
Azure Arc-enabled SQL Server

Azure Arc projects a SQL Server instance running anywhere (on-prem, AWS EC2, GCP, edge) into Azure as a first-class resource. Once Arc-enabled, the SQL Server can use a curated subset of Azure management services as if it were an Azure VM, without moving any data or changing the connection string the application uses.

Real-World DBA Note

Why customers care: Migrations take years. Arc gives you Azure governance, security, backup, and centralized monitoring on the SQL estate today, while the migration plan runs in parallel. It is the single most useful "starting point" service for an on-prem SQL DBA being told "we want to be on Azure".

At a glance

  • 0 inbound ports opened: outbound HTTPS 443 only. No firewall changes that increase exposure.
  • ~5 min onboarding per server: one signed script. The Connected Machine agent registers in minutes.
  • 0 GB customer database data sent: configuration + telemetry only. The database stays where it runs.
  • $0 Arc onboarding cost: free. You pay only when you opt into Defender, Monitor, Backup, Purview or ESUs.

Pricing model

Arc onboarding (agent + inventory + Best Practices Assessment) is free. Each value-add plan (Defender for SQL, Backup, Monitor / Log Analytics, Purview, ESUs) is opt-in and billed separately. Scope plans via Azure Policy rather than the subscription default if you want selective coverage.

Architecture

Three zones. One outbound connection. Zero inbound exposure. Only metadata, configuration, and telemetry are transmitted to Azure; no customer database data plane traffic is sent.

Customer datacenter (TCP 443 outbound to Azure):
  • SQL Server 2022 on the host (example host vm-arc-sql, WS2022)
  • Connected Machine Agent (himds service)
  • SQL extension (WindowsAgent.SqlServer)
  • Proxy / Private Link (optional)

Microsoft Azure:
  • Azure Arc: connected machine resource
  • Arc-enabled SQL Server: first-class resource
  • Defender for SQL: vulnerability assessment + threat protection
  • Purview: data discovery
  • Azure Monitor + Log Analytics
  • Azure Policy + RBAC
  • Update Manager: OS + SQL patching

Capabilities unlocked by Arc for SQL

  • Defender for SQL: Vulnerability Assessment + threat protection. Same engine as Azure SQL DB. Billed per vCore.
  • Best practices assessment: free configuration & performance scan curated by the SQL product group. Surfaces TempDB, MaxDOP, instant file init, etc.
  • Automated backups to Azure: policy-driven backups to Azure Blob with central retention, point-in-time restore, cross-region copy.
  • Microsoft Entra authentication: sign in to on-prem SQL Server 2022+ with Entra identities (no domain controller required).
  • Azure Monitor + Log Analytics: centralize SQL Server logs/perf counters from any environment. KQL queries across the estate.
  • Resource Graph & Policy: inventory, tag and apply Azure Policy across the entire SQL estate from a single pane.
  • Extended Security Updates: pay-as-you-go ESU billing for SQL 2012/2014 via Azure invoice, no upfront ESU contract.
  • Migration assessment: built-in readiness scan for moving to Azure SQL DB / MI / VM. Free.
  • Purview integration: catalog and classify on-prem SQL data alongside cloud sources.
  • Update Manager: centralized OS + SQL Server patching on a schedule for the entire Arc estate.

The two resource types you create

| Resource type | What it represents | Lifecycle |
| --- | --- | --- |
| Microsoft.HybridCompute/machines | The host OS (Windows / Linux server) | Lives until you uninstall the Connected Machine agent or run az connectedmachine delete |
| Microsoft.AzureArcData/sqlServerInstances | A SQL Server instance discovered on the host | Auto-created/removed by the Arc SQL extension |

Each instance also has a child collection of databases as readable Azure resources, which is useful for Resource Graph queries like "show me every SQL DB across the estate over 1 TB on a sub-2019 engine".

What Arc DOES vs DOES NOT do

What Azure Arc DOES
  • Outbound HTTPS only: TCP 443, TLS 1.2
  • Sends telemetry + configuration only; no customer database data plane traffic
  • Supports Managed Identity or Service Principal authentication
  • Integrates with Azure RBAC, Policy, and Activity Logs
  • Supports private connectivity via Azure Arc Private Link Scope
  • Uses Microsoft-signed agents and extensions

What Azure Arc DOES NOT do
  • Does not open inbound ports
  • Does not move customer database data
  • Does not bypass firewall, proxy, or security controls
  • Does not require domain admin privileges
  • Does not require application or database changes
  • Does not convert SQL Server into a PaaS service

What Arc for SQL is not

| Misconception | Reality |
| --- | --- |
| "Arc moves my database to Azure" | No data movement. Database stays where it runs; only metadata + telemetry flows to Azure. |
| "Arc converts SQL Server to Azure SQL DB" | No. The engine, version, patching cadence and feature surface are unchanged. |
| "Arc is a replacement for migration" | It's a bridge. Customers typically run Arc for 1–2 years while planning a move to Azure SQL MI / DB. |
| "Arc-enabled SQL is free" | The Arc agent + inventory + best practices assessment are free. Each value-add plan (Defender, Backup, Entra auth, ESUs) bills separately. |
| "Arc requires opening inbound ports" | False. All communication is outbound HTTPS from the host to Azure. No inbound exposure. |

Connectivity modes

| Mode | Use when | Trade-off |
| --- | --- | --- |
| Direct | Host has outbound HTTPS to *.arc.azure.com, *.guestconfiguration.azure.com, login.microsoftonline.com | Simplest, full feature set, lowest latency for telemetry |
| Indirect (via Data Controller) | Air-gapped or proxied environments | More moving parts (Kubernetes-based DC); a few features lag; ~hourly upload cadence |

Required outbound URLs (direct mode)

| Endpoint | Port | Purpose |
| --- | --- | --- |
| *.his.arc.azure.com | 443/TCP | Hybrid Identity Service: agent registration & heartbeat |
| *.guestconfiguration.azure.com | 443/TCP | Guest configuration / policy delivery |
| *.servicebus.windows.net | 443/TCP | Live troubleshooting (SSH / Run Command) |
| login.microsoftonline.com | 443/TCP | Microsoft Entra authentication |
| login.windows.net | 443/TCP | Legacy Entra endpoint |
| management.azure.com | 443/TCP | ARM control plane |
| *.blob.core.windows.net | 443/TCP | Extension downloads + VA storage |
| packages.microsoft.com | 443/TCP | Signed agent + extension packages |

Customer firewall ticket = paste the table above + region tag.
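The firewall ticket is usually where onboarding stalls: a rule gets written for the wrong port, an exact host is approved where the agent needs a whole zone, or someone approves a wildcard far wider than the documented endpoint. The script below is an added example (not Microsoft's code and not from this page) that checks a proposed egress allowlist against the endpoint table above before the ticket goes to the network team. The required-endpoint table is taken from the page; the SAMPLE_TICKET entries are constructed, and the "host:port" allowlist syntax is an assumption about how the ticket is written.

```python
"""Check a proposed egress allowlist against the Arc direct-mode endpoint table.

Added example, not Microsoft's code. Required endpoints come from the page;
the sample ticket below is constructed.
"""

# Required outbound endpoints for direct mode (from the page). A leading "*."
# means any host under that zone, as in Microsoft's networking docs.
REQUIRED_ENDPOINTS = {
    "*.his.arc.azure.com": "Hybrid Identity Service: agent registration & heartbeat",
    "*.guestconfiguration.azure.com": "Guest configuration / policy delivery",
    "*.servicebus.windows.net": "Live troubleshooting (SSH / Run Command)",
    "login.microsoftonline.com": "Microsoft Entra authentication",
    "login.windows.net": "Legacy Entra endpoint",
    "management.azure.com": "ARM control plane",
    "*.blob.core.windows.net": "Extension downloads + VA storage",
    "packages.microsoft.com": "Signed agent + extension packages",
}
REQUIRED_PORT = 443

# Constructed sample of what a customer pasted into the firewall ticket.
SAMPLE_TICKET = [
    "*.his.arc.azure.com:443",
    "*.guestconfiguration.azure.com:443",
    "*.windows.net:443",            # covers three required entries, but far too wide
    "login.microsoftonline.com:443",
    "management.azure.com:443",
    "packages.microsoft.com:80",    # right host, wrong port
]


def _split(entry):
    """'host:443' -> ('host', 443); 'host' -> ('host', None). Case-insensitive."""
    head, sep, tail = entry.strip().lower().rpartition(":")
    if sep:
        return head, int(tail)
    return tail, None


def _zone(pattern):
    """'*.his.arc.azure.com' -> 'his.arc.azure.com'; exact hosts unchanged."""
    return pattern[2:] if pattern.startswith("*.") else pattern


def allow_entry_covers(allow_entry, required, required_port=REQUIRED_PORT):
    """True if one allowlist entry satisfies one required endpoint.

    A wildcard allow entry covers a required name whose zone equals or sits
    beneath the allowed zone. An exact allow entry only covers the identical
    exact required host: it can never satisfy a required wildcard, because
    the agent may talk to any host in that zone (regional HIS endpoints etc).
    """
    host, port = _split(allow_entry)
    if port is not None and port != required_port:
        return False
    required = required.lower()
    if host.startswith("*."):
        zone, req = _zone(host), _zone(required)
        return req == zone or req.endswith("." + zone)
    return not required.startswith("*.") and host == required


def check_allowlist(allowlist):
    """Return (missing, overly_broad).

    missing: required endpoints no entry covers (the ticket will fail onboarding).
    overly_broad: wildcard entries that cover a requirement only because they
    are wider than the documented zone (worth narrowing before approval).
    """
    missing, overly_broad = [], set()
    for required in REQUIRED_ENDPOINTS:
        covering = [a for a in allowlist if allow_entry_covers(a, required)]
        if not covering:
            missing.append(required)
            continue
        for a in covering:
            host, _ = _split(a)
            if host.startswith("*.") and _zone(host) != _zone(required.lower()):
                overly_broad.add(host)
    return missing, sorted(overly_broad)


if __name__ == "__main__":
    missing, broad = check_allowlist(SAMPLE_TICKET)
    for ep in missing:
        print(f"MISSING   {ep:32} {REQUIRED_ENDPOINTS[ep]}")
    for host in broad:
        print(f"TOO BROAD {host:32} narrow to the documented zone(s)")
```

Run it against the pasted ticket before it goes out; once the agent is installed, the agent's own `azcmagent check` command performs the live connectivity test from the host itself, so the two checks complement each other.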

Exam Focus

Common interview / customer-call gotcha: When asked "how do I get Defender for SQL on a SQL Server running in AWS EC2?", the answer is always Arc-enable it first, then turn on the Defender for SQL plan on the Arc resource. Same answer for GCP, on-prem, edge, or co-lo.

Onboarding: minimum viable steps

Single server (interactive)

# 1. Register required resource providers (one-time per subscription)
az provider register --namespace Microsoft.HybridCompute
az provider register --namespace Microsoft.AzureArcData
az provider register --namespace Microsoft.GuestConfiguration

# 2. From the Azure portal: Azure Arc -> SQL Server -> Add -> "Single server"
# Generates a script you run on the SQL Server host.
# The script:
# a) Installs the Connected Machine agent
# b) Authenticates to Azure (service principal or device code)
# c) Auto-installs the SQL Server Arc extension on instance discovery

# 3. Enable Defender for SQL on Arc SQL Server resources subscription-wide
az security pricing create --name SqlServerVirtualMachines --tier Standard

At-scale (PowerShell DSC / Group Policy / Ansible)

For 10+ servers, use the at-scale onboarding script with a service principal:

# Run on each target host (Windows PowerShell 5.1+)
Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile install.ps1
./install.ps1
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
--resource-group "rg-arc-sql" `
--tenant-id "<tenant>" `
--location "westeurope" `
--subscription-id "<sub>" `
--service-principal-id "<spn-app-id>" `
--service-principal-secret "<spn-secret>" `
--tags "estate=on-prem,env=prod"

The Arc SQL extension is auto-installed within ~10 minutes once the agent reports a SQL instance. Production estates use Microsoft Configuration Manager (SCCM) or Intune to push the same script.

Verification

# List Arc SQL instances in a subscription
az resource list --resource-type Microsoft.AzureArcData/sqlServerInstances -o table

# Detail for one instance
az resource show \
--ids /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.AzureArcData/sqlServerInstances/<name>

Or in Azure Resource Graph Explorer:

Resources
| where type =~ 'Microsoft.AzureArcData/sqlServerInstances'
| project name, location, resourceGroup,
version=tostring(properties.version),
edition=tostring(properties.edition),
status=tostring(properties.status),
host=tostring(properties.containerResourceId)
| order by version asc

Decision matrix: Arc vs migrate vs native

| Scenario | Recommended | Why |
| --- | --- | --- |
| SQL Server in own data center, no migration plan yet | Arc + Defender + Backup | Get governance/security wins today |
| SQL Server in AWS EC2 / GCP, want Microsoft-native security | Arc + Defender for SQL | One pane of glass, billed per vCore |
| Greenfield workload, no existing footprint | Azure SQL DB / MI (skip Arc) | PaaS economics; Arc adds cost without benefit |
| SQL Server already on an Azure VM | SQL IaaS Agent + Defender (no Arc) | Already an Azure resource; Arc would duplicate |
| End-of-life SQL 2012 / 2014 | Arc for ESUs | Pay monthly via Azure billing instead of upfront ESU contract |
| 100+ heterogeneous SQL instances, no inventory | Arc first for visibility | Build accurate inventory + assessment before migration planning |
| Edge / air-gapped manufacturing site | Arc indirect mode | Local SQL stays autonomous, Azure governance still applies |

Pairing with Defender for SQL: DCSA recipe

This is the most common combo a Microsoft account team recommends to a customer with a large on-prem / multi-cloud SQL footprint:

  1. Arc-enable the existing SQL fleet (zero data movement, ~30 min per host once Connected Machine agent is in place).
  2. Turn on Defender for SQL on the Arc resources; vulnerability scans + threat protection follow within hours.
  3. Pipe alerts to Microsoft Sentinel if the customer has a SOC.
  4. Use the time bought to plan a real migration to Azure SQL MI for the workloads that fit, and Azure SQL DB Hyperscale for the modern app tier.

See the Defender for Cloud / Defender for SQL page for the security-side detail.

Extended Security Updates (ESUs) via Arc

End-of-life SQL Server (2012, 2014, eventually 2016) needs Extended Security Updates to stay PCI/HIPAA compliant. Two delivery options:

| Option | How you pay | Best when |
| --- | --- | --- |
| Volume Licensing ESU | Annual upfront, per core | You have a multi-year support commitment + flat estate |
| ESU via Arc | Monthly PAYG through Azure invoice | Estate is shrinking quarter-over-quarter due to migration |

Enabling is a single property on the Arc resource:

az sql server-arc extension update \
--resource-group <rg> --machine-name <host> \
--extension-name WindowsAgent.SqlServer \
--settings '{"ESU": "Enabled"}'

Patches arrive via Windows Update / WSUS as normal once activated.

Backup to Azure Blob via Arc

Arc-managed backups remove per-host scripting. Behaviors to know:

  • Configured per-database with a retention policy (1–35 days PITR + up to 7 years long-term).
  • Backups stream directly from the SQL host to Azure Blob (no intermediate host required).
  • Restore works to: same host (overwrite or new name), another Arc host, or Azure SQL MI (cross-engine restore, limited compatibility).
  • Cost = Blob storage + minimal Arc backup plan fee.

Limitations & gotchas

  • Failover Cluster Instance (FCI) support: each node is Arc-enabled separately; Arc reports the active instance. Plan group naming carefully so the resource doesn't flip name on failover.
  • Always On Availability Groups: each replica is its own Arc instance. The AG itself is not a top-level Azure resource; query via Resource Graph by joining on properties.alwaysOnRole.
  • Express edition: limited Defender support; Best practices assessment may produce noisier output (SKU-aware rules pending).
  • High frequency telemetry: ATP detectors expect ≥5 connections/min for some baselines; very low-traffic legacy DBs may not produce useful behavioral baselines.
  • Linux SQL Server: supported but extension auto-deploy is sometimes slow; force with az connectedmachine extension create --name WindowsAgent.SqlServer ... (yes, the extension keeps the Windows name on Linux).
  • Disconnected for > 30 days: the Arc resource enters a Disconnected state and stops billing extensions. After 45 days the resource is auto-deleted. Build alerting on the connectionStatus property.
  • Costs: Arc itself is free, but it's easy to inadvertently enable Defender on every Arc SQL; scope the Defender plan via Policy rather than subscription default if you want selective coverage.
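Two of the points above (the estate inventory question in "The two resource types you create" and the Verification query, and the 30/45-day disconnect gotcha) are both answered from Resource Graph output, and both are worth automating rather than eyeballing in the portal. The script below is an added example, not Microsoft's code and not from this page: it triages rows shaped like the Verification query's projection (name, version, edition, status, host), joined to a second projection over Microsoft.HybridCompute/machines for connection state, and flags hosts past the 30-day mark, hosts a week away from the 45-day auto-delete, and instances on a sub-2019 engine. Every row is a constructed sample; the machine property names (properties.status, properties.lastStatusChange) and the version string format ("SQL Server 2016") are assumptions to verify against your tenant before wiring this into an alert.

```python
"""Triage an Arc SQL estate export for disconnected hosts and legacy engines.

Added example; not Microsoft's code and not from the original page. Rows are
constructed samples shaped like `az graph query` output for the two
projections described in the comments. Property names for machine status
are assumptions to verify against a real tenant.
"""
import re
from datetime import datetime, timezone

DISCONNECT_WARN_DAYS = 30   # page: after 30 days extensions stop billing, posture is blind
AUTO_DELETE_DAYS = 45       # page: resource auto-deleted after 45 days disconnected
ESCALATE_WITHIN_DAYS = 7    # local choice: escalate a week before auto-delete
MODERN_ENGINE_YEAR = 2019   # page's "sub-2019 engine" inventory question

# Constructed IDs; the subscription GUID is a placeholder.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc-sql"


def machine_id(name):
    return f"{RG}/providers/Microsoft.HybridCompute/machines/{name}"


# Constructed rows in the shape of the page's sqlServerInstances projection:
#   | project name, version=tostring(properties.version), edition=..., status=...,
#             host=tostring(properties.containerResourceId)
SQL_INSTANCES = [
    {"name": "sql-fin-01", "version": "SQL Server 2014", "edition": "Standard",
     "status": "Connected", "host": machine_id("vm-fin-01")},
    {"name": "sql-hr-02", "version": "SQL Server 2019", "edition": "Enterprise",
     "status": "Connected", "host": machine_id("vm-hr-02")},
    {"name": "sql-edge-07", "version": "SQL Server 2016", "edition": "Express",
     "status": "Disconnected", "host": machine_id("vm-edge-07")},
]

# Constructed rows for an assumed second query:
#   Resources | where type =~ 'Microsoft.HybridCompute/machines'
#   | project id, name, status=tostring(properties.status),
#             lastStatusChange=tostring(properties.lastStatusChange)
MACHINES = [
    {"id": machine_id("vm-fin-01"), "name": "vm-fin-01", "status": "Connected",
     "lastStatusChange": "2025-01-30T12:00:00Z"},
    {"id": machine_id("vm-hr-02"), "name": "vm-hr-02", "status": "Disconnected",
     "lastStatusChange": "2024-12-29T12:00:00Z"},   # 33 days before NOW
    {"id": machine_id("vm-edge-07"), "name": "vm-edge-07", "status": "Disconnected",
     "lastStatusChange": "2024-12-19T12:00:00Z"},   # 43 days before NOW
]
NOW = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_engine_year(version):
    """'SQL Server 2016' -> 2016; None when no 20xx year is present."""
    m = re.search(r"\b(20\d{2})\b", version or "")
    return int(m.group(1)) if m else None


def days_since(iso_ts, now):
    """Whole days between an ISO-8601 UTC timestamp (with 'Z') and now."""
    ts = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return (now - ts).days


def triage(instances, machines, now=None):
    """Bucket the estate into actionable lists of resource names."""
    now = now or datetime.now(timezone.utc)
    by_id = {m["id"].lower(): m for m in machines}  # ARM IDs compare case-insensitively
    report = {"disconnected": [], "auto_delete_imminent": [],
              "legacy_engine": [], "host_missing": []}
    for inst in instances:
        year = parse_engine_year(inst["version"])
        if year is not None and year < MODERN_ENGINE_YEAR:
            report["legacy_engine"].append(inst["name"])
        host = by_id.get(inst["host"].lower())
        if host is None:
            report["host_missing"].append(inst["name"])  # orphaned instance row
            continue
        if host["status"].lower() != "connected":
            days = days_since(host["lastStatusChange"], now)
            name = host["name"]
            if days >= DISCONNECT_WARN_DAYS and name not in report["disconnected"]:
                report["disconnected"].append(name)
            if (days >= AUTO_DELETE_DAYS - ESCALATE_WITHIN_DAYS
                    and name not in report["auto_delete_imminent"]):
                report["auto_delete_imminent"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in triage(SQL_INSTANCES, MACHINES, NOW).items():
        print(f"{bucket:22} {', '.join(names) or '-'}")
```

The auto-delete escalation window is a local choice; the 30- and 45-day thresholds are the ones the page states. In production the same buckets map naturally onto an Azure Monitor alert (disconnected), a ticket to the site owner (auto_delete_imminent) and an ESU/migration backlog (legacy_engine).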

Multi-cloud reality check (AWS / GCP)

| Platform | Arc connectivity | Notes |
| --- | --- | --- |
| AWS EC2 (Windows / Linux) | Direct mode via internet or VPN to Azure | Use IAM-issued temporary creds for the install script; keep tag cloud=aws for visibility |
| GCP Compute Engine | Direct mode | Same. Outbound HTTPS through GCP VPC firewall |
| VMware on-prem | Direct or indirect | At scale, use the Arc-enabled VMware vSphere integration to onboard whole vCenters |
| Hyper-V on-prem | Direct or indirect | At scale, use the Arc-enabled SCVMM integration |
| Air-gapped (gov / industrial) | Indirect mode only | Requires a Data Controller on local Kubernetes (AKS Edge, OpenShift, Tanzu) |

When not to recommend Arc

  • Customer is committed to migrating in less than 6 months; Arc adds an extra hop they will throw away.
  • The host has no outbound HTTPS and the customer cannot deploy a Data Controller; the indirect path may not be operationally viable.
  • Workload is already on an Azure VM with the SQL IaaS Agent; adding Arc on top creates duplicate resources and confuses billing.
  • Tiny estate (1–2 servers) where the per-server VA scan + manual patching effort is already trivial; Arc's ROI shows up at scale.
  • Customer's compliance regime forbids any out-of-region telemetry; verify Arc's data residency commitments before proposing.

Customer demo runbook (~10–12 min)

A repeatable presenter flow that shows a non-Azure SQL Server become a first-class Azure resource in roughly ten minutes, without moving data or changing the application. Times are wall-clock with the agent pre-staged on the host.

  1. Current state (~1 min). Open SSMS against the on-prem SQL Server. In the Azure portal, show that no Arc resource exists yet. Say: "This is your existing SQL Server today: nothing is in Azure."
  2. Generate onboarding script (~1 min). Azure portal -> Azure Arc -> SQL Server -> Add -> Single server. Pick resource group, region, tags. Download the generated script. Say: "One script. No agents to install in advance."
  3. Run on the host (~90 sec). Run the script on the SQL Server. The Connected Machine Agent installs and registers. Show outbound 443 only in the network monitor; no inbound rules added. Say: "Notice: we never opened anything inbound."
  4. Visibility (~1 min). Back in the portal: the server appears under Arc -> Servers with inventory, tags, resource ID. Say: "That's your physical server, now a managed Azure resource."
  5. Enable the SQL extension (~3 min). From the Arc machine resource, enable the SQL Server extension. Within minutes the SQL instance + databases appear as Azure resources. Say: "The SQL Server is now first-class in Azure: ARM, Bicep, Policy, RBAC."
  6. Show the security value (~5 min). Side-by-side: Best Practices Assessment findings + Defender for SQL vulnerability and threat alerts. Close: "Same SQL Server, now governed, monitored, and protected, without moving your data or changing your application."

A security-first, governance-led modernisation strategy. Arc lets the organisation act on its existing SQL estate before any migration decision is made.

  • Visibility: gain a single inventory across on-prem, branch, edge, and cloud SQL, queryable via Azure Resource Graph.
  • Security posture: improve posture before migration, not after. VA + threat detection on day one.
  • Standardised governance: one set of Azure-native controls (Policy, RBAC, Activity Logs) for the whole SQL estate.
  • Foundation for AI & cloud: discovered, classified, governed data is the prerequisite for any later AI or migration motion.

This sequence reduces risk, accelerates decision-making, and ensures that migration, when it happens, is informed and controlled.

Optional value add: assessment-first

Maximise the Arc onboarding by running a pre-assessment against each instance first using SQL security and configuration analysers (e.g. SQL DBSAT and the free Best Practices Assessment that ships with the Arc extension).

  • What it delivers: prioritised remediation backlog before enabling Defender; CIS / Microsoft-aligned baseline; sensitive-data inventory ready for Purview; upfront migration-readiness signals.
  • Outcomes: faster security wins after onboarding; clear roadmap for optimisation or migration; stronger compliance alignment; predictable cost (turn plans on only where they pay back).

Best Practice

The assessment runs on-prem before any cloud connection; outputs stay with the customer until they choose to act. See Lab: SQL Security Assessment for the runnable script and scored HTML report.

Operational best practices

  • Tag at onboarding (estate, env, business-unit, dr-tier) so Resource Graph queries are useful from day one.
  • Create a dedicated resource group per region for Arc resources; this simplifies RBAC and policy scoping.
  • Use a service principal with least privilege (Azure Connected Machine Onboarding role) for at-scale onboarding scripts; rotate the secret quarterly.
  • Monitor the connectionStatus property with an Azure Monitor alert; disconnected agents = blind security posture.
  • Enable diagnostics to a Log Analytics workspace before turning on Defender; this gives you 90 days of context for the first true positive alert.
  • Document the uninstall path (azcmagent disconnect && azcmagent uninstall) in your runbook; auditors ask.

Flashcards

What is the primary purpose of Azure Arc for SQL Server?
To project a SQL Server instance running anywhere (on-prem, AWS, GCP, edge) into Azure as a first-class resource so you can apply Azure governance, security (Defender for SQL), backup, monitoring and policy without moving any data.

Quiz

A customer runs 40 SQL Server instances on VMware in their data center. They have no migration plan for the next 18 months but the CISO wants Microsoft-native vulnerability scanning across the estate. What do you recommend?