![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Azure SQL Database
An Azure relational database service.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
AFAIK, this behavior is expected and is tied to how Azure SQL Managed Instance is architected rather than a limitation of Private Endpoint itself. A Managed Instance is not a single endpoint backed by a single IP, but a distributed, stateful PaaS deployment that runs across multiple nodes inside a dedicated customer subnet. That subnet contains compute nodes, gateways, internal load balancers, and management components that all participate in client connectivity, high availability, and platform operations.
The Private Endpoint acts as an entry point into the Managed Instance service, not as a direct NAT to a single database engine IP. When traffic reaches the Private Endpoint, it is forwarded into the Managed Instance subnet, where Azure’s internal load balancing and routing logic determines which gateway and which engine node should handle the connection. This decision depends on factors such as primary versus secondary role, failover state, maintenance activity, and scale unit placement. Because these roles can move at any time, the platform cannot pin client traffic to a single backend IP address.
Once inside the MI subnet, connections may be proxied through gateway components and then redirected to the appropriate database engine node. Even after the initial connection is established, certain operations can trigger redirection to a different node, for example during failovers, patching, or replica role changes. As a result, responses and redirected traffic can originate from multiple IP addresses across the Managed Instance subnet, not from a single fixed address associated with the Private Endpoint.
Outbound traffic follows a similar model. Managed Instance nodes need to communicate with each other, with Azure control plane services, and with platform dependencies such as storage, monitoring, and backup services. These communications originate from different IPs within the subnet depending on which node is performing the operation at that moment. Restricting access to only the Private Endpoint IP would break these internal flows and prevent the service from operating correctly.
This is by design and reflects the fact that Azure SQL Managed Instance is closer to a “SQL Server as a service cluster” than to a single-host database exposed over Private Link. Private Endpoint ensures that traffic enters Microsoft’s network privately and that no public exposure exists, but it does not change the internal multi-IP, multi-node nature of the service.
I'm not aware of any announced plans to support a model where connectivity can be constrained to a single IP address for Managed Instance. The supported security boundary is the Managed Instance subnet combined with NSGs, route tables, and Private Endpoint access control at the subnet or VNet level. For scenarios that require extremely tight, single-IP allow listing, Azure SQL Database (single or elastic pool) might be a better fit, because its architecture is different and aligns more closely with that requirement.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin