Windows Azure SQL Database Firewall
Microsoft Windows Azure SQL Database provides a relational database service for Windows Azure and other Internet-based applications. To help protect your data, the SQL Database firewall prevents all access to your SQL Database server until you specify which computers have permission. The firewall grants access based on the originating IP address of each request.
To configure your firewall, you create firewall rules that specify ranges of acceptable IP addresses. You can create firewall rules at the server and database levels.
- Server-level firewall rules: These rules enable clients to access your entire SQL Database server, that is, all the databases within the same logical server. These rules are stored in the master database. You create the server-level firewall rules using the Windows Azure Platform Management Portal or programmatically using the Operations on Server-Level Firewall Rules that are exposed by the SQL Database Management REST API. Alternatively, after you have established access, you can programmatically use the master database to review and edit your firewall configuration.
- Database-level firewall rules: These rules enable clients to access individual databases within your SQL Database server. These rules are created per database and are stored in the individual databases (including master). If you specify an IP address range in this rule that is beyond the range specified in the server-level firewall rule, only those clients that have an IP address in the range specified in the database-level rule can access the database. Therefore, these rules can be helpful in restricting clients' access to certain (secure) databases within the same logical server. You can have a maximum of 128 database-level firewall rules for a database. You create the database-level firewall settings for master and user databases using Transact-SQL. For more information, see How to: Configure the Database-Level Firewall Settings (Windows Azure SQL Database).
Note If you create a database federation in SQL Database where the root database contains database-level firewall rules, the rules are not copied to the federation member databases. If you need database-level firewall rules for the federation members, you will have to recreate the rules for the federation members. However, if you split a federation member containing a database-level firewall rule into new federation members using the ALTER FEDERATION … SPLIT statement, the new destination members will have the same database-level firewall rules as the source federation member. For more information about federations, see Federations in Windows Azure SQL Database (formerly SQL Azure).
This topic describes the SQL Database firewall and how you can define firewall rules to specify which clients can access your SQL Database server and individual databases.
In This Topic
- Overview
- Connecting from the Internet
- Connecting from Windows Azure
- Creating the First Firewall Rule
- Managing Server-Level and Database-Level Firewall Rules
- Troubleshooting the Firewall
Overview
Initially, all access to your SQL Database server is blocked by the SQL Database firewall; connection attempts originating from the Internet or Windows Azure will not be able to reach your SQL Database server. In order to begin using your SQL Database server, you must go to the Management Portal and specify one or more server-level firewall rules that enable access to your SQL Database server. Use the firewall rules to specify which IP address ranges from the Internet are allowed, and whether or not Windows Azure applications can attempt to connect to your SQL Database server.
However, if you want to selectively grant access to just one of the databases in your SQL Database server, you must create a database-level rule for the required database with an IP address range that is beyond the IP address range specified in the server-level firewall rule, and ensure that the IP address of the client falls in the range specified in the database-level rule.
Connection attempts from the Internet and Windows Azure must first pass through the SQL Database firewall before they can reach your SQL Database server or database, as shown in the following diagram.
Connecting from the Internet
When a computer attempts to connect to your SQL Database server from the Internet, the SQL Database firewall checks the originating IP address of the request against the full set of server-level and (if required) database-level firewall rules:
- If the IP address of the request is within one of the ranges specified in the server-level firewall rules, the connection is granted to your SQL Database server.
- If the IP address of the request is not within one of the ranges specified in the server-level firewall rules, the database-level firewall rules are checked. If the IP address of the request is within one of the ranges specified in the database-level firewall rules, the connection is granted only to the database that has a matching database-level rule.
- If the IP address of the request is not within the ranges specified in any of the server-level or database-level firewall rules, the connection request fails.
Note: In addition to configuring the SQL Database firewall, you may also need to configure the firewall on your network and local computer. To access a SQL Database database from your computer, ensure that the firewall on your network and local computer allows outgoing TCP communication on TCP port 1433. (The Windows Azure SQL Database service is only available with TCP port 1433.)
Connecting from Windows Azure
When an application from Windows Azure attempts to connect to your SQL Database server, the SQL Database firewall looks for a specific firewall setting that indicates whether Windows Azure connections are allowed.
A firewall setting with starting and ending address equal to 0.0.0.0 indicates that Windows Azure connections are allowed. If the connection attempt is not allowed, the request does not reach the SQL Database server.
Note: On the Management Portal, you can enable connections from Windows Azure with a single checkbox. For more information, see How to: Configure the Server-Level Firewall Settings (Windows Azure SQL Database).
Creating the First Firewall Rule
To connect to your SQL Database server for the first time, the first server-level firewall setting must be specified using the Management Portal or programmatically using the Operations on Server-Level Firewall Rules provided by the Database Management API. To begin configuring the firewall, on the Management Portal, click the Firewall Settings tab on the Server Administration page. If you are using the new Management Portal, click the server under your subscription. Add, Update, and Delete buttons are provided in the right pane to manage server-level firewall rules. If the server-level firewall rules and buttons are not visible, click the Firewall Rules button to toggle the server-level firewall rules view.
The Management Portal also allows you to remove server-level firewall settings. For more information about managing server-level firewall settings, see How to: Configure the Server-Level Firewall Settings (Windows Azure SQL Database).
You can also create a database-level firewall rule if you want to selectively allow access to certain user databases for specific clients. To create a database-level rule, see How to: Configure the Database-Level Firewall Settings (Windows Azure SQL Database).
Managing Server-Level and Database-Level Firewall Rules
After you have used the Management Portal to create a server-level firewall setting that enables connection to your SQL Database server, you can use the server-level principal login and the master database to view and edit your server-level firewall settings. In the master database, the firewall settings are referred to as rules. The sys.firewall_rules view displays the current firewall settings and the sp_set_firewall_rule and sp_delete_firewall_rule stored procedures allow you to change the firewall settings. For more information, see sys.firewall_rules (Windows Azure SQL Database), sp_set_firewall_rule (Windows Azure SQL Database), and sp_delete_firewall_rule (Windows Azure SQL Database).
Similarly, after creating a database-level firewall setting, you can login to the master or a user database to view the database-level firewall settings for the respective database. The sys.database_firewall_rules view in each database displays the current database-level firewall settings and the sp_set_database_firewall_rule and sp_delete_database_firewall_rule stored procedures allow you to change the firewall settings. For more information, see sys.database_firewall_rules (Windows Azure SQL Database), sp_set_database_firewall_rule (Windows Azure SQL Database), and sp_delete_database_firewall_rule (Windows Azure SQL Database).
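The following Transact-SQL script is an added example, not part of the original documentation, that walks through the management flow described above and the evaluation order from "Connecting from the Internet": it creates server-level rules (including the 0.0.0.0 Windows Azure rule), audits sys.firewall_rules numerically to show how wide each range is and which rule would admit a given client address, then creates and reviews a database-level rule. The rule names, the address ranges, the client address and the database name SecureDb are constructed values.

```sql
-- Added example; not from the original documentation. Rule names, address
-- ranges, the client address and the database name SecureDb are constructed.

-- === Part 1: run in the master database as the server-level principal ===

-- Server-level rule covering a constructed office range.
EXECUTE sp_set_firewall_rule
    @name = N'OfficeRange',
    @start_ip_address = '203.0.113.0',
    @end_ip_address = '203.0.113.255';

-- The special 0.0.0.0 to 0.0.0.0 rule is the "allow Windows Azure" switch.
EXECUTE sp_set_firewall_rule
    @name = N'AllowWindowsAzure',
    @start_ip_address = '0.0.0.0',
    @end_ip_address = '0.0.0.0';

-- Audit the server-level rules. Dotted quads must be compared numerically
-- (as strings, '9.0.0.1' sorts after '10.0.0.1'), so each address is folded
-- into a bigint. The query reports how many addresses every rule admits and
-- whether it would admit a constructed client address. Numerically the
-- 0.0.0.0 rule covers a single address, so it never admits an Internet client.
DECLARE @client_ip varchar(15) = '203.0.113.42';
DECLARE @client_num bigint =
      CAST(PARSENAME(@client_ip, 4) AS bigint) * 16777216
    + CAST(PARSENAME(@client_ip, 3) AS bigint) * 65536
    + CAST(PARSENAME(@client_ip, 2) AS bigint) * 256
    + CAST(PARSENAME(@client_ip, 1) AS bigint);

WITH rule_ranges AS (
    SELECT name,
           start_ip_address,
           end_ip_address,
           CAST(PARSENAME(start_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(start_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(start_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(start_ip_address, 1) AS bigint) AS start_num,
           CAST(PARSENAME(end_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(end_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(end_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(end_ip_address, 1) AS bigint) AS end_num
    FROM sys.firewall_rules
)
SELECT name,
       start_ip_address,
       end_ip_address,
       end_num - start_num + 1 AS address_count,   -- very wide ranges deserve review
       CASE WHEN @client_num BETWEEN start_num AND end_num
            THEN 1 ELSE 0 END AS admits_client
FROM rule_ranges
ORDER BY address_count DESC;

-- Remove a server-level rule that is no longer needed.
EXECUTE sp_delete_firewall_rule @name = N'OfficeRange';

-- === Part 2: run on a separate connection to the user database SecureDb ===
-- (USE is not supported for switching databases in SQL Database.)

-- A database-level rule admits one constructed workstation to SecureDb only,
-- even though its address lies outside every server-level range.
EXECUTE sp_set_database_firewall_rule
    @name = N'AuditorWorkstation',
    @start_ip_address = '198.51.100.7',
    @end_ip_address = '198.51.100.7';

-- Review the database-level rules for this database.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.database_firewall_rules;

-- Remove the database-level rule when it is no longer needed.
EXECUTE sp_delete_database_firewall_rule @name = N'AuditorWorkstation';
```

The audit query is the part worth keeping around: sorting by address_count surfaces rules that admit far more addresses than intended, and the admits_client column reproduces the server-level check the firewall performs before it falls back to the database-level rules. Remember that changes made with these procedures can take up to five minutes to take effect.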
Note: There can be a delay of up to five minutes before changes to the firewall settings take effect.
Troubleshooting the Firewall
Consider the following points when access to the Windows Azure SQL Database service does not behave as you expect:
- Local firewall configuration: Before your computer can access SQL Database, you may need to create a firewall exception on your computer for TCP port 1433.
- Network address translation (NAT): Due to NAT, the IP address used by your computer to connect to SQL Database may be different from the IP address shown in your computer's IP configuration settings. To see which IP address is being used, use that computer to connect to the Management Portal and click the Firewall Settings tab. When you click Add Rule or Edit Rule, your IP address is displayed in the dialog box with the label Your IP Address is.
- Changes to the allow list have not taken effect yet: There may be a delay of up to five minutes before changes to the SQL Database firewall configuration take effect.
- The login is not authorized or an incorrect password was used: If a login does not have permissions on the SQL Database server or the password used is incorrect, the connection to the SQL Database server will be denied. Creating a firewall setting only provides clients with an opportunity to attempt connecting to your SQL Database server; each client must provide the necessary security credentials. For more information about preparing logins, see Managing Databases and Logins in Windows Azure SQL Database.
- Dynamic IP address: If you have an Internet connection with dynamic IP addressing and you are having trouble getting through the SQL Database firewall, you could try one of the following solutions:
  - Ask your Internet Service Provider (ISP) for the IP address range assigned to your client computers that will access the SQL Database server, and then add the IP address range as a SQL Database firewall rule.
  - Get static IP addressing instead for your client computers, and then add the IP addresses as SQL Database firewall rules.
See Also