Explain behavior of SQL Azure when assigned to Network Security Perimeter

Antonio Buonaiuto 21 Reputation points MVP
2025-11-19T08:45:20.14+00:00

I'm using a network security perimeter.

In the perimeter there are two resources assigned: a storage account and an Azure SQL.

I'm using the BULK INSERT dbo.YourTable FROM 'sample_data.csv' getting data from the storage account.

The NSP is enforced for both resources, so public connectivity is denied for resources outside the perimeter.

I have experienced this behavior: Azure SQL CANNOT access the storage account because of two issues:

  1. I need to add an outbound rule in the NSP to reach the storage FQDN
  2. I need to add an inbound rule in the NSP to allow the public IP of the SQL Azure

When I do 1 and 2, Azure SQL is able to pump data from the storage.

IMHO this is not the expected behavior for two resources in the NSP. I expect that, as they are in the same NSP, they can communicate with each other.

I also have a Key Vault in the NSP, and I'm using it to get the encryption keys for the same storage. For the Key Vault, I didn't have to create any rule to make it able to communicate with the storage, as they are in the same NSP.

I know Azure SQL is in preview for the NSP, but I want to ask if the experienced behavior (the SQL CANNOT connect to the storage even if in the same NSP) is due to an unstable or unimplemented feature, or am I missing something?

Azure SQL Database

1 answer

  1. Manoj Kumar Boyini 1,660 Reputation points Microsoft External Staff Moderator
    2025-11-19T10:48:04.15+00:00

    Hi Antonio Buonaiuto,

    Thank you for reaching out to Microsoft QA. The behavior you are experiencing is due to the current preview status of the NSP for Azure SQL Database. Unlike services like Azure Key Vault, Azure SQL requires explicit outbound rules to the Storage Account’s domain and inbound rules for its public IP within the NSP to allow the BULK INSERT operation to succeed.

    This level of control is by design in the preview phase to ensure secure boundaries. Microsoft is actively working on enhancing NSP capabilities, and future updates may reduce the need for these manual rules.

    In the meantime, your approach of adding these outbound and inbound rules is the correct way to enable communication between SQL Database and Storage within the NSP.

    Helpful References:
    1. https://learn.microsoft.com/en-us/azure/azure-sql/database/network-security-perimeter?view=azuresql
    2. https://learn.microsoft.com/en-us/azure/azure-sql/database/security-overview?view=azuresql
    3. https://docs.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview

    Hope this helps. Do let us know if you have any further queries.

    1 person found this answer helpful.
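
The two rules from the question (outbound FQDN rule for the storage account, inbound rule for the SQL public IP), scripted with the Azure CLI as an added example that is not part of the original thread. The resource group, perimeter, profile and rule names are placeholders, the `.blob.core.windows.net` suffix assumes the Azure public cloud, and the script assumes the `az network perimeter` commands are installed.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are placeholders.
RG="rg-example"; NSP="nsp-example"; PROFILE="profile-example"

# Print the command for review unless APPLY=1 is set.
# The printed form drops shell quoting, so it is for reading, not pasting.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# True only for one dotted-quad IPv4 address: no CIDR suffix, no ranges.
is_single_ipv4() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Step 1: outbound rule so Azure SQL can reach the storage account's blob FQDN.
outbound_rule() {  # $1 = storage account name (lowercase letters and digits)
  case "$1" in
    ""|*[!a-z0-9]*) echo "invalid storage account name: $1" >&2; return 1 ;;
  esac
  run az network perimeter profile access-rule create \
    --name allow-sql-to-storage --direction Outbound \
    --fqdn "['$1.blob.core.windows.net']" \
    --perimeter-name "$NSP" --profile-name "$PROFILE" --resource-group "$RG"
}

# Step 2: inbound rule for the SQL public IP, always pinned to a /32 so the
# rule cannot be widened to a range (or 0.0.0.0/0) by a bad argument.
inbound_rule() {  # $1 = public IPv4 address of the Azure SQL server
  is_single_ipv4 "$1" || { echo "expected one IPv4 address, got: $1" >&2; return 1; }
  run az network perimeter profile access-rule create \
    --name allow-sql-public-ip --direction Inbound \
    --address-prefixes "['$1/32']" \
    --perimeter-name "$NSP" --profile-name "$PROFILE" --resource-group "$RG"
}
```

Calling `outbound_rule examplestorage` and `inbound_rule 203.0.113.10` (a documentation address) prints both commands; setting `APPLY=1` runs them.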