Demystifying Azure Security - Azure SQL Database - Firewall Rule for Virtual Networks

@20aman    Mar 04, 2018

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Before going through this blog, please make sure you have covered these:

Setting up the Firewall Rule for Virtual Networks, at the SQL Server level, enables you to allow access to a subnet in a Virtual Network in Azure on all the SQL Databases on the SQL Server. The firewall rules are always set at the server level, hence any rule you put will allow access on all the databases on the SQL Server.

Setting up the Rules is very simple. You navigate to the firewall settings for the SQL Database/SQL Server (as discussed in the previous blog). Then you focus on the lower section on the blade for Virtual Network Firewall rules as shown below.

Virtual Network Firewall Rules section

Note that you can:

  1. Add existing virtual network
  2. Create a new virtual network (and provide access)

As a best practice, you should plan the virtual network and subnets before the configurations on the SQL Server Firewall.

When you click on "Add existing virtual network" you are presented with the below wizard. Here you select:

  1. The name for the rule. This could be any descriptive name for the rule.
  2. The Subscription where the virtual network exists
  3. Virtual network where you want to allow the access
  4. Subnet name within the Virtual network where you want to allow the access
Create/Update Virtual Network Firewall Rule

Below, is the screenshot of the rule with values populated. If the Service Endpoint is not enabled for the "Microsoft.Sql" provider then you will view a message for the same and the wizard will attempt to enable the same.

Virtual Network Firewall Rule Populated

Thats all there is to it. Just hit Ok and then hit Save to apply the rule.

Comments powered by Disqus