Access
-
Set Environment Variable (if using multiple identities)
Azure Database for PostgreSQL
Entra ID Authentication
-
Enable Entra Authentication
- In Azure Portal, navigate to your PostgreSQL server
- Go to Authentication → Active Directory admin
- Set an Entra admin and save
-
Create Database User
Connect as the Entra admin and run:
-
Connect from Bytebase
- Host: Your PostgreSQL server name
- Port: 5432
- Username: VM name (for system-assigned identity)
- Authentication: Select
Azure Default Credential
Azure Database for MySQL
Entra ID Authentication
-
Enable Entra Authentication
- Navigate to your MySQL server in Azure Portal
- Go to Active Directory admin
- Set an Entra admin
-
Create Database User
-
Connect from Bytebase
- Host: Your MySQL server name
- Port: 3306
- Username: VM name
- Authentication: Select
Azure Default Credential
Private Endpoints and VNet Integration
For enhanced security using private endpoints:Configure Private Endpoint
-
Create Private Endpoint
- Navigate to your database resource
- Go to Networking → Private endpoint connections
- Click + Private endpoint
- Select your VNet and subnet
- Complete the configuration
-
Update DNS
- Use Azure Private DNS zones for automatic resolution
- Or manually configure DNS for the private endpoint
-
Connect from Bytebase
- Deploy Bytebase in the same VNet or peered VNet
- Use the private endpoint DNS name for connection
Best Practices
- Use Managed Identities: Eliminate password management overhead
- Enable Private Endpoints: Restrict database access to your VNet
- Follow Least Privilege: Grant minimal required permissions
- Enable Auditing: Use Azure SQL Auditing for compliance
- Use Azure Key Vault: For scenarios requiring password storage
Troubleshooting
Authentication Failed
- Verify managed identity is properly assigned to VM
- Check database user was created with
FROM EXTERNAL PROVIDER
- Ensure Entra authentication is enabled on the database
Connection Timeout
- Verify network security group rules
- Check VNet and subnet configuration
- Ensure database firewall rules allow your IP
Private Endpoint Issues
- Verify DNS resolution for private endpoint
- Check VNet peering if using multiple VNets
- Ensure network security allows traffic
Managed Identity Not Working
- Restart VM after enabling managed identity
- Check Azure RBAC assignments
- Verify IMDS endpoint is accessible from VM