How to restrict access to my Azure SQL Database from services on Azure?

When I created our Azure SQL DB I accepted the offer to "Allow Azure Services to access server". I think that was necessary to let our Azure webserver access the DB.

1. Is that correct?

2. If so, then doesn't that mean that any webserver on Azure (regardless of the company that created it) can, if they find out our Azure SQL DB Name, attempt to access our server?

TIA,

edm2

August 30th, 2015 5:32pm

1. Yes, that is correct.

2. Yes, that is also correct.  To mitigate exposure, one can create a static IP address for their Windows Azure VM [link] and then limit the FW to that specific static IP address.

August 30th, 2015 6:09pm

Joseph --

I think you are referring to Windows VMs. I don't think this applies to Azure SQL Databases, which are fully managed by Microsoft.

edm2

August 30th, 2015 7:30pm

Each Azure SQL Database server has an IP-based firewall.  In the Azure Portal, one can check a box that enables the Azure SQL Database server to be connected to from any IP within the Azure IP range.  Thus, any Azure VM does have the ability to initiate a connection to a database for that particular server, as the request originates from the Azure IP range. To further restrict the IP addresses that are able to connect to an Azure SQL Database, one can create a static IP address for their test/stage/prod Azure VM and thus restrict the Azure SQL Database server firewall rule to a specific IP address that is managed and a part of the same application.

Azure VMs have a similar concept in which one can restrict the open ports and the IP addresses that are able to access those ports.

August 30th, 2015 8:10pm

Interesting. You wrote

>>> one can create a static IP address for their test/stage/prod Azure VM and thus restrict the Azure SQL

Can you provide a URL showing how to create a static IP address on a managed VM such as Azure SQL Database?  (Again, my current understanding is that we can NOT have a static IP address assigned to a server.  That's why I don't know of any way to prevent other companies with Azure subscriptions, in their "naughty" moments, from trying to access our Azure SQL Server.)

edm2

August 30th, 2015 10:04pm

Sorry for the confusion.  One cannot currently create a static IP for Azure SQL Database.  You can, however, control which IP addresses can connect to your Azure SQL Database via an IP-firewall if the requesting server has a static IP.
August 30th, 2015 10:08pm

Yes, that may just be a limitation of the present architecture. Again, as I don't know the IP addresses of potential troublemakers, especially those using Azure, I can't protect the Azure SQL Database by the firewall/IP combination alone. Something else is needed.

edm2

August 30th, 2015 11:57pm

1) Azure VM hosting your application:

  • Configure a static IP address (e.g., 207.40.30.33)

2) Azure SQL Database:

  • Disable "Allow all Azure services to access.."
  • Limit the Azure SQL Database firewall rules to only the static IP of the Azure VM hosting the application (i.e., 207.40.30.33) [this way, only a connection originating from your app in step 1 will be able to attempt a connection to your Azure SQL Database]
  • Marked as answer by edm2 5 hours 58 minutes ago
August 31st, 2015 12:26pm
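
The two steps from the accepted answer, written as T-SQL against the logical server's master database (an added example, not part of the original thread). It relies on the documented behaviour that the "Allow Azure services" setting is stored as a server-level firewall rule whose start and end address are both 0.0.0.0; the rule name `AppVmStaticIp` is hypothetical, and 207.40.30.33 is the example address used in the answer.

```sql
-- Run while connected to the master database of the Azure SQL
-- logical server, as the server-level principal login.

-- 1. Review the current server-level rules. The portal's
--    "Allow Azure services" switch shows up as a rule with
--    start_ip_address = end_ip_address = '0.0.0.0'.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
ORDER BY name;

-- 2. Admit the application VM's static IP first, so the application
--    keeps its access when the broad rule is removed.
EXEC sp_set_firewall_rule
    @name             = N'AppVmStaticIp',   -- hypothetical rule name
    @start_ip_address = '207.40.30.33',     -- example IP from the answer
    @end_ip_address   = '207.40.30.33';

-- 3. Remove the allow-all-Azure rule, located by its range rather
--    than by a hard-coded name.
DECLARE @azure_rule NVARCHAR(128);

SELECT @azure_rule = name
FROM sys.firewall_rules
WHERE start_ip_address = '0.0.0.0'
  AND end_ip_address   = '0.0.0.0';

IF @azure_rule IS NOT NULL
    EXEC sp_delete_firewall_rule @name = @azure_rule;

-- 4. Verify: list anything that is still broader than a single
--    address. An empty result means only single-IP rules remain.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
WHERE start_ip_address <> end_ip_address
   OR start_ip_address = '0.0.0.0';
```

Database-level rules in `sys.database_firewall_rules` are evaluated as well, so they need the same review in each user database.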

This topic is archived. No further replies will be accepted.
