A client wants to open up their firewall to allow our app on their server to connect to our Azure SQL Server by adding the IP Address of the Azure SQL Server to their firewall.
Of course on our side we add their static IP address to our Azure SQL Server's firewall to allow inbound access.
The part where they are requesting the IP address of our Azure SQL Server:
Please can you supply us the Public IP of this server in Azure as this IP you have given is a Private IP.
We restrict traffic to SQL server to only allow from approved IPs.
Can you furnish us with the External Server IP and the Ports the system uses so we can create Firewall rules for you.
How would I go about getting the IP address for the Azure SQL Server?
Could it be referring to this list: Gateway IP addresses
You are correct, the article describes connectivity from outside to Azure SQL Server:
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture#connectivity-from-outside-of-azure
and the range of IP addresses of the Gateway that passes traffic from outside to Azure SQL Server:
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture#gateway-ip-addresses
As long as they are not blocking outgoing traffic in their firewall, you should be good to go without having the IP address of the SQL Server, right? You might need some ports to open up, though.
On-topic: you can download a file that contains the Azure IP Ranges and Service Tags for the public Azure cloud.
This file contains the IP address ranges for Public Azure as a whole, each Azure region within Public, and ranges for several Azure Services (Service Tags) such as Storage, SQL and AzureTrafficManager in Public. This file currently includes only IPv4 address ranges but a schema extension in the near future will enable us to support IPv6 address ranges as well. Service Tags are each expressed as one set of cloud-wide ranges and broken out by region within that cloud. This file is updated weekly. New ranges appearing in the file will not be used in Azure for at least one week.
As stated in the quote, the file is updated weekly, so this could mean weekly updates are needed on their end.
Try to open PowerShell and run: tnc {xxx-xxx-xxx}-sqlserver.database.windows.net -port 1433
My client's application accesses an Azure SQL Server database. This database has IP restrictions (only registered IPs can access the database). My IP is dynamic and I cannot change it at the moment.
In case I get a VPN with a dedicated IP address, would I be able to access the database? Or is it possible that they also have some restrictions that identify if I am using a VPN (I do not know if that is possible)?
Thank you all.
Going via a VPN will likely increase your latency, but it will provide a fixed IP address that the Azure firewall will see. If this IP address is allowed access then you will be OK.
The other option would be to create a VM in Azure and run your queries from there - this will be easier for them to grant access to as it is likely that access from Azure will already be enabled.
How do I make a connection to an AWS hosted database, and pull or query data into a local or Azure hosted SQL Server DB? Can I be directed to the right place or resource?
Thanks.
There's nothing special about the fact that they're in AWS or Azure VMs. For this to work, you need TCP/IP connectivity from your client to the server, and you need port 1433 to not be blocked along the way.
The VM in AWS or Azure needs to have an externally visible IP address, or you need to be connecting via a VPN to the internal network of the cloud-hosted system. The operating system on that VM that's hosting SQL Server needs to have a firewall rule that allows port 1433 inbound.
Once you can do that, you can then just set up a Linked Server on your end that refers to the SQL Server at the other end. That will allow you to query the tables on the server via four-part names, i.e. linkedservername.databasename.schemaname.tablename.
If you have SQL Server with the same collation at both ends, also ensure you set "collation compatible" on the linked server configuration. (It can make a huge performance difference)
Getting below exception when my Azure Function App tries to connect with Azure SQL Server.
Cannot open server 'my-sql-sever' requested by the login. Client with IP address '52.165.228.212' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
I was under the impression that by default all Azure IPs of the SQL database are whitelisted to Azure Function.
Please suggest.
Thanks,
Siraj
You can either configure your SQL to allow connections from inside Azure or you have to create a firewall rule for the Azure Function IP address (see Create and manage IP firewall rules)
We need to whitelist our function app's hosted IP address. This can be found in the configuration settings. This is typically a range.
In the Azure Server/Database firewall we can set the IP from which connections to the SQL Server can be made. However, if I set any IP address, e.g. 101.202.203.204, then all users of the database can connect through that IP.
There is one user which is used by the application. I do not want anyone to connect to the production database using this username. This connection should only be permissible from the VM hosting the application in Azure.
In SQL Server there is a feature named Logon trigger wherein I can determine the username and the IP address from where the connection is being made and accordingly refuse if the connection request is invalid. This feature would have been helpful, however this feature is not available in the Azure SQL Server which I am using as a service.
Thanks in advance.
I'm not sure that this is the best way to secure a SQL Server/SQL Azure database, but technically you can do this using a login trigger where you check the user name and the IP address in the trigger. There's an example in the docs for triggers here that is basically what you are requesting (checks the login name). You'd just need to join with sys.dm_exec_connections and validate that the IP address is what you wanted.
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-2017
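As an added example (not the answer's code or the code from the linked docs), this logon trigger refuses a constructed application login 'app_user' unless the session's client_net_address is on an approved list. It assumes an instance where logon triggers are available (SQL Server or Azure SQL Managed Instance) and a constructed login 'trigger_owner_login' that holds VIEW SERVER STATE.

```sql
-- Added example (not the answer's or Microsoft's code). Refuses the constructed
-- application login 'app_user' unless it arrives from an approved client address.
-- 'trigger_owner_login' is a constructed login that must hold VIEW SERVER STATE,
-- because the connecting login itself may not be allowed to read the DMV.
CREATE TRIGGER trg_app_user_source_ip
ON ALL SERVER WITH EXECUTE AS 'trigger_owner_login'
FOR LOGON
AS
BEGIN
    -- Only police the shared application login; leave other logins untouched
    -- so a mistake here cannot lock out administrators.
    IF ORIGINAL_LOGIN() = N'app_user'
    BEGIN
        DECLARE @client_ip VARCHAR(48);

        -- The row for the current session carries the caller's network address.
        SELECT @client_ip = client_net_address
        FROM sys.dm_exec_connections
        WHERE session_id = @@SPID;

        -- Constructed allowlist: the private address of the application VM.
        -- A NULL address (e.g. an unexpected transport) is treated as not allowed.
        IF @client_ip IS NULL
           OR @client_ip NOT IN ('10.0.0.4')
        BEGIN
            -- ROLLBACK inside a logon trigger aborts the connection attempt;
            -- SQL Server records the refusal in the error log.
            ROLLBACK;
        END
    END
END;
```

Test with a non-privileged login before relying on it; if the trigger ever blocks everyone, connect through the Dedicated Administrator Connection, where logon triggers do not fire, and drop it.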
How could I connect to Azure DB from any IP that uses Azure,
without setting the range 0.0.0.0 - 255.255.255.255 in the firewall?
If by connect to Azure DB from any ip that uses Azure you mean any applications running in Azure, then it is possible to do so. In the portal where you configure firewall rules, simply turn on "Allow access to Azure services".
What this does is that it creates a special firewall rule with Start/End IP address as 0.0.0.0. You will not see this firewall rule in portal though.
To do this thing programmatically, simply create a new firewall rule and set the Start/End IP address as 0.0.0.0.
However if your question is about any client IP address that connects to your database, then I would agree with #Aravind's comment above. You should not allow direct connection to your databases from anywhere but only facilitate it via a proxy service/API layer as mentioned by him.
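As an added example (not from this answer or the Azure Function answer above), the T-SQL below shows the broad 0.0.0.0 rule that "Allow access to Azure services" creates beside the narrower per-address rule the Function App answer recommends, run against the master database of the logical server. The rule names are constructed; the IP address is the one from the Function App error message above.

```sql
-- Added example, not from the original answers. Run in the master database
-- of the logical server as a server admin. Rule names are constructed.

-- Broad setting: the special 0.0.0.0/0.0.0.0 rule is what the portal's
-- "Allow access to Azure services" toggle creates. It admits traffic from
-- any Azure-hosted resource, including resources in other tenants.
EXECUTE sp_set_firewall_rule
    @name             = N'AllowAllWindowsAzureIps',
    @start_ip_address = '0.0.0.0',
    @end_ip_address   = '0.0.0.0';

-- Narrower setting: admit only the Function App's outbound address
-- (the address the server reported as refused in the error message).
-- Function Apps can have several outbound addresses; add one rule per address
-- or a contiguous range, and re-check them after scaling or plan changes.
EXECUTE sp_set_firewall_rule
    @name             = N'FunctionApp-Outbound',
    @start_ip_address = '52.165.228.212',
    @end_ip_address   = '52.165.228.212';

-- Review what is currently open; the 0.0.0.0 rule is listed here even though
-- the portal shows it only as a toggle.
SELECT name, start_ip_address, end_ip_address, create_date
FROM sys.firewall_rules
ORDER BY create_date;

-- Once the specific rule is confirmed working, remove the broad one.
EXECUTE sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';
```

Server-level rules apply to every database on the logical server; for a single database, sp_set_database_firewall_rule in that database scopes the allowance to it alone.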