Set up trust between instances with server trust group (Azure SQL Managed Instance)

Applies to: Azure SQL Managed Instance

A server trust group (also known as a SQL trust group) is the mechanism for managing trust between instances in Azure SQL Managed Instance. Creating a group establishes a certificate-based trust between its members, which can then be used for different cross-instance scenarios. Removing instances from the group or deleting the group removes the trust between them. To create or delete a server trust group, the user needs write permissions on the managed instance. A server trust group is an Azure Resource Manager object; in the Azure portal it is labeled SQL trust group.

Set up group

A server trust group can be set up via Azure PowerShell or Azure CLI.

To create a server trust group by using the Azure portal, follow these steps:

  1. Go to the Azure portal.

  2. Navigate to Azure SQL Managed Instance that you plan to add to a server trust group.

  3. On the Security settings, select the SQL trust groups tab.

  4. On the SQL trust groups configuration page, select the New Group icon.

  5. On the SQL trust group create blade, set the Group name. It must be unique within the group's subscription, resource group and region. Trust scope defines the type of cross-instance scenario that the server trust group enables. Trust scope is fixed: all available functionalities are preselected and cannot be changed. Select the Subscription and Resource group to choose the managed instances that will be members of the group.

  6. After all required fields are populated, select Save.

Edit group

To edit a server trust group, follow these steps:

  1. Go to the Azure portal.

  2. Navigate to a managed instance that belongs to the trust group.

  3. On the Security settings select the SQL trust groups tab.

  4. Select the trust group you want to edit.

  5. Click Configure group.

  6. Add or remove managed instances from the group.

  7. Click Save to confirm the change or Cancel to abandon it.

Delete group

To delete a server trust group, follow these steps:

  1. Go to the Azure portal.

  2. Navigate to a managed instance that belongs to the SQL trust group.

  3. On the Security settings select the SQL trust groups tab.

  4. Select the trust group you want to delete.

  5. Select Delete group.

  6. Type in the SQL trust group name to confirm deletion and select Delete.
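The create, edit and delete procedures above, carried out with Azure PowerShell (Az.Sql) instead of the portal, as an added example that is not part of this article. It assumes Connect-AzAccount has been run, that the resource group, instance and group names are placeholders you replace, that the Az.Sql cmdlets take members as Resource Manager IDs and a -TrustScope list (GlobalTransactions, ServiceBroker), and that membership is edited by re-issuing the create call with the full member list.

```powershell
# Added example, not the article's own code. Assumes the Az.Sql module and an
# authenticated session (Connect-AzAccount). All names below are placeholders.
$ResourceGroup = 'rg-placeholder'
$Location      = 'westeurope'
$GroupName     = 'stg-placeholder'   # must be unique per subscription, resource group and region
$InstanceNames = @('mi-placeholder-1', 'mi-placeholder-2')
$TrustScope    = @('GlobalTransactions', 'ServiceBroker')   # assumed accepted values; the portal preselects all

# Resolve member instances to their Resource Manager IDs; the group references ARM IDs, not names.
$members = foreach ($name in $InstanceNames) {
    (Get-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $name).Id
}

# 1. Set up group: equivalent of the New Group / Save steps in the portal.
New-AzSqlServerTrustGroup -ResourceGroupName $ResourceGroup -Location $Location `
    -Name $GroupName -GroupMember $members -TrustScope $TrustScope | Out-Null

# Verify that every requested instance is now a member (GroupMember property assumed to hold ARM IDs).
$current = Get-AzSqlServerTrustGroup -ResourceGroupName $ResourceGroup -Location $Location -Name $GroupName
$missing = $members | Where-Object { $_ -notin $current.GroupMember }
if ($missing) { throw "Trust group '$GroupName' is missing members: $($missing -join ', ')" }

# 2. Edit group: the resource is replaced as a whole, so re-issue the create call with the
#    full desired member list (assumption about the cmdlet's PUT semantics). Here one instance is dropped,
#    which, like the portal's Configure group step, removes the trust for that instance.
$reduced = @($members | Select-Object -First 1)
New-AzSqlServerTrustGroup -ResourceGroupName $ResourceGroup -Location $Location `
    -Name $GroupName -GroupMember $reduced -TrustScope $TrustScope | Out-Null

# 3. Delete group. As the article notes, the certificate trust may linger until the instances fail over,
#    so deletion alone should not be treated as proof that cross-instance trust is gone.
Remove-AzSqlServerTrustGroup -ResourceGroupName $ResourceGroup -Location $Location -Name $GroupName -Confirm:$false
```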

Note

Deleting the SQL trust group might not immediately remove the trust between the two managed instances. Trust removal can be enforced by invoking a failover of managed instances. Check the Known issues for the latest updates on this.

Limitations

The following limitations apply to server trust groups:

  • Group can contain only instances of Azure SQL Managed Instance.
  • Trust scope cannot be changed when a group is created or modified.
  • The name of the server trust group must be unique for its subscription, resource group and region.

Next steps