SQL Azure Firewall
Microsoft SQL Azure provides a relational database service for Windows Azure and other Internet-based applications. To help protect your data, the SQL Azure firewall prevents all access to your SQL Azure server until you specify which computers have permission. The firewall grants access based on the originating IP address of each request.
To configure your firewall, you create firewall rules that specify ranges of acceptable IP addresses. This can be accomplished using the Windows Azure Platform Management Portal or programmatically using the Operations on Firewall Rules that are exposed by the SQL Azure Database Management REST API. Alternatively, after you have established access, you can programmatically use the master database to review and edit your firewall configuration.
This topic describes the SQL Azure firewall and how you can define firewall settings to specify which clients should have access to your SQL Azure server.
Overview
Initially, all access to your SQL Azure server is blocked by the SQL Azure firewall; connection attempts originating from the Internet or Windows Azure will not be able to reach your SQL Azure server. In order to begin using your SQL Azure server, you must go to the Management Portal and specify one or more firewall settings that enable access to your SQL Azure server. Use the firewall settings to specify which IP address ranges from the Internet are allowed, and whether or not Windows Azure applications can attempt to connect to your SQL Azure server.
Connection attempts from the Internet and Windows Azure must first pass through the SQL Azure firewall before they can reach your SQL Azure server, as shown in the following diagram.
Connecting from the Internet
When a computer attempts to connect to your SQL Azure server from the Internet, the SQL Azure firewall checks the originating IP address of the request against the full set of firewall settings. If the IP address of the request is not within one of the ranges specified, the connection attempt is blocked and does not reach the SQL Azure server.
Note: In addition to configuring the SQL Azure firewall, you may also need to configure the firewall on your network and local computer. To access a SQL Azure database from your computer, ensure that the firewall on your network and local computer allows outgoing TCP communication on TCP port 1433. (The SQL Azure Database service is only available with TCP port 1433.)
Connecting from Windows Azure
When an application from Windows Azure attempts to connect to your SQL Azure server, the SQL Azure firewall looks for a specific firewall setting that indicates whether Windows Azure connections are allowed.
A firewall setting with starting and ending address equal to 0.0.0.0 indicates that Windows Azure connections are allowed. If the connection attempt is not allowed, the request does not reach the SQL Azure server.
Note: On the Management Portal, you can enable connections from Windows Azure with a single checkbox. For more information, see How to: Configure the SQL Azure Firewall.
Creating the First Firewall Rule
In order to connect to your SQL Azure server for the first time, the first firewall setting must be specified using the Management Portal or programmatically using the Operations on Firewall Rules provided by the Database Management API. To begin configuring the firewall, on the Management Portal, click the Firewall Settings tab on the Server Administration page. If you are using the new Management Portal, click the server under your subscription. Add, Update, and Delete buttons are provided in the right pane to manage firewall rules. If the firewall rules and buttons are not visible, click the Firewall Rules button to toggle the firewall rules view.
The Management Portal also allows you to remove firewall settings. For more information about managing firewall settings, see How to: Configure the SQL Azure Firewall.
The Master Database
After you have used the Management Portal to create a firewall setting that enables connection to your SQL Azure server, you can use the server-level principal login and the master database to view and edit your firewall settings.
In the master database, the firewall settings are referred to as rules. The sys.firewall_rules view displays the current firewall settings and the sp_set_firewall_rule and sp_delete_firewall_rule stored procedures allow you to change the firewall settings. For more information, see sys.firewall_rules (SQL Azure Database), sp_set_firewall_rule (SQL Azure Database), and sp_delete_firewall_rule (SQL Azure Database).
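As an added example that is not part of the original article, the following T-SQL walks through the master-database workflow described above, and also shows the 0.0.0.0 rule that the Connecting from Windows Azure section says enables Windows Azure connections; the rule names and IP addresses are constructed placeholders.

```sql
-- Added example (not from the original article): manage firewall rules from
-- the master database. Rule names and IP addresses are constructed
-- placeholders. Run while connected to master with the server-level
-- principal login.

-- 1. Review the current rules.
SELECT id, name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.firewall_rules;

-- 2. Allow a single client address (constructed example value).
--    sp_set_firewall_rule creates the rule, or updates it if the name exists.
EXEC sp_set_firewall_rule
    @name = N'OfficeEgress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address = '203.0.113.10';

-- 3. Allow connections from Windows Azure: as documented above, this is a
--    rule whose starting and ending address are both 0.0.0.0.
EXEC sp_set_firewall_rule
    @name = N'AllowWindowsAzure',
    @start_ip_address = '0.0.0.0',
    @end_ip_address = '0.0.0.0';

-- 4. Review check: classify each rule so the broad ones stand out, namely the
--    Windows Azure rule, any rule covering the whole IPv4 space, and ranges.
SELECT name, start_ip_address, end_ip_address,
       CASE
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'Windows Azure connections allowed'
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
               THEN 'Entire Internet allowed: review'
           WHEN start_ip_address <> end_ip_address
               THEN 'Address range: confirm it is still needed'
           ELSE 'Single address'
       END AS assessment
FROM sys.firewall_rules
ORDER BY name;

-- 5. Remove a rule that is no longer needed. Changes can take up to five
--    minutes to take effect, as noted in the article.
EXEC sp_delete_firewall_rule @name = N'OfficeEgress';
```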
Note: Changes to the firewall settings can take up to five minutes to take effect.
Troubleshooting the Firewall
Consider the following points when access to the SQL Azure Database service does not behave as you expect:
- Local firewall configuration: Before your computer can access SQL Azure, you may need to create a firewall exception on your computer for TCP port 1433.
- Network address translation (NAT): Due to NAT, the IP address used by your computer to connect to SQL Azure may be different from the IP address shown in your computer's IP configuration settings. To see which IP address is being used, use that computer to connect to the Management Portal and click the Firewall Settings tab. When you click Add Rule or Edit Rule, your IP address is displayed in the dialog box with the label Your IP Address is.
- Changes to the allow list have not taken effect yet: Changes to the SQL Azure firewall configuration can take as much as five minutes to take effect.
- The login is not authorized or an incorrect password was used: If a login does not have permissions on the SQL Azure server or the password used is incorrect, the connection to the SQL Azure server will be denied. Creating a firewall setting only gives clients an opportunity to attempt a connection to your SQL Azure server; each client must still provide the necessary security credentials. For more information about preparing logins, see Managing Databases and Logins in SQL Azure.