Microsoft Solutions Partner — Data & AI · 11,000+ engagements

Azure SQL Database + Managed Instance Enterprise (2026)

The Azure SQL family — SQL Database, Hyperscale, Managed Instance, and SQL on Azure VM — and the five-phase EPC Group Azure SQL Accelerator delivered by a senior-architect-led 29-year Microsoft Solutions Partner.

Book an Azure SQL briefing Call 888-381-9725

What is the Azure SQL family and how do enterprises pick the right deployment option? The Azure SQL family is four destinations under one SQL Server engine: Azure SQL Database (single + elastic, including the Hyperscale service tier for 100 TB workloads), Azure SQL Managed Instance for lift-and-shift of on-prem SQL Server estates with instance-level surface compatibility, and SQL Server on Azure VM for the workloads that need full OS access. The right destination is decided per database by surface compatibility, data volume, HA requirement, and license posture. EPC Group runs a five-phase Assess, Design, Migrate, Optimize, Operate accelerator that takes the customer from on-prem estate to a fully governed Azure SQL platform in 16-to-32 weeks, fixed-fee between $150K and $500K.

Azure SQL is four destinations: SQL Database (PaaS, includes Hyperscale up to 100 TB), Managed Instance (PaaS with near-100% SQL Server surface compatibility for lift-and-shift), and SQL Server on Azure VM (IaaS for full-surface and legacy workloads). Pick by surface compatibility, scale, HA tier, and license posture. EPC Group delivers a fixed-fee five-phase Accelerator between $150K and $500K.

Key Facts

Four Azure SQL deployment options: SQL Database (single + elastic), Hyperscale, Managed Instance, and SQL Server on Azure VM
Hyperscale supports databases up to 100 TB with near-instant compute scale, fast restore, and named read-scale replicas
Managed Instance delivers near-100% SQL Server surface — SQL Agent, cross-database queries, CLR, Service Broker, DTC
Azure Hybrid Benefit converts SQL Server Software Assurance into Azure SQL core entitlements, dropping effective price 30-55%
Reserved Capacity 1-year or 3-year cuts steady-state compute spend by 33-55% across SQL Database, Managed Instance, and SQL on VM
Always Encrypted with secure enclaves protects PCI, PHI, and regulated columns from privileged operators with hardware enclave processing
Microsoft Defender for SQL delivers SQL injection detection, anomalous query, and vulnerability assessment across all four deployment options
EPC Group five-phase Azure SQL Accelerator delivers full activation in 16-to-32 weeks, fixed-fee $150K to $500K
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations

The four Azure SQL deployment options

The Azure SQL family is one SQL Server engine projected through four delivery surfaces. The right destination for any workload is a function of surface compatibility, data volume, HA tier, network model, and license posture — not a starting-point default.

Azure SQL Database (single + elastic pools)

Positioning: The flagship PaaS database for new cloud-native applications and modernized OLTP workloads. Fully-managed SQL Server engine with automatic patching, automatic backup, automatic high availability, and the lowest operational overhead of any deployment option in the Azure SQL family. Single database and elastic pool models cover everything from a small SaaS tenant database up to a 4 TB General Purpose or Business Critical workload.

Three service tiers — General Purpose (HA via remote storage), Business Critical (HA via local SSD + Always On replicas), and Hyperscale (100 TB capacity, near-instant scale)
Provisioned vCore, Serverless (auto-pause + auto-scale), and DTU purchasing models — Serverless is the right call for unpredictable or development workloads
Built-in automated backups with 7-to-35-day point-in-time restore and long-term retention up to ten years
Active geo-replication and auto-failover groups for cross-region DR with read-scale-out replicas in the secondary region
Intelligent performance — automatic tuning, query store, intelligent insights, and machine-learning-driven index recommendations
Full Microsoft Defender for SQL coverage: SQL injection detection, anomalous query, vulnerability assessment, advanced threat protection

Pricing: Provisioned vCore General Purpose starts around $0.50/vCore-hour; Business Critical roughly 2.7× General Purpose; Serverless billed per vCore-second with auto-pause to $0 storage-only when idle. Reserved capacity 1-year or 3-year drops compute spend 33-55%. Azure Hybrid Benefit applies SQL Server SA licenses for additional discount.

Azure SQL Database Hyperscale

Positioning: The Hyperscale service tier inside Azure SQL Database is a re-architected storage and compute model purpose-built for workloads beyond 4 TB and for any workload that values near-instant scale, fast backup, and fast restore over the traditional General Purpose / Business Critical envelope. Decoupled compute, page server, and log service tiers — storage scales independently up to 100 TB, compute scales horizontally with named replicas.

Storage up to 100 TB with no pre-provisioning — pay for what is actually stored, not the maximum size declared
Near-instant database copy, restore, and seeding through snapshot-based storage architecture — minutes instead of hours
Named replicas for read-scale workloads — analytics, reporting, BI — without paying for full HA replicas
Compute scale-up and scale-down completes in under a minute regardless of database size — true serverless economics at warehouse scale
Log throughput up to 100 MB/s with a dedicated log service decoupling write commit from page processing
Now available in Serverless tier for Hyperscale — auto-pause, auto-scale, and per-second billing for compute

Pricing: Compute billed per vCore-hour (Gen5 and DC-series), storage billed per GB-month at roughly $0.10/GB, log throughput allocation, and per-replica pricing for named and HA replicas. Hyperscale economics beat Business Critical above 8-10 TB and beat self-managed SQL Server on Azure VM at any size that needs the operational profile.

Azure SQL Managed Instance

Positioning: The lift-and-shift PaaS destination for on-premises SQL Server estates. Managed Instance is a near-100% surface compatible managed offering — SQL Agent, cross-database queries, CLR, Service Broker, Database Mail, Distributed Transactions — all present. The right call when the legacy application expects a SQL Server instance, not a single database, and the team cannot rewrite to remove instance-level dependencies.

Near-100% SQL Server feature parity — SQL Agent jobs, cross-database queries, linked servers, CLR, Database Mail, Service Broker, DTC
General Purpose (8 TB) and Business Critical (16 TB) tiers; Next-Gen GP raises the GP ceiling and improves IO throughput substantially
Native virtual network deployment — Managed Instance lives inside the customer VNet, no public endpoint required, full NSG and Private Link control
Instance Pools for cost-efficient consolidation of many small SQL workloads onto shared Managed Instance compute
Link feature for hybrid SQL Server 2022 → Managed Instance with continuous replication and one-click failover for DR or migration
Free Azure Hybrid Benefit for SQL Server license mobility plus eligibility for Extended Security Updates included for legacy SQL versions

Pricing: vCore-based: General Purpose starts around $0.50/vCore-hour, Business Critical roughly 3× General Purpose, storage per GB-month. Reserved capacity 1-year or 3-year cuts compute spend 33-55%. Azure Hybrid Benefit converts existing SQL Server SA licenses into Azure SQL Managed Instance core entitlements with no additional license charge.

SQL Server on Azure VM (IaaS)

Positioning: The escape hatch for workloads that require full OS access, an unsupported PaaS feature, or a regulatory constraint that PaaS cannot satisfy. SQL Server on Azure VM is full Enterprise Edition or Standard Edition SQL Server installed on a Windows or Linux VM, managed by the customer DBA team but enhanced by the SQL IaaS Agent Extension for automated patching, backup to Azure Blob, and Defender integration.

Full SQL Server surface — Resource Governor, file streaming, FILETABLE, custom CLR, Polybase, and any feature the PaaS tiers do not yet offer
Memory-optimized M-series and Mv2-series VMs with up to 12 TB RAM for the largest single-instance SQL Server workloads in the industry
SQL IaaS Agent Extension delivers automated backup to Azure Blob, automated patching windows, and Defender for SQL on IaaS
Azure Site Recovery integration for cross-region SQL Server DR with consistent application-level replication
Eligible for SQL Server Extended Security Updates through Azure — legacy SQL 2008/2012/2014/2016 workloads get free ESU when run on Azure VM
Always On availability groups, log shipping, and database mirroring fully supported for the patterns PaaS HA cannot model

Pricing: VM compute per hour plus SQL Server license (bring your own with Azure Hybrid Benefit, or pay-as-you-go through the marketplace image). Azure Hybrid Benefit converts existing SQL Server SA into the VM license entitlement, dropping the effective spend to compute-only. ESU for legacy SQL versions is included free on Azure VM, a multi-thousand-dollar-per-core annual savings.

Six Azure SQL enterprise patterns

Every Azure SQL engagement composes from one or more of these patterns. EPC Group picks the destination per workload, not per estate — a single enterprise typically runs three or four of these patterns simultaneously across the SQL estate.

Pattern 1 — High-throughput OLTP at SaaS or e-commerce scale

A SaaS provider running 12,000 transactions per second across a global customer base needs single-digit-millisecond write latency, automatic regional failover, and zero downtime maintenance windows. Azure SQL Database Business Critical or Hyperscale fits — Business Critical for sub-2 ms write latency on local SSD with Always On replicas, Hyperscale for write-intensive workloads above 4 TB where the decoupled log service architecture sustains 100 MB/s of log throughput. Active geo-replication with auto-failover groups handles regional DR, read-scale replicas absorb reporting load, and intelligent performance auto-tunes indexes against the production workload. EPC Group sizes the compute and IO envelope from the customer transaction profile rather than picking a starting tier and discovering the headroom problem in week three.

Pattern 2 — Mission-critical applications that demand five-nines

A financial services firm running a real-time trade-capture application cannot tolerate more than 26 seconds of downtime per month. Azure SQL Database Business Critical with zone-redundant configuration delivers 99.995% SLA — synchronous Always On replicas across three Azure Availability Zones, automatic failover in single-digit seconds, and zone-redundant storage for the backups and log. Active geo-replication carries a hot standby copy in a paired region for site-failure events. Microsoft Defender for SQL detects anomalous query, SQL injection, and credential brute force; Always Encrypted with secure enclaves protects PCI-scope columns end-to-end; Ledger writes append-only tamper-evident history for the regulators. EPC Group ships the chaos-engineering runbook the operations team uses to validate failover behavior quarterly.

Pattern 3 — SQL Server on-prem to Azure SQL migration

A manufacturer running 380 SQL Server instances across SQL 2012, 2014, 2016, 2019, and 2022 — Standard and Enterprise Editions, on Windows Server and a handful on Linux — needs to retire the on-prem footprint over an 18-month window. EPC Group runs Data Migration Assistant and the SQL Server Migration Assistant across every instance, classifies each database as Azure SQL Database, Managed Instance, or SQL on Azure VM based on surface usage, and ships the costed roadmap. Managed Instance is the destination for the legacy applications with cross-database queries, SQL Agent jobs, and Service Broker. SQL Database is the destination for the cloud-modernized workloads. SQL on Azure VM catches the 8% of instances that need a feature PaaS does not yet expose. Azure Database Migration Service runs the actual cutover with one-way or two-way replication, and Azure Hybrid Benefit cuts the post-cutover license bill substantially.

Pattern 4 — Multi-tenant SaaS with elastic per-tenant scale

A SaaS platform serving 6,000 customers with wildly variable per-tenant load chooses between three multi-tenancy patterns: database-per-tenant in an elastic pool, shared database with row-level security, or sharded Hyperscale. EPC Group sizes the right pattern from the customer profile — elastic pools fit when most tenants are small and idle, shared database fits when tenants are uniform and the DPaaS sprawl is intolerable, sharded Hyperscale fits when individual tenants exceed elastic pool limits and the per-tenant data sovereignty story matters. The platform layer uses elastic database tools, the management surface uses Azure SQL Sharding Helper or a custom shard map manager, and the cross-tenant analytics workload runs against named Hyperscale replicas without touching the OLTP path.

Pattern 5 — ERP backing store (Dynamics 365 F&O, SAP, JDE migration)

An enterprise running Dynamics 365 Finance and Operations on Azure SQL Managed Instance, or migrating an SAP ECC estate to S/4HANA running SQL Server on Azure VM, or carrying a JDE estate to Azure SQL — these are large, instance-flavored workloads that benefit from PaaS operational characteristics but cannot tolerate any surface incompatibility. Azure SQL Managed Instance Business Critical is the right destination for the F&O backing store and for many SAP and JDE patterns; SQL on Azure M-series VM is the right destination for the largest ERP workloads that need 6-12 TB of RAM. EPC Group has migrated 30+ Dynamics, SAP, and JDE estates to Azure SQL — the playbook covers per-tier sizing, geo-DR, the Always On configuration that ERP vendors actually certify against, and the Defender for SQL tuning that suppresses false positives on ERP query patterns.

Pattern 6 — Hybrid SQL with Azure Arc projection

A regulated enterprise cannot move 400 SQL Server instances to Azure in the next 24 months — data sovereignty, application coupling, and contractual lock-in keep them on-prem — but the cloud-ops team needs one governance plane across the entire SQL estate. Azure Arc-enabled SQL Server projects every on-prem and AWS-hosted SQL instance into Azure Resource Manager. Defender for SQL runs on the Arc-projected instances with the same surface as Azure SQL. Best-practice assessments flow into the Azure portal. Pay-as-you-go billing converts the Software Assurance line item into Azure consumption. When individual workloads are ready to migrate, the same Arc inventory becomes the source for the Database Migration Service plan. The /azure-arc-hybrid-multicloud-enterprise-2026 hub covers the broader Arc projection model.

Security stack

Azure SQL security — defense in depth on top of the engine

Azure SQL inherits the security surface SQL Server has built for two decades and layers on Azure-native protection. The compound stack — TDE, Always Encrypted, dynamic data masking, Ledger, and Microsoft Defender for SQL — protects data at rest, in transit, in use, and against credential, query, and configuration threats. The Microsoft Defender for Cloud CNAPP hub covers the unified Defender for Cloud plane Azure SQL participates in.

Transparent Data Encryption (TDE)

Automatic encryption at rest using service-managed or customer-managed keys (BYOK) through Azure Key Vault. Default on for every new Azure SQL Database and Managed Instance — zero-config protection of the database files, backups, and log.

Always Encrypted + secure enclaves

Client-side encryption with column-level granularity — encryption keys never leave the client. Secure enclaves extend Always Encrypted to range queries, pattern match, and richer indexing through a hardware-protected enclave inside the engine.

Dynamic Data Masking

Real-time masking of sensitive fields in query results for low-privileged users without changing the underlying data. Mask credit cards, SSNs, and PHI fields at read-time per RBAC role with no application change required.

Azure SQL Ledger

Tamper-evident append-only history with cryptographic hash chains backed by an off-database digest store. Regulators get verifiable proof that ledger-table rows were never silently modified — SOX, HIPAA, supply-chain provenance, audit logs.

Microsoft Defender for SQL

SQL injection detection, anomalous query, brute-force credential alerting, and vulnerability assessment across SQL Database, Managed Instance, SQL on VM, and Arc-projected on-prem SQL. Native Sentinel integration for SOC workflow.

Private Link + VNet integration

Azure SQL Database via Private Endpoint to the customer VNet, Managed Instance deployed directly inside a customer subnet with full NSG control. Public endpoints can be disabled estate-wide via Azure Policy at management-group scope.

HA + DR

High availability — three SLAs, three architectures, one decision tree

Azure SQL high availability is not one SLA — it is three architectures with different failover behavior, different cost profiles, and different ceiling characteristics. The right choice is a function of the application RTO, the workload IO profile, and the budget for read-scale and cross-region DR.

99.99% SLA

General Purpose / Premium remote storage

Stateless compute node, remote premium SSD storage. Failover detaches storage from the failed compute and re-attaches to a healthy compute node — typically under 30 seconds. Right for the broad enterprise OLTP and reporting estate.

99.995% SLA

Business Critical + zone-redundant

Four-node Always On availability group on local NVMe SSD spread across three Azure Availability Zones. Synchronous replicas deliver single-digit-second failover and read-scale-out. The right HA architecture for mission-critical applications.

99.99% SLA

Hyperscale with HA replicas

Decoupled compute, page server, and log service architecture. HA delivered through a primary compute, one or more HA replicas, and the page server tier. Adds named read replicas for read-scale-out without paying for full HA copies.

Cross-region DR — auto-failover groups

Auto-failover groups orchestrate a secondary in an Azure-paired region for site-level DR. RPO measured in seconds, RTO measured in minutes, application connection strings point at the failover group listener so the failover is transparent to the application tier. Works across Azure SQL Database and Managed Instance.

Cost optimization

Four levers that actually move the Azure SQL bill

Azure SQL cost optimization is not a one-time exercise — it is a continuous discipline with four well-understood levers. EPC Group typically takes 25-40% off the post-cutover cost trajectory in the first 90 days by applying these four levers in the right order against the right portion of the estate.

1. Reserved Capacity

One-year or three-year commitments cut compute spend 33-55% on the steady-state portion of the estate. Apply to the workloads that do not change tier — production OLTP, reporting databases, the ERP backing store.

2. Azure Hybrid Benefit (AHB)

Convert existing SQL Server Software Assurance into Azure SQL Database, Managed Instance, or SQL on VM core entitlements at no additional charge. AHB drops the effective price 30-55% on the SA-bound portion of the estate.

3. Serverless + auto-scale

Auto-pause drops the compute bill to storage-only when the workload idles, auto-scale handles unpredictable demand. Right for development, staging, multi-tenant per-tenant databases, and any production workload with idle windows.

4. Right-sizing from Query Store

Intelligent Insights and Query Store data shows where compute is over-provisioned. Vertical scale down completes in seconds and is reversible — no risk to test the lower tier on production once telemetry confirms the headroom.

The EPC Group Azure SQL Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Design, Migrate, Optimize, Operate — applied to the Azure SQL family specifically. Fixed-scope between $150,000 and $500,000 depending on instance count, multi-region DR breadth, regulatory scope, and managed-service tail. Senior-architect led, no offshore handoff, named senior on-record from kickoff through go-live.

Phase 1 — Assess

Full SQL estate inventory and migration classification in three weeks

Phase one is a fixed-fee assessment that inventories every SQL Server instance and every Azure SQL workload the enterprise already runs, classifies each one by target deployment option, and ships a costed migration roadmap. EPC Group runs Data Migration Assistant, SQL Server Migration Assistant, and Azure Migrate against the entire estate and converts the technical findings into a board-ready dollar-and-timeline plan.

SQL Server estate inventory by version, edition, Software Assurance status, license model, and Extended Security Update eligibility
Per-database compatibility classification — Azure SQL Database, Managed Instance, SQL on VM, or stay on-prem with Arc
Workload sizing — vCore, IO, memory, storage envelope for every target destination
Costed three-year TCO model comparing current state vs Azure SQL with reserved capacity and Azure Hybrid Benefit

Phase 2 — Design

Landing zone, HA, DR, security, and governance baseline

Phase two ships the Azure SQL landing zone — virtual network topology, Private Link endpoints, Managed Instance subnets, Defender for SQL configuration, Purview classification scope, Always Encrypted key vault hierarchy, and the Azure Policy initiative library applied at management-group scope. The deliverable is a deploy-ready landing zone that every subsequent migration wave lands into without bespoke decisions.

Hub-and-spoke network with Private Link for Azure SQL Database and VNet integration for Managed Instance
Defender for SQL, Azure Policy compliance initiatives, and Purview classification rules baseline configured
Always Encrypted with secure enclaves and Transparent Data Encryption with customer-managed keys (BYOK) configured
HA tier selection per workload — zone-redundant Business Critical, geo-DR via auto-failover groups, Hyperscale named replicas

Phase 3 — Migrate

Wave-based cutover with Azure Database Migration Service

Phase three runs the migration in named waves — pilot, broad ring one, broad ring two, long-tail — with Azure Database Migration Service or transactional replication as the cutover mechanism per workload. Each wave includes a documented rollback plan, a pre-cutover acceptance window, and a post-cutover validation runbook. EPC Group does not run T&M migrations; every wave is fixed-fee with a documented exit gate.

Azure DMS online migration for zero-downtime cutover where the source uptime requirement demands it
Backup-restore migration for workloads where a maintenance window is acceptable and the cutover speed matters less than simplicity
Transactional replication-based migration for the largest workloads or the most cutover-sensitive applications
Per-wave acceptance criteria — query latency, transaction throughput, application smoke tests — before the wave is declared production

Phase 4 — Optimize

Performance, cost, and security tuning post-cutover

Phase four hardens the post-cutover estate. Intelligent performance recommendations get reviewed and applied, Query Store baselines get captured for regression detection, reserved capacity and Azure Hybrid Benefit get applied to the steady-state estate, and Defender for SQL tuning suppresses the noise that the first 30 days inevitably generate.

Intelligent performance — automatic tuning enabled with the right scope, Query Store baselines captured, regression alerting wired
Reserved capacity 1-year or 3-year applied to the steady-state portion of the estate, Serverless applied to the variable portion
Azure Hybrid Benefit applied estate-wide where SA-bound SQL licenses exist; PAYG applied where SA is lapsing
Defender for SQL alert tuning — suppress the false positives, surface the genuine threats, integrate with Microsoft Sentinel

Phase 5 — Operate

Run-state operations with optional managed services

Phase five is the operating model — the customer runs the estate, EPC Group provides a managed-service overlay on the workloads that warrant it. Monthly review cycles cover capacity, security posture, license optimization, and the next wave of intelligent performance recommendations. The optional EPC Group Azure SQL managed service handles DBA operations for the customer accounts that prefer to consume the platform as a service rather than staff a dedicated team.

Monthly operating review covering capacity utilization, cost trajectory, security findings, and performance regression
Quarterly DR test using zone-redundant failover, auto-failover groups, or Hyperscale named-replica promotion
Continuous Microsoft Defender for SQL and Defender for Cloud findings triage routed into Sentinel for SOC visibility
Optional fully-managed Azure SQL DBA service — patching, backup validation, capacity planning, incident response

Why EPC Group leads enterprise Azure SQL migrations

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Users migrated

Microsoft Solutions Partner — Data & AI + Infrastructure

Microsoft Solutions Partner with the Data & AI and Infrastructure designations plus Modern Work, Security, Digital & App Innovation, and Business Applications. Senior architects average two decades of SQL Server, Azure SQL, and Fabric platform delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee accelerators

Every Azure SQL engagement is fixed-fee with a costed roadmap and named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP. Azure SQL deployments ship with auditor-ready control matrices, Defender for SQL tuning, Always Encrypted + Ledger configuration, and Purview classification.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

Frequently asked questions — Azure SQL

When do I pick Azure SQL Database Hyperscale vs Azure SQL Managed Instance — what is the real decision rule?

The decision rule is surface compatibility vs operational scale. Pick Managed Instance when the workload depends on instance-level SQL Server features — SQL Agent jobs, cross-database queries, linked servers, CLR, Service Broker, Database Mail, Distributed Transactions, or any of the dozens of compatibility surfaces that single-database PaaS does not expose. Pick Hyperscale when the workload is a single database (or can be refactored to one), the data volume is above 4 TB or the rate of change is high, and the operational profile — near-instant backup and restore, fast compute scale, named read replicas — is the main value. There is also a third call: if the data is below 4 TB and the application is cloud-modernized to live on a single database, vanilla Azure SQL Database Business Critical is the most cost-effective destination — neither Hyperscale nor Managed Instance is required. The /database-vs-data-warehouse-vs-data-lake-microsoft-2026 hub covers the broader OLTP vs OLAP fit decision.

How do I migrate an on-prem SQL Server estate to Azure SQL — what does the actual cutover look like?

Migration runs in three phases. First, classify every database — Data Migration Assistant identifies the compatibility issues and recommends Azure SQL Database, Managed Instance, or SQL on Azure VM as the destination. Second, land the target — provision the destination instance or database, configure HA, set up Defender for SQL, apply Azure Policy initiatives, configure the network endpoints. Third, cut over — Azure Database Migration Service runs online migrations with continuous replication and a single-digit-minute cutover window, or backup-restore handles workloads where a maintenance window is acceptable. EPC Group runs migrations in named waves with documented acceptance criteria per wave and a rollback plan that every customer signs off on before the wave starts. The /digital-transformation-microsoft-enterprise-2026 lifecycle covers the broader Assess-Modernize-Govern-Operate-Innovate framing inside which an Azure SQL migration sits.

How does Azure SQL cost compare to Amazon RDS for SQL Server — is the TCO really better on Azure?

For SQL Server workloads, Azure has two structural cost advantages that RDS does not match. First, Azure Hybrid Benefit converts existing SQL Server Software Assurance licenses into Azure SQL Database, Managed Instance, or SQL on VM core entitlements at no additional charge — the equivalent feature on AWS (BYOL for SQL on EC2) is narrower and does not apply to RDS for SQL Server PaaS. Second, Extended Security Updates for SQL 2008/2012/2014/2016 are free on Azure VM, a multi-thousand-dollar-per-core annual savings vs running the same legacy workload on RDS or EC2. On Hyperscale specifically, Azure runs above 4 TB at substantially better economics than RDS for SQL Server Multi-AZ once storage and IO are factored in. On Managed Instance there is no RDS equivalent — Aurora is PostgreSQL/MySQL only, and RDS for SQL Server is single-database PaaS without the instance-level surface. EPC Group has built side-by-side three-year TCO models for 40+ enterprise migrations and Azure has won the SQL Server line on price every time.

What does Always Encrypted with secure enclaves actually protect against — and where do I use it?

Always Encrypted protects sensitive data from privileged Azure operators, malicious DBAs, and compromised application servers — encryption and decryption happen in the client driver, so the database engine never sees plaintext. The original Always Encrypted (no enclaves) only supported equality predicates and exact-match joins on encrypted columns; secure enclaves extend that to range queries, pattern matching, and richer indexing through a hardware-protected enclave inside the SQL engine. Use Always Encrypted with secure enclaves for PCI cardholder data, PHI, government-classified data, and any column where the regulator or the data owner requires cryptographic separation from the database administrator role. Microsoft Defender for SQL detects credential brute force and anomalous queries against Always Encrypted columns; Microsoft Purview classifies them; the /microsoft-defender-for-cloud-cnapp-enterprise-2026 hub covers the unified Defender for Cloud security plane Azure SQL participates in.

What is Azure SQL Database Ledger and when does it earn its keep over the engineering work to adopt it?

Ledger makes Azure SQL Database (and Managed Instance) a tamper-evident system of record. Every modification to a ledger table is captured in an append-only history with cryptographic hashes that can be verified against an off-database digest store — Azure Storage with WORM policy, Azure Confidential Ledger, or an immutable blob. The use case is regulatory or audit-driven evidence that a row was never silently modified — financial transactions under SOX, clinical records under HIPAA, supply-chain provenance, audit logs of privileged operations. Ledger is not a substitute for transactional logging or a CDC stream; it is a cryptographic proof surface that the data the auditor sees today is the data that was written when it was written. It earns its keep when an auditor or regulator is the primary consumer of the proof, not when the use case is internal change tracking.

How does Azure SQL High Availability actually work across the three service tiers?

General Purpose uses remote premium storage with a stateless compute node — failover restarts the compute on healthy hardware and re-attaches the storage, usually under 30 seconds. Business Critical runs a four-node Always On availability group on local SSD inside an Azure region, with three synchronous replicas providing single-digit-second failover and read-scale-out to the secondary replicas — when configured zone-redundant, the four nodes spread across three Availability Zones and the SLA rises to 99.995%. Hyperscale uses a decoupled architecture where the storage layer (page servers) and the log service run independently; HA is delivered through a primary compute node and one or more high-availability replicas plus the page server tier. For cross-region DR, auto-failover groups orchestrate the secondary in a paired region with automatic or manual failover, RPO measured in seconds and RTO in minutes. EPC Group sizes the HA tier from the workload SLA, not from a default.

How do I optimize Azure SQL cost — what actually moves the bill?

Four levers move Azure SQL cost meaningfully. First, Reserved Capacity — committing to one-year or three-year reservations cuts compute spend 33-55% on the steady-state portion of the estate. Second, Azure Hybrid Benefit — if the customer has existing SQL Server Software Assurance, AHB drops the effective price 30-55% by converting SA into Azure SQL core entitlements. Third, Serverless — auto-pause and auto-scale on Azure SQL Database (and now Hyperscale) drops the bill to storage-only when the workload idles, ideal for development, staging, and unpredictable production patterns. Fourth, right-sizing — Query Store and Intelligent Insights data shows where compute is over-provisioned, and the platform supports vCore scale down with seconds of impact. EPC Group typically takes 25-40% off the post-cutover cost trajectory in the first 90 days through these four levers combined.

What does the EPC Group Azure SQL Accelerator deliver, and what does it cost?

The accelerator is the five-phase Assess, Design, Migrate, Optimize, Operate program that takes an enterprise from on-prem SQL Server estate to a fully operating Azure SQL platform with documented HA, DR, security, governance, and cost-optimization baselines. Pricing is fixed-fee between $150,000 and $500,000 depending on instance count, regulatory scope, multi-region DR requirements, and managed-service tail. Senior-architect-led, no offshore handoff, named senior on-record from kickoff through go-live. Most enterprise engagements complete the Migrate phase between 16 and 32 weeks from kickoff, with the broader estate transitioning over the 12-to-18-month horizon. The /services/azure-consulting-services page covers the broader Azure service line, and the /microsoft-cloud-orchestrator hub covers the platform layer inside which Azure SQL sits.

Continue exploring the EPC Group enterprise Microsoft library

Azure SQL is one platform inside the broader Microsoft data and cloud orchestration story. These hubs cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which Azure SQL sits as the relational data platform layer.

Azure consulting services

EPC Group Azure consulting service line — landing zones, migrations, governance, and the broader Azure platform engagement.

Database vs warehouse vs lake on Microsoft

How Azure SQL fits into the broader OLTP-vs-OLAP architecture decision against Fabric, Synapse, and the Microsoft data lake.

Azure Arc Hybrid + Multicloud

How Arc-enabled SQL Server projects on-prem and AWS SQL into Azure with PAYG license mobility, Defender for SQL, and unified governance.

Microsoft Defender for Cloud CNAPP

The unified CNAPP plane under which Defender for SQL participates — SQL injection detection, vulnerability assessment, posture management.

Azure Synapse Analytics enterprise guide

When the analytical workload moves out of Azure SQL into Synapse dedicated SQL pools, serverless SQL, or Spark.

Digital transformation — Microsoft enterprise 2026

The five-stage EPC Group Lifecycle inside which the Azure SQL Accelerator is the relational data modernization workstream.

Standards alignment library

NIST CSF 2.0, ISO 27001, HIPAA, FedRAMP, FINRA, CMMC, and GxP control mappings applied to Azure SQL and the surrounding Microsoft data platform.

One Azure SQL platform for every workload in your relational data estate

Book an Azure SQL briefing with an EPC Group senior architect. Two-hour working session — SQL estate inventory, destination classification, accelerator scoping. Zero obligation, board-ready output.

Book the briefing 888-381-9725

‌
‌
‌

‌
‌

‌
‌
‌

‌
‌
‌
‌
‌

‌
‌
‌
‌
‌
‌

‌

‌
‌

AI assistant — not human

Microsoft Solutions Partner — Data & AI · 11,000+ engagements

Azure SQL Database + Managed Instance Enterprise (2026)

Book an Azure SQL briefing Call 888-381-9725

Key Facts

Four Azure SQL deployment options: SQL Database (single + elastic), Hyperscale, Managed Instance, and SQL Server on Azure VM
Hyperscale supports databases up to 100 TB with near-instant compute scale, fast restore, and named read-scale replicas
Managed Instance delivers near-100% SQL Server surface — SQL Agent, cross-database queries, CLR, Service Broker, DTC
Azure Hybrid Benefit converts SQL Server Software Assurance into Azure SQL core entitlements, dropping effective price 30-55%
Reserved Capacity 1-year or 3-year cuts steady-state compute spend by 33-55% across SQL Database, Managed Instance, and SQL on VM
Always Encrypted with secure enclaves protects PCI, PHI, and regulated columns from privileged operators with hardware enclave processing
Microsoft Defender for SQL delivers SQL injection detection, anomalous query, and vulnerability assessment across all four deployment options
EPC Group five-phase Azure SQL Accelerator delivers full activation in 16-to-32 weeks, fixed-fee $150K to $500K
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations

The four Azure SQL deployment options

Azure SQL Database (single + elastic pools)

Three service tiers — General Purpose (HA via remote storage), Business Critical (HA via local SSD + Always On replicas), and Hyperscale (100 TB capacity, near-instant scale)
Provisioned vCore, Serverless (auto-pause + auto-scale), and DTU purchasing models — Serverless is the right call for unpredictable or development workloads
Built-in automated backups with 7-to-35-day point-in-time restore and long-term retention up to ten years
Active geo-replication and auto-failover groups for cross-region DR with read-scale-out replicas in the secondary region
Intelligent performance — automatic tuning, query store, intelligent insights, and machine-learning-driven index recommendations
Full Microsoft Defender for SQL coverage: SQL injection detection, anomalous query, vulnerability assessment, advanced threat protection

Azure SQL Database Hyperscale

Storage up to 100 TB with no pre-provisioning — pay for what is actually stored, not the maximum size declared
Near-instant database copy, restore, and seeding through snapshot-based storage architecture — minutes instead of hours
Named replicas for read-scale workloads — analytics, reporting, BI — without paying for full HA replicas
Compute scale-up and scale-down completes in under a minute regardless of database size — true serverless economics at warehouse scale
Log throughput up to 100 MB/s with a dedicated log service decoupling write commit from page processing
Now available in Serverless tier for Hyperscale — auto-pause, auto-scale, and per-second billing for compute

Azure SQL Managed Instance

Near-100% SQL Server feature parity — SQL Agent jobs, cross-database queries, linked servers, CLR, Database Mail, Service Broker, DTC
General Purpose (8 TB) and Business Critical (16 TB) tiers; Next-Gen GP raises the GP ceiling and improves IO throughput substantially
Native virtual network deployment — Managed Instance lives inside the customer VNet, no public endpoint required, full NSG and Private Link control
Instance Pools for cost-efficient consolidation of many small SQL workloads onto shared Managed Instance compute
Link feature for hybrid SQL Server 2022 → Managed Instance with continuous replication and one-click failover for DR or migration
Free Azure Hybrid Benefit for SQL Server license mobility plus eligibility for Extended Security Updates included for legacy SQL versions

SQL Server on Azure VM (IaaS)

Full SQL Server surface — Resource Governor, file streaming, FILETABLE, custom CLR, Polybase, and any feature the PaaS tiers do not yet offer
Memory-optimized M-series and Mv2-series VMs with up to 12 TB RAM for the largest single-instance SQL Server workloads in the industry
SQL IaaS Agent Extension delivers automated backup to Azure Blob, automated patching windows, and Defender for SQL on IaaS
Azure Site Recovery integration for cross-region SQL Server DR with consistent application-level replication
Eligible for SQL Server Extended Security Updates through Azure — legacy SQL 2008/2012/2014/2016 workloads get free ESU when run on Azure VM
Always On availability groups, log shipping, and database mirroring fully supported for the patterns PaaS HA cannot model

Six Azure SQL enterprise patterns

Pattern 1 — High-throughput OLTP at SaaS or e-commerce scale

Pattern 2 — Mission-critical applications that demand five-nines

Pattern 3 — SQL Server on-prem to Azure SQL migration

Pattern 4 — Multi-tenant SaaS with elastic per-tenant scale

Pattern 5 — ERP backing store (Dynamics 365 F&O, SAP, JDE migration)

Pattern 6 — Hybrid SQL with Azure Arc projection

Security stack

Azure SQL security — defense in depth on top of the engine

Transparent Data Encryption (TDE)

Always Encrypted + secure enclaves

Dynamic Data Masking

Azure SQL Ledger

Microsoft Defender for SQL

Private Link + VNet integration

HA + DR

High availability — three SLAs, three architectures, one decision tree

99.99% SLA

General Purpose / Premium remote storage

99.995% SLA

Business Critical + zone-redundant

99.99% SLA

Hyperscale with HA replicas

Cross-region DR — auto-failover groups

Cost optimization

Four levers that actually move the Azure SQL bill

1. Reserved Capacity

2. Azure Hybrid Benefit (AHB)

3. Serverless + auto-scale

4. Right-sizing from Query Store

The EPC Group Azure SQL Accelerator — five phases, fixed fee

Phase 1 — Assess

Full SQL estate inventory and migration classification in three weeks

SQL Server estate inventory by version, edition, Software Assurance status, license model, and Extended Security Update eligibility
Per-database compatibility classification — Azure SQL Database, Managed Instance, SQL on VM, or stay on-prem with Arc
Workload sizing — vCore, IO, memory, storage envelope for every target destination
Costed three-year TCO model comparing current state vs Azure SQL with reserved capacity and Azure Hybrid Benefit

Phase 2 — Design

Landing zone, HA, DR, security, and governance baseline

Hub-and-spoke network with Private Link for Azure SQL Database and VNet integration for Managed Instance
Defender for SQL, Azure Policy compliance initiatives, and Purview classification rules baseline configured
Always Encrypted with secure enclaves and Transparent Data Encryption with customer-managed keys (BYOK) configured
HA tier selection per workload — zone-redundant Business Critical, geo-DR via auto-failover groups, Hyperscale named replicas

Phase 3 — Migrate

Wave-based cutover with Azure Database Migration Service

Azure DMS online migration for zero-downtime cutover where the source uptime requirement demands it
Backup-restore migration for workloads where a maintenance window is acceptable and the cutover speed matters less than simplicity
Transactional replication-based migration for the largest workloads or the most cutover-sensitive applications
Per-wave acceptance criteria — query latency, transaction throughput, application smoke tests — before the wave is declared production

Phase 4 — Optimize

Performance, cost, and security tuning post-cutover

Intelligent performance — automatic tuning enabled with the right scope, Query Store baselines captured, regression alerting wired
Reserved capacity 1-year or 3-year applied to the steady-state portion of the estate, Serverless applied to the variable portion
Azure Hybrid Benefit applied estate-wide where SA-bound SQL licenses exist; PAYG applied where SA is lapsing
Defender for SQL alert tuning — suppress the false positives, surface the genuine threats, integrate with Microsoft Sentinel

Phase 5 — Operate

Run-state operations with optional managed services

Monthly operating review covering capacity utilization, cost trajectory, security findings, and performance regression
Quarterly DR test using zone-redundant failover, auto-failover groups, or Hyperscale named-replica promotion
Continuous Microsoft Defender for SQL and Defender for Cloud findings triage routed into Sentinel for SOC visibility
Optional fully-managed Azure SQL DBA service — patching, backup validation, capacity planning, incident response