Share via


Create and manage Azure Database for MySQL firewall rules by using the Azure CLI

APPLIES TO: Azure Database for MySQL - Single Server

Important

Azure Database for MySQL single server is on the retirement path. We strongly recommend that you upgrade to Azure Database for MySQL flexible server. For more information about migrating to Azure Database for MySQL flexible server, see What's happening to Azure Database for MySQL Single Server?

Server-level firewall rules can be used to manage access to an Azure Database for MySQL Server from a specific IP address or a range of IP addresses. Using convenient Azure CLI commands, you can create, update, delete, list, and show firewall rules to manage your server. For an overview of Azure Database for MySQL firewalls, see Azure Database for MySQL server firewall rules.

Virtual Network (VNet) rules can also be used to secure access to your server. Learn more about creating and managing Virtual Network service endpoints and rules using the Azure CLI.

Prerequisites

Firewall rule commands:

The az mysql server firewall-rule command is used from the Azure CLI to create, delete, list, show, and update firewall rules.

Commands:

  • create: Create an Azure MySQL server firewall rule.
  • delete: Delete an Azure MySQL server firewall rule.
  • list: List the Azure MySQL server firewall rules.
  • show: Show the details of an Azure MySQL server firewall rule.
  • update: Update an Azure MySQL server firewall rule.

Sign in to Azure and list your Azure Database for MySQL Servers

Securely connect Azure CLI with your Azure account by using the az login command.

  1. From the command-line, run the following command:

    az login
    

    This command outputs a code to use in the next step.

  2. Use a web browser to open the page https://aka.ms/devicelogin, and then enter the code.

  3. At the prompt, sign in using your Azure credentials.

  4. After your login is authorized, a list of subscriptions is printed in the console. Copy the ID of the desired subscription to set the current subscription to use. Use the az account set command.

    az account set --subscription <your subscription id>
    
  5. List the Azure Databases for MySQL servers for your subscription and resource group if you are unsure of the names. Use the az mysql server list command.

    az mysql server list --resource-group myresourcegroup
    

    Note the name attribute in the listing, which you need to specify the MySQL server to work on. If needed, confirm the details for that server and using the name attribute to ensure it is correct. Use the az mysql server show command.

    az mysql server show --resource-group myresourcegroup --name mydemoserver
    

List firewall rules on Azure Database for MySQL Server

Using the server name and the resource group name, list the existing server firewall rules on the server. Use the az mysql server firewall list command. Notice that the server name attribute is specified in the --server switch and not in the --name switch.

az mysql server firewall-rule list --resource-group myresourcegroup --server-name mydemoserver

The output lists the rules, if any, in JSON format (by default). You can use the --output table switch to output the results in a more readable table format.

az mysql server firewall-rule list --resource-group myresourcegroup --server-name mydemoserver --output table

Create a firewall rule on Azure Database for MySQL Server

Using the Azure MySQL server name and the resource group name, create a new firewall rule on the server. Use the az mysql server firewall create command. Provide a name for the rule, as well as the start IP and end IP (to provide access to a range of IP addresses) for the rule.

az mysql server firewall-rule create --resource-group myresourcegroup --server-name mydemoserver --name FirewallRule1 --start-ip-address 13.83.152.0 --end-ip-address 13.83.152.15

To allow access for a single IP address, provide the same IP address as the Start IP and End IP, as in this example.

az mysql server firewall-rule create --resource-group myresourcegroup --server-name mydemoserver --name FirewallRule1 --start-ip-address 1.1.1.1 --end-ip-address 1.1.1.1

To allow applications from Azure IP addresses to connect to your Azure Database for MySQL server, provide the IP address 0.0.0.0 as the Start IP and End IP, as in this example.

az mysql server firewall-rule create --resource-group myresourcegroup --server mysql --name "AllowAllWindowsAzureIps" --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

Important

This option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

Upon success, each create command output lists the details of the firewall rule you have created, in JSON format (by default). If there is a failure, the output shows error message text instead.

Update a firewall rule on Azure Database for MySQL server

Using the Azure MySQL server name and the resource group name, update an existing firewall rule on the server. Use the az mysql server firewall update command. Provide the name of the existing firewall rule as input, as well as the start IP and end IP attributes to update.

az mysql server firewall-rule update --resource-group myresourcegroup --server-name mydemoserver --name FirewallRule1 --start-ip-address 13.83.152.0 --end-ip-address 13.83.152.1

Upon success, the command output lists the details of the firewall rule you have updated, in JSON format (by default). If there is a failure, the output shows error message text instead.

Note

If the firewall rule does not exist, the rule is created by the update command.

Show firewall rule details on Azure Database for MySQL Server

Using the Azure MySQL server name and the resource group name, show the existing firewall rule details from the server. Use the az mysql server firewall show command. Provide the name of the existing firewall rule as input.

az mysql server firewall-rule show --resource-group myresourcegroup --server-name mydemoserver --name FirewallRule1

Upon success, the command output lists the details of the firewall rule you have specified, in JSON format (by default). If there is a failure, the output shows error message text instead.

Delete a firewall rule on Azure Database for MySQL Server

Using the Azure MySQL server name and the resource group name, remove an existing firewall rule from the server. Use the az mysql server firewall delete command. Provide the name of the existing firewall rule.

az mysql server firewall-rule delete --resource-group myresourcegroup --server-name mydemoserver --name FirewallRule1

Upon success, there is no output. Upon failure, error message text displays.

Next steps