Exporting Azure SQL database to BACPAC fails when Storage Account is restricted to "Selected networks"

Ivan Panshin 20 Reputation points
2025-10-28T11:59:18.03+00:00

Hi,

I’m trying to export an Azure SQL database to a BACPAC file using both the Azure Portal and the az sql db export command.

The target Storage Account has the following configuration:

Storage Account → Networking → Public network access: Enable from selected networks

To allow the export service access, we already tried the following:

  • Added the public IPv4 address of the machine from which the export was initiated to the Firewall / Allowed IP addresses list.

  • Enabled “Allow Azure services on the trusted services list to access this storage account”.

  • Added the Microsoft.Sql resource provider to the allowed list (with scope All in current subscription).

However, the export still fails to access the Storage Account.

The documentation states:

Storage behind a firewall is currently not supported for the Import/Export service.

Source: https://learn.microsoft.com/en-us/azure/azure-sql/database/database-export

My understanding

The Azure SQL Import/Export service runs on Microsoft-managed backend infrastructure which is not part of my VNet and not included in the allowed networks list, and therefore:

  • Even if the client machine’s IP is allowed,

  • Even if “Allow trusted Microsoft services” is enabled,

  • And even if Microsoft.Sql is permitted,

the Import/Export service still cannot access a storage account that is restricted to selected networks.

Question

Can you please confirm that in order for the Azure SQL Import/Export (Portal / az sql db export) to work, I would need to:

  • Temporarily set Storage Account network access to “Enabled from all networks”

I just want to confirm this behavior before changing our networking policy.

SQL Server on Azure Virtual Machines

Answer accepted by question author
  1. Luis Arias 9,481 Reputation points Volunteer Moderator
    2025-10-29T12:32:35.8466667+00:00

    Hello Ivan Panshin,

    Welcome to Microsoft Q&A. As far as I know, no, the Import/Export service runs on Microsoft-managed infra that isn’t part of your VNet, so it can’t access a Storage Account locked to “Selected networks.” Even if you allow your client IP, enable “Allow trusted Microsoft services,” and add Microsoft.Sql to the permitted list, it still fails.

    But there’s a workaround: Private Link support is now available (in preview). With this, you can securely connect the Import/Export service to your Storage Account using a service-managed private endpoint, even when network access is restricted. You’ll need to configure it via Azure Portal, PowerShell, or REST API, and make sure the SQL server allows the connection.

    Reference:

    If this resolves your question, please accept the answer.

    Luis
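
The Private Link route described in the accepted answer, written out in PowerShell as an added example (not code posted by either participant in this thread). It assumes the Az.Sql, Az.Storage and Az.Network modules with a signed-in session; every name in angle brackets is a placeholder, and the preview feature may behave differently in your tenant.

```powershell
# Added example: resource names are placeholders, not values from the thread.
$rg       = '<resource-group>'
$server   = '<sql-server-name>'
$database = '<database-name>'
$account  = '<storage-account-name>'

$storage   = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$sqlServer = Get-AzSqlServer -ResourceGroupName $rg -ServerName $server
$cred      = Get-Credential -Message 'SQL administrator login'

# The storage firewall stays closed for this route; warn if someone opened it.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($rules.DefaultAction -ne 'Deny') {
    Write-Warning "Storage default action is $($rules.DefaultAction), expected Deny"
}

# Request the export over service-managed private endpoints.
$export = New-AzSqlDatabaseExport -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $database `
    -StorageKeyType 'StorageAccessKey' `
    -StorageKey (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value `
    -StorageUri "https://$account.blob.core.windows.net/<container>/$database.bacpac" `
    -AdministratorLogin $cred.UserName -AdministratorLoginPassword $cred.Password `
    -UseNetworkIsolation $true `
    -StorageAccountResourceIdForPrivateLink $storage.Id `
    -SqlServerResourceIdForPrivateLink $sqlServer.ResourceId

# The endpoints are created in a pending state on both resources and need
# explicit approval. They can take a while to appear: rerun this step if
# nothing is listed yet. Each approval is confirmed by the operator.
foreach ($id in $storage.Id, $sqlServer.ResourceId) {
    Get-AzPrivateEndpointConnection -PrivateLinkResourceId $id |
        Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' } |
        ForEach-Object {
            if ((Read-Host "Approve '$($_.Name)' on $id ? (y/n)") -eq 'y') {
                Approve-AzPrivateEndpointConnection -ResourceId $_.Id `
                    -Description 'BACPAC export via Private Link'
            }
        }
}

# Poll until the export leaves the InProgress state, then show the result.
do {
    Start-Sleep -Seconds 15
    $status = Get-AzSqlDatabaseImportExportStatus -OperationStatusLink $export.OperationStatusLink
} while ($status.Status -eq 'InProgress')
$status
```

After the export finishes, review the private endpoint connections on the storage account and the SQL server and remove any that are no longer needed.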

