Azure SQL Redirect Policy

Question

We have come across an issue where the connection to an Azure SQL instance is redirected to a different IP and port.

We first establish a connection to the host by connecting using the SQL FQDN on port 1433.

However traffic is being redirect to UKSouth and UKWest as per IPs mentioned here:

https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql#change-azure-sql-database-connection-policy

https://www.microsoft.com/en-us/download/details.aspx?id=56519

MS recommendation is to create firewall rules for ports 11000-11999 and to whitelist 30 IPs for our region.

There is some resistance from the internal security team to create firewall rules for 30 IPs and are asking if Microsoft has an FQDN in place for these IP ranges.

Can someone please advise

Answer 1

Hi Brian Francis

Thanks for using the Q&A platform.

Microsoft doesn’t provide a solitary FQDN for the dynamic IPs used in the 11000–11999 port range. However, you can simplify firewall rule management using Service Tags, which essentially group those IP ranges for your region under a tag like Sql.<region>.

Service Tags are special firewall tokens that represent a group of IP address prefixes for Azure services. For SQL, you're looking for these tags Sql.<region>. Using these tags, you don't need to maintain or update 30+ IP rules manually.

This configuration replaces hundreds of individual IP entries with just two clean rules, while still supporting the redirect connection method.

For additional information on how to get those tags for your required region, kindly go through the provided link:
https://www.microsoft.com/en-us/download/details.aspx?id=56519
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.

Regards,

Obinna.