I try to access my Azure SQL Database via U-SQL but I got the following error:
Internal error! Cannot open server 'testusql' requested by the login.
Client with IP address '104.44.91.xx' is not allowed to access the
server. To enable access, use the Windows Azure Management Portal or
run sp_set_firewall_rule on the master database to create a firewall
rule for this IP address or address range. It may take up to five
minutes for this change to take effect.
I found an article about IP range in US (here), but not in Europe. Where can I find information about the range for North Europe?
I configured the Azure SQL Server firewall to allow access to Azure Services, but it not works (maybe due to the different regions).
Thank you very much.
Peter
my apology but I am currently on vacation, so I had not time to update the IP ranges yet. It should be 104.44.91.64/27 for EU North.
Related
I have a Website (App Service), 1 Sql Server with 2 databases on it.
Each month I randomly get an error:
Cannot open server 'myServer' requested by the login. Client with IP address 'xx.xxx.87.3' is not allowed to access the server.
To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range.
It may take up to five minutes for this change to take effect.
My question is, how do I know what application/service this IP address is?
It's not the IP address of my website and if I ping the CNAME of my database, it doesnt match this IP. But if I don't add it, my whole site doesn't work.
I must add this manually once per month, when something changes. How do I find out what this IP address is connected to?
Basically, there are 2 ways to solve your issue:
Specify Allow Azure services and resources to access this server as Yes on your SQL server firewall-config so that your SQL server will allow all Azure resources to access.
Adding all of the outbound IPs of your Azure app service into your SQL server firewall whitelist. It has a higher security level than the first way. You can find all the outbound IPs on Azure Portal here:
We use UK West as our primary region and UK South as our secondary. We have a database server in West that we created a SQL Failover Group in order to replicate to South.
What I'm looking to know is whether an Application in UK South, can connect to the SQL Failover Group when the the Primary is still West?
I've already tested using a bi-directional VNet Connection, but I'm getting a forbidden request when connecting from South, which leads me to believe the connection is not being used.
System.AggregateException: One or more errors occurred. (Cannot open server 'ppd-ons-comet-sql-ukwest' requested by the login. Client with IP address '51.140.146.129' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
We have a sql server firewall setup with no IP access and "Allow Azure Services" flag also set to off.
I understand this means no azure services and no external clients will be able to access the sql server and database.
however, when i try Import Database option on sql server, with bacpac stored in azure storage, we get a strange error of an IP that needs to be given access in sql server firewall. The error reads.
Client with IP address 65.52.129.125 is not allowed to access the server.
While our azure infra is in West Europe, there is no mention of what this IP belongs to and what is the purpose of it.
The same error of course also occurs from Infra as a code approach and CI-CD Pipelines. and I think adding an IP without any information is risky.
Has anyone faced this before? or if anyone knows , what is azure database import using underneath for which this IP needs access and will it always be the same?
65.52.129.0 - 65.52.129.255 is an IP address range owned by Microsoft Corporation and located in Netherlands.
Please read the following explanation about why you should enable Azure Services access on the firewall at least while doing export/import operations. When you finish import/export operations, then disable Azure Services access.
"The IP address space used for outbound connections from the Import/Export Service infrastructure to the target logical server is not documented, and is subject to change at any time. Therefore, given that connections to the target Azure SQL Database server are gated by server firewall, the only fully reliable way to ensure that the Import/Export service will be able to connect is to enable the firewall rule that allows access from all Azure services (or, equivalently, from the 0.0.0.0 IP address). Obviously, opening the firewall to a large IP address space is a network security risk. Security conscious organizations will want to mitigate this risk by disabling this firewall rule as soon as the import operation completes successfully..."
Source is here.
Because of my machine IP gets changed dynamically (get ip using website whatismyip.com ) I could not able to access and set Server-Level Firewall Rules to sql azure database.
I tried to add range also 0.0.0.0 to 255.255.255.255 but it is not working.
Is there any work around to access SQL Azure?
getting error:
I wrote a post a while ago on how to access the SQL Azure instance using point-to-site VPN provided by Azure Virtual Network. It does not require anything to be open on the SQL Azure side. Here is a link to it: http://rtumaykin-it.blogspot.com/2015/01/using-linux-iptables-port-forwarding.html
Here is how to create a Virtual network and VPN: https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/
Hope this solution can help.
SQL Azure requires you to add your public IP address to be added to restriction so that you can access it. Go to whatismyip.com , fetch the address you get there and paste it in the Azure Management portal to the allowed IP List.
I've a single Web Role Cloud Service instance running the South East Asia, with a SQL Azure Database running in the same region. I am hitting a firewall issue and the connection is blocked unless I add the Cloud Services public virtual IP to the SQL server firewall.
From everything I've read, if the two systems are in the same region, and 'Allowed Windows Azure Services' is enabled (which adds 0.0.0.0 to the firewall), then the two should be able to communicate internally?
I have some concerns about things being routed inappropriately (is data going outside the network / am I being charged for it), and having to reconfigure the firewall should the VIP change.
Is there some other address I am supposed to access the SQL azure instance by (currently hitting blah.database.windows.net)?
Your understanding is correct. If I were you I would open a support ticket with Microsoft; I have heard of this issue before, although I never experienced it myself. This sounds like an issue, so report it and watch your next invoice carefully.
Firstly,
Allowed Windows Azure Services - Will allow only azure services to access the database.
Secondly,
To be able to access the database server from any other endpoint, you need to add firewall rules to allow those specific IP ranges. If you want to connect from a machine with ip, 132.99.xx.xx you need to add a rule with start IP and end IP as 132.99.xx.xx
Hope this helps!