Changing Azure database port - azure

Is it possible to change the port that the Azure server uses? I currently only see the ability to add IP addresses that can be used to access the server. Or is it required that firewalls allow port 1433 outbound traffic?

Assuming you're referring to SQL Database Service and its associated firewall, no: You may only add IP addresses to the firewall, for access.
There is no ability to change the port that the service listens on. You'll need to allow for outbound traffic on port 1433, if you want to access the database remotely.
Also, just FYI - port 1433 is the standard SQL Server port.
Note: The inability to change the listening port is strictly for the SQL Database service. This restriction doesn't exist for SQL Server running in a VM, since you have total control of inbound ports and related port-mapping via network security groups.

A year+ later a lot has changed with Azure. There are a ton of offerings to help "bypass" internal firewalls for port 1433 and integrating with the services in Azure.
Azure is attempting to help developers with Synchronous Hybrid Connectivity to on-premises data sources or vice versa. My personal opinion would be for you to use On-Premises Data Gateway. Here are a few options to help with the port 1433 constants:
• WCF Relay
  • Service Bus offered relays almost from the beginning of Azure
  • Built on the WCF capability. Security was originally ACS, but now SAS
  • can be consumed by lots of different tech, eg biztalk, soap, rest, crm online and is very reusable
• Hybrid Connections
  • Built on Web Sockets so not confined to Windows. API accessible for other scenarios.
• Azure Virtual Network
  • Point-to-site virtual private network (VPN):
    • Established between a single PC connected to your network and the VNet.
    • Uses the SSTP protocol to provide encrypted communication over the Internet between the PC and the VNet. The latency for a point-to-site VPN is less predictable, since the traffic traverses the Internet.
  • Site-to-site VPN:
    • Established between your VPN device and an Azure VPN Gateway.
    • Connection is an IPSec/IKE VPN that provides encrypted communication over the Internet between your on-premises device and the Azure VPN gateway.
    • The latency for a site-to-site connection is less predictable, since the traffic traverses the Internet.
  • Azure ExpressRoute:
    • Established between your network and Azure, through an ExpressRoute partner.
    • This connection is private. Traffic does not traverse the Internet.
• On-Premises Data Gateway
  • Acts as a bridge between Azure PaaS and on-prem resources. Works with connectors for Logic Apps, Power Apps, Flow & Power BI:

When you connect to SQL Azure database, it connects through port 1433 by default and you can't change it.
You have to enable an outbound rule to allow traffic for SSMS to connect with Azure.

Related

Azure Services Networking Protocols

I am drawing network architecture for my solution based on Azure. One of the asks is to list the network protocols used for inter-resource communication (e.g. Azure Storage to Data Factory). I tried to get a comprehensive view in Azure documentation but couldn't reach to get what I wanted.
May I take your help to understand the network protocols used in the following scenarios?
Azure VNET to VNET
Communication between Azure PaaS services (since PaaS services are web pages, do they use HTTPS by default)?
Azure VM to PaaS service like Azure SQL
Azure VNET to VNET
• When communication between two virtual networks happens in Azure, the network protocols used in this scenario depend on the type of resources deployed in it, i.e., hosted in that virtual network. By default, only TCP, UDP and ICMP TCP/IP protocols are allowed within the virtual networks for communication purposes. DHCP via unicast (over UDP port 68 and 67) and UDP source port 65330, Multicast, Broadcast, IP-in-IP encapsulated packets and Generic Routing Encapsulation (GRE) packets are blocked within VNETs.
Communication between Azure PaaS services (since PaaS services are web pages, do they use HTTPS by default)?
• Communication between Azure PaaS services also depends on the type of communication that happens between them through the underlying resources and services that they offer. Also, mostly the communication between Azure PaaS services is TCP HTTPS protected by TLS 1.2 encryption level security certificates ensuring the security of the communication channel and protected by default Microsoft FQDN for the services.
Azure VM to PaaS service like Azure SQL
• The communication protocol between the Azure VM and Azure SQL is purely over TCP/IP over a specified and dedicated port for SQL transactions like 1433.

Accessing On-Premises database from Azure Web App

Please suggest if we can access on-premises MS SQL Server Database from Azure Web App behind ASE.
My understanding is that we just need to get sql port opened on firewall for connectivity from ASE subnet to on-premises subnet.
You could but there are other ways like Hybrid connections:
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint. It does not enable an alternate capability to access your application. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It is simply providing network access.
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
The other choice is VPN or ExpressRoute:
https://learn.microsoft.com/en-us/azure/app-service/environment/network-info

connect non domain joined PC to a single Server in Azure

I have an application that different clients will connect to on Azure. Each of my customers needs to connect to their own corresponding Server ONLY in Azure from their local networks.
What kind of connection (P2S, S2S) can I create from each of my customers' PCs to connect ONLY with their Server in Azure?
According to your scenario, I think P2S is better for you.
Site-to-Site configurations are between your on-premises location and Azure. This means that you can connect from any of your computers located on your premises to any virtual machine or role instance within your virtual network, depending on how you choose to configure routing. This type of connection relies on an IPsec VPN appliance (hardware or soft appliance), which must be deployed at the edge of your network. To create this type of connection, you must have the required VPN hardware and an externally facing IPv4 address.
If my understanding is correct, your customers' clients are not in one location; they have different private IPs. Based on my knowledge, you could not use S2S VPN.
Point-to-Site configurations let you connect from a single computer from anywhere to anything located in your virtual network.
P2S VPN does not require a VPN device. It is better for your scenario.
More information about difference between a Site-to-Site connection and Point-to-Site please refer to this link.

how to connect Microsoft Azure to on-premises sql database

Is it possible to connect a Microsoft Azure Web Site to a SQL Server Database hosted on-premises and, if so, what the steps that I need to follow?
Let any request in coming from your Azure Web Site IP and targeting TCP port 1433 through your firewall. Then change your connectionString on your Azure Web Site to point to the public gateway used on premise.
As #qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).

How to access internal web services from windows azure with restriction IP and port

We have an existing application to be migrated to Windows Azure.
Currently, it accesses another web service in another network, and the firewall in front of the web service trusts its IP and opens the port only for that application.
Which IP should I trust after migrated to Windows Azure? or other approach suggested?
Thanks a lot.
Currently Windows Azure does not offer a fixed IP address, so any IP based filter would be subject to potential risk if the IP address should change (which it can without notice).
I would recommend you explore either leveraging the service bus to create a peer-to-peer connection between the services, or possibly Azure Connect (an ipsec based VPN style connection).
