How to configure an on-premises firewall to support Azure SQL Database IP rotation and switching.

20256908 0 Reputation points
2024-08-23T17:56:16.2033333+00:00

We have a customer that needs to know how to configure their firewall so that their firewall does not drop database connections, because Azure SQL server is constantly changing IPs.

Azure SQL Database

2 answers

  1. Vinodh247 34,666 Reputation points MVP Volunteer Moderator
    2024-08-25T05:58:26.4833333+00:00

    To ensure continuous connectivity to Azure SQL Database despite IP rotations and changes, you can follow these steps to configure an on-prem firewall:

    1. Use Azure SQL Database's Service Tags

    Azure provides service tags that represent a group of IP address prefixes to help manage the firewall rules. For Azure SQL Database, you should allow the Sql service tag. The firewall should be configured to allow outbound traffic to the Sql service tag over port 1433.

    2. Download and Automate the Update of the IP Ranges

    Microsoft publishes the IP ranges for Azure services, including Azure SQL Database. You can download the JSON file containing the IP ranges here. Use scripts to automate the process of updating your firewall rules based on this JSON file. Ensure the rules are updated regularly to avoid disruptions due to IP changes.

    3. Allow Traffic on Port 1433

    Azure SQL Database communicates over TCP port 1433. Ensure that your firewall allows outbound traffic on this port to the IP ranges specified in the JSON file or the Sql service tag.

    4. Consider Using Azure Private Link

    If your customer needs to avoid exposing their data to the internet, consider using Azure Private Link. This service allows you to access Azure SQL Database via a private endpoint, which will remain stable and eliminate concerns over IP changes.

    5. Monitor and Update as Necessary

    Keep monitoring for any updates or changes in IP ranges from Microsoft, and ensure the firewall configuration reflects those changes.

    This configuration will help ensure that the firewall does not drop the connection when Azure SQL's IP addresses change.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.


  2. Oury Ba-MSFT 20,926 Reputation points Microsoft Employee Moderator
    2024-08-26T19:29:59.5766667+00:00

    @20256908 Thank you for reaching out and sorry to hear about the issue you are facing.

    If you are using the proxy connection policy (the default when the connection comes from on-premises), then you will need to allow outbound traffic on port 1433 to all gateway and gateway subnets in your server's region. All possible IP addresses you can get will be contained in that range.

    You can find each region and IP range in this doc:

    Azure SQL Database connectivity architecture - Azure SQL Database and Azure Synapse Analytics | Microsoft Learn

    For example, for an East US server, the entire range to allow is:

    User's image

    For redirect connections, you can find the extended range here. It is also allocated by region, and you have to allow all of those IPs for your region on 1433,11000-11999 outbound:

    User's image

    Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center 

    If using a VNET in the same region, then you can leverage a service endpoint for the redirect connection policy:

    Virtual network endpoints and rules for databases - Azure SQL Database | Microsoft Learn

    For most customers using their own firewalls, though, the main one will be to allow the first one: the gateway and gateway subnets for their server's region on 1433 outbound.
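The automation suggested in the first answer (step 2) and the port ranges described in the second answer, as an added example that is not from either answer or from Microsoft: it reads the regional `Sql.<Region>` entry out of a file laid out like the published Service Tags JSON (`values[].name`, `properties.addressPrefixes`), diffs the prefixes against the firewall's current allow-list so stale rules are removed as well as new ones added, and renders vendor-neutral rule lines for TCP 1433 and 11000-11999. The sample JSON and the `render_rules` output format are constructed for this example; the prefixes are documentation ranges, not real Azure addresses.

```python
import ipaddress
import json

# Constructed sample in the shape of the public Service Tags file (only the
# fields this script reads). Prefixes are RFC 5737/3849 documentation ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "Sql.EastUS", "id": "Sql.EastUS",
         "properties": {"region": "eastus", "systemService": "AzureSQL",
                        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25",
                                            "2001:db8::/32"]}},
        {"name": "Sql.WestUS", "id": "Sql.WestUS",
         "properties": {"region": "westus", "systemService": "AzureSQL",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

# Outbound TCP ports from the answers: 1433 (gateway/proxy) and 11000-11999 (redirect).
SQL_PORTS = ["1433", "11000-11999"]


def sql_prefixes(service_tags_json, region_tag):
    """Return the IPv4 prefixes published for one regional Sql tag, e.g. 'Sql.EastUS'."""
    data = json.loads(service_tags_json)
    for entry in data["values"]:
        if entry["name"] == region_tag:
            nets = (ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"])
            # IPv6 prefixes are skipped here; include them if your edge is dual-stack.
            return sorted({str(n) for n in nets if n.version == 4})
    raise KeyError(f"service tag {region_tag!r} not found in file")


def plan_rule_changes(current_allowed, published):
    """Diff the current allow-list against the published set: add new, drop stale."""
    current, wanted = set(current_allowed), set(published)
    return {"add": sorted(wanted - current), "remove": sorted(current - wanted)}


def render_rules(prefixes, ports=SQL_PORTS):
    """Vendor-neutral rule lines (hypothetical syntax); map to your firewall's API."""
    return [f"allow tcp from LAN to {p} dport {port}" for p in prefixes for port in ports]


if __name__ == "__main__":
    published = sql_prefixes(SAMPLE_SERVICE_TAGS, "Sql.EastUS")
    changes = plan_rule_changes(["203.0.113.0/24", "192.0.2.0/24"], published)
    print(changes)
    print("\n".join(render_rules(changes["add"])))
```

Run it on each new download of the Service Tags file and apply the `add` and `remove` sets in one change window so the allow-list never drifts from what Microsoft publishes.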

