Configuring the Azure SQL Database Firewall

SQLShack

February 28, 2017 by Minette Steynberg

Introduction

The Azure SQL Database firewall lets you decide which IP addresses may or may not have access to either your Azure SQL Server or your Azure SQL database. When creating an Azure SQL Database, the firewall needs to be configured before anyone will be able to access the database. By default, no external access to your SQL Database will be allowed until you explicitly assign permission by creating a firewall rule. An initial server level rule will need to be created using the portal before you will be able to access your SQL Database server.

How to create the initial server level rule

To create the initial server level firewall rule, you need to go to the Firewall settings in Azure and add an IP range which will be allowed access. Access from the client you are connecting from can be added by clicking on the Add client IP button. This will automatically add a rule with the IP address of the client you are currently connecting from as both the Start and End IP, allowing you to access the server on which your database resides.

Figure 1: Create initial firewall rule

This rule can also be created using the REST API or Azure PowerShell.

Types of firewall rules

There are 2 types of firewall rules: server level rules and database level rules.

Server level rules

Server level rules allow access to the Azure SQL Server, which means that the client will have access to all the databases stored on that SQL Server. Server level rules are stored in the master database. Only subscription owners or contributors can create server level firewall rules using the Azure portal, PowerShell or the REST API. Server principal logins or Azure Active Directory administrators can create rules using Transact-SQL. Typically, this access will be given to administrators or anyone who may need access to all the databases. As a best practice, server level access should only be given when absolutely necessary and database level rules must be used wherever possible.

Creating a server level rule

In Azure, you can get to the server firewall configuration screen in the portal in 2 ways:

1. Go to your Azure SQL Server and select the Firewall option under Settings.

Figure 2: Firewall under Settings

2. When you have selected your SQL Database in the Azure portal, click on the Set server firewall button. This sets the server firewall; the database firewall cannot be configured in the portal.

Figure 3: Set server firewall from SQL Database portal

Once you are on the firewall settings screen, the rule name and the from and to IP addresses of the allowable range must be configured.

Figure 4: Parameters to configure

Server level rules can also be configured using Transact-SQL, PowerShell or the REST API; the PowerShell and REST API methods are beyond the scope of this article. To create or modify a server level rule using Transact-SQL, the following statement can be executed on the master database:

EXECUTE sp_set_firewall_rule N'my_server_rule', '168.0.0.2', '168.0.0.2';

and a server level rule can be deleted (again on the master database) using:

EXECUTE sp_delete_firewall_rule N'my_server_rule';

Database level rules

Unlike server level rules, database level rules are stored within the relevant database. Database level rules cannot be created using the Azure portal or PowerShell; they can only be created using Transact-SQL. Using database level rules adds security by ensuring that clients do not have access to databases that they don't need, and it also makes it easier to move databases, since the rules are contained within the database itself.

Creating a database level rule

Database level rules can only be created using Transact-SQL. The following T-SQL command can be used to create or modify an existing rule:

EXECUTE sp_set_database_firewall_rule N'my_db_rule', '168.0.0.0', '168.0.0.0';

The first parameter is the rule name, followed by the first IP address that you wish to give access to. The third parameter is the last IP address in the range you wish to give access to. Setting the start IP address and the end IP address to the same address will only provide access to that one specific IP address. CONTROL permission is required on the database on which you want to create the firewall rule. Once the command has been issued to change a rule, the change can take up to 5 minutes to take effect. To delete a database firewall rule use:

EXECUTE sp_delete_database_firewall_rule N'my_db_rule';
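The two scopes described above, worked through end to end as an added example that is not part of the original article. The rule names and addresses are constructed placeholders. Each statement has to be run while connected to the database named in its comment, because Azure SQL Database does not allow USE to switch database context within a session.

```sql
-- Added example (not from the original article). Least-privilege layout:
-- one narrow server level rule for a DBA workstation and one database level
-- rule for an application host. Addresses are constructed placeholders.

-- 1. Server level rule: run while connected to the master database.
--    Giving the same value as start and end IP admits exactly one address.
EXECUTE sp_set_firewall_rule
    @name             = N'dba_workstation',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Confirm it landed in master: server level rules are listed in sys.firewall_rules.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM   sys.firewall_rules
WHERE  name = N'dba_workstation';

-- 2. Database level rule: run while connected to the user database itself
--    (requires CONTROL on that database). The rule travels with the database
--    when it is copied or moved, and admits the client only to this database.
EXECUTE sp_set_database_firewall_rule
    @name             = N'app_host',
    @start_ip_address = '203.0.113.20',
    @end_ip_address   = '203.0.113.20';

-- Confirm it is stored in the database, not in master.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM   sys.database_firewall_rules
WHERE  name = N'app_host';

-- 3. Clean-up. Each scope has its own delete procedure; the database level one
--    is run in the user database, the server level one in master.
EXECUTE sp_delete_database_firewall_rule @name = N'app_host';
EXECUTE sp_delete_firewall_rule          @name = N'dba_workstation';
```

Checking the catalog view right after each call makes the scope difference visible: the server rule never appears in sys.database_firewall_rules and the database rule never appears in sys.firewall_rules, and a change can still take a few minutes to be enforced by the gateway even though the row is already there.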

Viewing existing rules

To view existing server and database level rules, you can use the system views sys.firewall_rules and sys.database_firewall_rules. For example:

SELECT * FROM sys.firewall_rules

Figure 5: sys.firewall_rules result

This must be executed on the master database and will display the server level rules. Note how the AllowAllWindowsAzureIps rule has both a start and an end IP address of 0.0.0.0. To view existing database level rules you can execute the following command on the relevant database:

SELECT * FROM sys.database_firewall_rules

Figure 6: sys.database_firewall_rules result

Allowing access from Azure

To allow connections from Azure to your Azure SQL Server, the Allow access to Azure services setting must be set to ON. This effectively adds a rule with a from and to address of 0.0.0.0. It is important to remember that this also allows access to anyone else with an Azure subscription, so configuring permissions on your SQL Server itself is pivotal.

Figure 7: Allow access to Azure services

How the rules are applied

Any connection attempt from either Azure or the Internet will be met by the firewall, which checks the rules in the following order:

1. The database level rules are applied first. Any client whose IP address falls within the allowable range of a database level firewall rule for the specific database will be allowed to pass through to that database directly.

2. If the above check fails, the server level firewall rules are applied. If the IP address of the client falls within the allowable range of a server level rule, access will be granted to all the SQL Databases on the server.

3. If the IP address is not in the allowable range of either kind of rule, the connection will fail.
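The following script, added here and not part of the original article, ties together the three preceding sections: it reads the catalog views from "Viewing existing rules", flags the 0.0.0.0 rule that "Allowing access from Azure" creates, and applies the matching order just described to the current session. It is written for the user database and sys.database_firewall_rules; to audit the server level rules, run it in master with sys.firewall_rules in place of that view (the second query is then moot, since every rule there is server level). The client address is taken from the session via CONNECTIONPROPERTY, the /24 threshold is my own choice, and the @rules table variable is a local construct.

```sql
-- Added example (not from the original article). Audits firewall rules and
-- reports which rule, if any, admitted the current session.

-- Source address of this session as seen by the Azure SQL gateway. It may be an
-- IPv6 address or '<local machine>', in which case the IPv4 arithmetic below
-- yields NULL and the match columns show 'no' rather than a wrong answer.
DECLARE @client varchar(48) =
    CAST(CONNECTIONPROPERTY('client_net_address') AS varchar(48));

-- Dotted-quad text converted to a number once, so that ranges compare
-- numerically instead of as strings ('9.0.0.0' sorts after '10.0.0.0' as text).
-- PARSENAME returns NULL for anything that is not a four-part name.
DECLARE @client_num bigint =
      CAST(PARSENAME(@client, 4) AS bigint) * 16777216
    + CAST(PARSENAME(@client, 3) AS bigint) * 65536
    + CAST(PARSENAME(@client, 2) AS bigint) * 256
    + CAST(PARSENAME(@client, 1) AS bigint);

-- Local working table: rules with their numeric bounds, computed once per row.
DECLARE @rules TABLE (
    name      nvarchar(128),
    start_ip  varchar(45),
    end_ip    varchar(45),
    start_num bigint,
    end_num   bigint
);

INSERT INTO @rules (name, start_ip, end_ip, start_num, end_num)
SELECT r.name, r.start_ip_address, r.end_ip_address, ip.start_num, ip.end_num
FROM   sys.database_firewall_rules AS r        -- sys.firewall_rules when run in master
CROSS APPLY (
    SELECT
          CAST(PARSENAME(r.start_ip_address, 4) AS bigint) * 16777216
        + CAST(PARSENAME(r.start_ip_address, 3) AS bigint) * 65536
        + CAST(PARSENAME(r.start_ip_address, 2) AS bigint) * 256
        + CAST(PARSENAME(r.start_ip_address, 1) AS bigint) AS start_num,
          CAST(PARSENAME(r.end_ip_address, 4) AS bigint) * 16777216
        + CAST(PARSENAME(r.end_ip_address, 3) AS bigint) * 65536
        + CAST(PARSENAME(r.end_ip_address, 2) AS bigint) * 256
        + CAST(PARSENAME(r.end_ip_address, 1) AS bigint)   AS end_num
) AS ip;

-- 1. Audit: width of each rule and a finding. The 0.0.0.0 to 0.0.0.0 rule is the
--    one created by "Allow access to Azure services"; it admits any Azure
--    subscription, so it is called out separately from merely wide ranges.
SELECT name, start_ip, end_ip,
       end_num - start_num + 1 AS addresses_allowed,
       CASE
           WHEN start_ip = '0.0.0.0' AND end_ip = '0.0.0.0'
               THEN 'allows any Azure service, from any subscription'
           WHEN end_num - start_num + 1 > 256
               THEN 'review: wider than a /24'
           ELSE 'ok'
       END AS finding,
       CASE WHEN @client_num BETWEEN start_num AND end_num THEN 'yes' ELSE 'no' END
           AS matches_this_session
FROM   @rules
ORDER BY addresses_allowed DESC;

-- 2. Which path admitted this session? Database level rules are checked first, so
--    a client that matches none of them must have come in through a server level
--    rule in master (or the connection would have been refused).
SELECT @client AS client_ip,
       CASE
           WHEN EXISTS (SELECT 1 FROM @rules
                        WHERE @client_num BETWEEN start_num AND end_num)
               THEN 'admitted by a database level rule'
           ELSE 'no database level rule matches; admitted by a server level rule in master'
       END AS admitted_by;
```

Run from a few different client networks, the second query gives a quick picture of whether application hosts are really coming in through the narrow database level rules or silently relying on a broad server level rule, which is the situation the best-practice advice above is trying to avoid.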

Authentication

The firewall restricts the clients which are allowed to connect to your SQL Database, but it does not authenticate users. User authentication happens at the database level. Similarly to SQL Server on premises, two methods of authentication can be used:

SQL Authentication, which is a username and password created on the SQL Server database.

Azure Active Directory Authentication, which is integrated security based on a domain.