How to connect to Azure PaaS DB from a secure network - azure

I would like to connect to Azure SQL server from a Windows server via SSMS. In the "set server firewall" from Azure, I have given my server IP (from the system I would like to connect). I need to know the destination IP address of the Azure DB Server. From the Azure portal the location is showing Central US. To allow the firewall I need to know the destination IP address.
My questions are:
1. As Central US could have multiple IP addresses, do I need to provide all IPs to my firewall team?
2. How can I know the destination IP address (i.e. Azure) so that I can provide that to my firewall team?
Note: From SQL server management studio, the tcp default port for SQL is enabled and services are running fine.
Hope I have explained it correctly. Thanks

No. You cannot get a static IP address assignment for your Azure SQL Database. Moreover, what you refer to (mysqlserverdatabase.mysql.database.azure.com) designates your Azure SQL Database Server, not a single Database. This is a logical server, in which you can put up to 149 Databases (150 with the Master DB).
You have to work around your requirement for static IP address assignment to work with the DNS Name (mysqlserverdatabase.mysql.database.azure.com).
Otherwise, if your company firewall can't work with the DNS Name, you need to set the server connection policy to Proxy as documented in Azure SQL Connectivity Architecture. This allows the database gateway to proxy all traffic between the client and the DB server. The gateways all have static IP addresses, which are listed in the above document.

If you have set up a VNet in Azure, check out VNet Service Endpoints to connect Azure SQL.
https://azure.microsoft.com/en-in/blog/vnet-service-endpoints-for-azure-sql-database-now-generally-available/

Related

SSMS IP address changes after disconnecting from Azure SQL server

We are connecting to Azure SQL server for our work through SSMS. We are whitelisting all the developers' IPs in the Networking section of Azure SQL Server. Whenever we close the SSMS connection, the SSMS IP changes. Then we need to go and update the new IP in the Azure portal. Why does SSMS change the IP all the time? Any solution for this in SSMS settings?
Your ISP is probably providing you a dynamic IP. You can check your egress IP with a lot of online IP discovery services, e.g. https://wtfismyip.com/, and see if it changes overnight/day.
To avoid dealing with IP whitelists you could use a VPN Gateway or ExpressRoute to tunnel your devs to an Azure VNET and connect the Azure SQL DB with Private Link into that VNET.
Alternatively, you could use a Bastion host to run SSMS there.
But in the end, there is nothing which you or Microsoft can do on the Azure side to prevent your client IP from changing when your ISP doesn't provide you a static IP.
Of course, you can ask them to upgrade your internet to a static IP address. Or do you use multiple egress IPs in your company? In this case maybe speak with your network admin to get all egress IPs and whitelist those.

Azure SQL Database IP Firewall Rules - Restrict access to my private network IPs

thanks in advance
I have the following scenario:
SQL database on a SQL Server on premise (source)
SQL database on Azure (target)
I access my network from a VPN (F5 - BIG-IP Edge Client)
I created and configured an Azure VPN Gateway to connect to the VPN. With this configuration and the use of Azure Data Factory, it is possible to see my on-premise database and read the data.
I want to restrict access to the Azure SQL database only to clients from my on-premise network (or connected to the VPN). When I try to set the firewall IP rules, Azure only allows registering public IP addresses and does not recognize IPs from my on-premise network.
Questions
1) Is it possible to set access only to clients from inside my private network? How do I get this?
2) Is there another better option to get this secure connection?
Regards
SQL Azure maintains a firewall for the SQL Azure servers, preventing anyone from connecting to your server if you do not give their IP address permissions. Permissions are granted by client IP address. Any user’s desktop application that connected to SQL Azure would need to have the SQL Azure firewall open for them in order to connect. The client IP would be the IP address of the desktop machine as seen by the Internet.
Any desktop computer can access SQL Azure as long as it has Internet access, and port 1433 open for outbound connections.
If you're trying to connect from within a corporate network, you can add the user machine's public IP or the VPN endpoint IP if all users connect through it. Further, to allow access from specific on-premises machines, firewall rules can be used to limit connectivity only to your public (NAT) IPs.
As a more secure option, you can set up server-level firewall rules (server-level IP firewall rules apply to all databases within the same server) and set up database firewall rules (database-level firewall rules only apply to individual databases, can be configured using Transact-SQL statements, and only after you've configured a server-level firewall rule).
Create server-level and database-level firewall rules
Configure an Azure Active Directory (AD) administrator
Manage user access with SQL authentication, Azure AD authentication, and secure connection strings
Enable security features, such as Azure Defender for SQL, auditing, data masking, and encryption
Refer: Create firewall rules & Configure your client computers
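The three layers this answer describes (a server-level IP rule for the public NAT address, a VNet rule for clients that arrive through the Azure VPN Gateway, which is the VNet Service Endpoint approach the earlier answer points to, and a database-level rule in T-SQL) as one worked example. This is added here and is not code from the original posts; it uses the Az PowerShell and SqlServer modules, and every resource name, address and subnet below is an assumed placeholder.

```powershell
# Added example, not from the original answers. All names and addresses are assumed placeholders.
$rg         = "rg-data"          # resource group of the logical server
$server     = "testnetmarksrv"   # logical server name, without .database.windows.net
$vpnNatIp   = "203.0.113.10"     # constructed: public (NAT) egress address of the on-premise network / VPN
$vnetName   = "vnet-hub"         # assumed VNet that the Azure VPN Gateway terminates in
$subnetName = "snet-data"        # assumed subnet whose clients may reach the server

# 1. Server-level IP rule: a single public address (start = end). Avoid broad ranges such as
#    0.0.0.0-255.255.255.255; the rule applies to every database on the logical server.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName "onprem-vpn-egress" -StartIpAddress $vpnNatIp -EndIpAddress $vpnNatIp

# 2. VNet rule via the Microsoft.Sql service endpoint: clients in the subnet are identified by
#    their private address, so no public IP of theirs has to be allow-listed.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Sql" | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg |
    Get-AzVirtualNetworkSubnetConfig -Name $subnetName
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-snet-data" -VirtualNetworkSubnetId $subnet.Id

# 3. Database-level rule (T-SQL). It only works once a server-level rule exists and applies to
#    this one database, so a client allowed into "reporting" gains nothing on the other databases.
$adminUser     = "sqladmin"                         # assumed SQL admin login
$adminPassword = Read-Host "SQL admin password"     # prompted, never stored in the script
$sql = @"
EXECUTE sp_set_database_firewall_rule N'onprem-vpn-egress', '$vpnNatIp', '$vpnNatIp';
SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules;
"@
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database "reporting" `
    -Username $adminUser -Password $adminPassword -EncryptConnection -Query $sql

# 4. Review what the server now allows. A rule named AllowAllWindowsAzureIps with the range
#    0.0.0.0-0.0.0.0 is the "Allow Azure services" switch and admits every Azure-hosted client.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

Step 4 is the check worth repeating after any portal change: the server-level list is what every database inherits, and the VNet rule only restricts the network path, not which logins may connect.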

NSG and routing details to connect a Microsoft Flow with Azure SQL database in a VNET

I have a SQL Server DB in a VM in a VNET in an Azure Subscription. Currently it does not have any connection open to the Internet.
My application team has designed a Microsoft Flow application that will read some emails, parse them in some way and push those files into the SQL Server database (local storage).
I cannot open my VM NSG to the entire internet. What NSG Rules do I need to implement?
The IP address from which Microsoft Flow requests are sent depends on the region where the environment that contains the flow is located. If you want to access SQL Database hosted on Azure VM from your Microsoft Flow application, you may whitelist these IP addresses.
Then you could follow these steps in how to open ports to a virtual machine with the Azure portal to open port 1433 and the protocol. Configure the outbound IP addresses above as the source IP addresses and destination port range 1433 in the inbound rule of the NSG. Also, you need to ensure the same inbound traffic flow in the VM's own firewall.
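The NSG rule and the matching guest-firewall rule described above, as an added example that is not part of the original answer. It uses the Az.Network and NetSecurity modules; the resource names are assumed and the Flow egress ranges are constructed placeholders that must be replaced with the ranges Microsoft publishes for the environment's region.

```powershell
# Added example, not from the original answer. Names and address ranges are placeholders.
$rg      = "rg-app"
$nsgName = "nsg-sqlvm"
# Constructed placeholders: replace with the Microsoft Flow egress ranges published for your
# environment's region. Keep the list tight; each extra prefix is an extra source that can reach 1433.
$flowEgress = @("198.51.100.0/24", "203.0.113.0/24")

# Inbound NSG rule: TCP 1433 only from the Flow ranges. Everything else still hits the default
# DenyAllInBound rule (priority 65500), so the VM is never opened to the whole Internet.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-flow-sql-1433" `
    -Description "Microsoft Flow -> SQL Server (TCP 1433)" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
    -SourceAddressPrefix $flowEgress -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 1433 | Set-AzNetworkSecurityGroup

# Verify the effective rule set rather than trusting the portal view.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg).SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange

# Inside the VM (Windows guest firewall): mirror the same source restriction, so a later,
# broader NSG rule does not silently expose the instance.
New-NetFirewallRule -DisplayName "SQL Server from Microsoft Flow" -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $flowEgress -Action Allow -Profile Any
```

The first part runs from a workstation with an authenticated Az session; the last command runs on the VM itself. Both rules carry the same source list on purpose: the NSG and the guest firewall are independent controls, and the connection has to pass both.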

Associate static IP to a Azure SQL server/database

I need to associate a public static IP address that points to an Azure SQL server; the server only has a DNS name but doesn't have an IP address. I already tried Azure Load Balancer, Traffic Manager and DNS, and in none of the services is there an option to associate a static IP that points to the database name, for example the DB name is: testnetmarksrv.database.windows.net
Any options…?
This architecture provides the answer: Azure SQL Database gateway IP addresses.
The table with the Public IP addresses for each region is what you will need to use for your firewall configuration with the Public IP address of the gateway as the destination address on your firewall and also allowing traffic outbound on port 1433 as this is the only port that the gateway will listen on.
I performed a couple of tests to ensure that mydatabase.windows.net resolves to the IP address displayed in the table and it seems to have worked for me. I don't know if this is the official record Microsoft has for listing the public IP addresses for their IP addresses, as I could not see some of the newer data centers on that list. The other thing that you will need to do is to set your Azure SQL Database connection to Proxy mode. The following PowerShell will set that.
# Get SQL Server ID
$sqlserverid = (Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).ResourceId
# Set URI
$id = "$sqlserverid/connectionPolicies/Default"
# Get current connection policy
(Get-AzResource -ResourceId $id).Properties.connectionType
# Update connection policy (hashtable literal is @{...}; -Force skips the confirmation prompt)
Set-AzResource -ResourceId $id -Properties @{"connectionType" = "Proxy"} -Force
I am not sure about why you have a requirement to limit outbound SQL traffic but will urge you to also have a look at restricting inbound connections to your Azure SQL Databases.
This should be done on the Azure SQL Server that your Azure SQL Database lives on. Below are some resources to help configure an Azure SQL Server firewall rule/s; they provide a number of methods to set firewall rules, including through the portal, through SQL and through the command line.
Azure SQL Database and SQL Data Warehouse IP firewall rules
Hope this helps!
No. You cannot get a static IP address assignment for your Azure SQL Database. Moreover, what you refer to (testnetmarksrv.database.windows.net) designates your Azure SQL Database Server, not a single Database. This is a logical server, in which you can put up to 149 Databases (150 with the Master DB).
You have to work around your requirement for static IP address assignment to work with the DNS Name (testnetmarksrv.database.windows.net).
You need to set the server connection policy to Proxy as documented in Azure SQL Connectivity Architecture. This allows the database gateway to proxy all traffic between the client and the DB server. The gateways all have static IP addresses, which are listed in the above document.
Currently most regions default to the Proxy connection policy if the connection comes from outside Azure, but this is changing on 2nd Jan 2019, so make sure to explicitly set the policy if you require static IP addresses.
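Both answers to this question, and the first question on this page, come down to the same check: after the connection policy is set to Proxy, the logical server's DNS name should resolve to one of the region's published gateway addresses, and those addresses on TCP 1433 are what the firewall team needs. The script below is an added example, not code from the original answers; it uses Resolve-DnsName from the DnsClient module, the server name from the question, and a constructed placeholder gateway list that must be replaced with the addresses from the connectivity architecture document.

```powershell
# Added example, not from the original answers.
$serverFqdn = "testnetmarksrv.database.windows.net"   # logical server name from the question
# Constructed placeholders: replace with the gateway addresses listed for the server's region in
# the Azure SQL connectivity architecture document. The comparison below is only as good as this list.
$regionGatewayIps = @("198.51.100.5", "198.51.100.6")

function Test-SqlGatewayResolution {
    param([string]$Fqdn, [string[]]$GatewayIps)
    # Follow the CNAME chain down to the A records the client will actually connect to,
    # asking DNS directly rather than the local cache.
    $aRecords = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly |
        Where-Object { $_.QueryType -eq 'A' }
    foreach ($rec in $aRecords) {
        [pscustomobject]@{
            Fqdn        = $Fqdn
            ResolvedIp  = $rec.IPAddress
            IsGatewayIp = ($GatewayIps -contains $rec.IPAddress)
        }
    }
}

$result = Test-SqlGatewayResolution -Fqdn $serverFqdn -GatewayIps $regionGatewayIps
$result | Format-Table -AutoSize

if ($result.IsGatewayIp -contains $false) {
    # Either the policy is not Proxy yet, or the gateway table you copied is stale for this region.
    Write-Warning "Resolved an address outside the gateway list; confirm the connection policy is Proxy and the gateway table is current."
}

# Egress rules to hand to the firewall team: with the Proxy policy only TCP 1433 to the
# gateway addresses is needed, one rule per listed address.
foreach ($ip in $regionGatewayIps) {
    "allow tcp from <client-subnet> to $ip port 1433"
}
```

Run it once before and once after changing the policy with the Set-AzResource command shown above; the warning is expected before, and should disappear after. Re-run it whenever the gateway table is updated, since a new gateway address that is missing from the firewall rule shows up as a connection timeout rather than an error.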

how to connect Microsoft Azure to on-premises sql database

Is it possible to connect a Microsoft Azure Web Site to a SQL Server Database hosted on-premises and, if so, what the steps that I need to follow?
Let any request coming from your Azure Web Site IP and targeting TCP port 1433 through your firewall. Then change your connectionString on your Azure Web Site to point to the public gateway used on premise.
As @qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).