Unsolicited connection failures (blocked_by_firewall) against Azure SQL Database Logical Server & [master] database

Richard Main 1 Reputation point
2022-05-11T09:09:21.19+00:00

I am seeing multiple unsolicited connection failures (blocked_by_firewall) against an Azure SQL Database Logical Server & the [master] database in DMV sys.database_connection_stats - 236 in the last 48 hours.
These attempts all originate from 2 x IPs that seem to relate to other Azure customer's Azure SQL Database Logical Server (<individualname>.database.windows.net)
This is the TSQL I am using to spot these failures:
SELECT *
FROM sys.database_connection_stats
WHERE database_name = 'Master'
AND 24 >= DATEDIFF(HOUR, end_time, GETUTCDATE())
ORDER BY end_time;

Why am I seeing these?
Is this something to be concerned about?
Am I seeing these because these are other customers sharing the same underlying SQL infrastructure within the same Azure Region/DataCentre?

Azure SQL Database
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alberto Morillo 32,896 Reputation points MVP
    2022-05-11T13:34:08.323+00:00

    If you have the "Allow Azure services and resources to access this server" checkbox set off on the Azure SQL firewall settings, that may explain those failed conenctions.

    201018-image.png

    Those failed connections may be related to Microsoft services trying to gather statistics and management information from your logical server:

    Please considere to enable threat detection in order to have probably more information and take action in case of anomalous activities.

    You can also try to get more detailed information using Extended Events or by enabling Auditing. See the following query to teh ring buffer to gather more info like RemoteHost: 

    ;WITH RingBufferConnectivity as  
(   SELECT  
        records.record.value('(/Record/@id)[1]', 'int') AS [RecordID],  
        records.record.value('(/Record/ConnectivityTraceRecord/RecordType)[1]', 'varchar(max)') AS [RecordType],  
        records.record.value('(/Record/ConnectivityTraceRecord/RecordTime)[1]', 'datetime') AS [RecordTime],  
        records.record.value('(/Record/ConnectivityTraceRecord/SniConsumerError)[1]', 'int') AS [Error],  
        records.record.value('(/Record/ConnectivityTraceRecord/State)[1]', 'int') AS [State],  
        records.record.value('(/Record/ConnectivityTraceRecord/Spid)[1]', 'int') AS [Spid],  
        records.record.value('(/Record/ConnectivityTraceRecord/RemoteHost)[1]', 'varchar(max)') AS [RemoteHost],  
        records.record.value('(/Record/ConnectivityTraceRecord/RemotePort)[1]', 'varchar(max)') AS [RemotePort],  
        records.record.value('(/Record/ConnectivityTraceRecord/LocalHost)[1]', 'varchar(max)') AS [LocalHost]  
    FROM  
    (   SELECT CAST(record as xml) AS record_data  
        FROM sys.dm_os_ring_buffers  
        WHERE ring_buffer_type= 'RING_BUFFER_CONNECTIVITY'  
    ) TabA  
    CROSS APPLY record_data.nodes('//Record') AS records (record)  
)  
SELECT RBC.*, m.text  
FROM RingBufferConnectivity RBC  
LEFT JOIN sys.messages M ON  
    RBC.Error = M.message_id AND M.language_id = 1033  
WHERE RBC.RecordType='Error' --Comment Out to see all RecordTypes  
ORDER BY RBC.RecordTime DESC