Apparently one must explicitly specify (whitelist) the IP addresses that will be allowed access to a SQL Azure DB. I want, though, to have N-gazillion* users that will access these tables for data specific to them.
delusions of grandeur/megalomania
Will these need to first provide me with their IP address so that I can add it as a valid entry, or is there a programmatic way to do it, or some other workaround?
It would be advisable to have some sort of middle ware access the db and not your clients directly.
However if you want any IP to be able to connect to the db just add this entry to the firewall list:
Azure Portal -> Databases -> Servers -> Configure and add the following rule:
How will your users be accessing the DB, via a Web App (front end) or directly (I assume you won't give users direct access to your DB?), if its via a Web App (presentation layer) then all you need todo is grant access to this IP address of the presentation layer/service layer (and if hosted in Azure its beside it).
SQL DB Azure has two types of access restrictions (more info here) "Windows Azure SQL Database Firewall"
Server-level firewall rules:
Database-level firewall rules
You could either open up all IP address 0.0.0.0 - 255.255.255.255 (not very secure) or come up with more finer grained policies based on the above Database firewall rules.
The only way is to do it is via SQL query. Azure shows only Firewall Server rules to be visible only on the portal but on database level the only way is via SQL.
-- Enable Allconnections.
EXECUTE sp_set_database_firewall_rule N'Allow All', '0.0.0.0', '255.255.255.255';
Login to azure Portal
select your database subscription
click on Tools
Now there is option 'Open in VisualStudio' (click on it)
You can see "Configure Firewall" click on it.
Add you new IP.
Done :)
If you let them talk directly to your database (for example via SSMS) you need to enter their IP (or you can just whitelist the whole range). Usually they will use your database via your own API, then it's not needed to whitelist their IP addresses.
Related
I have a application running on a AKS Container and would like to use the Azure Cosmos DB for storage. How can i set this up?
I think i just need to specify the ip address from which the requests are originating on the k8s cluster so that the cosmosdb will allow access.
Should this traffic go over the internet or is it possible to set up a connection between the vnets?
To connect to CosmosDB easiest way is to just use SDK provided by Microsoft in your app. You just provide your app a connection string to your database, here is a simple quickstart example. You don't have to open any network traffic on CosmosDB side if you use default configuration, but of course if you wish you can lock access to only selected networks. So if your containers have internet access they can also access your database.
To address your second concern to not go over internet you can get more information here.
To allow access from existing virtual network using portal you need to go to the cosmosdb resource into firewall tab and add existing network, you should see something like this:
We have a sql server firewall setup with no IP access and "Allow Azure Services" flag also set to off.
I understand this means no azure services and no external clients will be able to access the sql server and database.
however, when i try Import Database option on sql server, with bacpac stored in azure storage, we get a strange error of an IP that needs to be given access in sql server firewall. The error reads.
Client with IP address 65.52.129.125 is not allowed to access the server.
While our azure infra is in West Europe, there is no mention of what this IP belongs to and what is the purpose of it.
The same error of course also occurs from Infra as a code approach and CI-CD Pipelines. and I think adding an IP without any information is risky.
Has anyone faced this before? or if anyone knows , what is azure database import using underneath for which this IP needs access and will it always be the same?
65.52.129.0 - 65.52.129.255 is an IP address range owned by Microsoft Corporation and located in Netherlands.
Please read the following explanation about why you should enable Azure Services access on the firewall at least while doing export/import operations. When you finish import/export operations, then disable Azure Services access.
"The IP address space used for outbound connections from the Import/Export Service infrastructure to the target logical server is not documented, and is subject to change at any time. Therefore, given that connections to the target Azure SQL Database server are gated by server firewall, the only fully reliable way to ensure that the Import/Export service will be able to connect is to enable the firewall rule that allows access from all Azure services (or, equivalently, from the 0.0.0.0 IP address). Obviously, opening the firewall to a large IP address space is a network security risk. Security conscious organizations will want to mitigate this risk by disabling this firewall rule as soon as the import operation completes successfully..."
Source is here.
I'm trying to manage firewall settings for my SQL Server database. But there is no firewall option in database settings. The goal of this operation is to allow my IP.
I have a free trial subscription.
The firewall settings are on the "SqlServer." When creating a new Azure SQL db instance a SQL server is also created.
Go to Browse>SQL Servers> pick the server that the database is on.
THe Settings on the SQL Server blade will have a Firewall option.
Hope that helps
Just posted this screengrab for a different (unrelated) question, but: You'll find the firewall settings on the Server blade for your given SQL Database:
Here, you'll be able to add your IP (or IP ranges).
Note that you can easily get to the server blade from your database blade, by clicking the linked server name:
If I create a VNet named mySiteToSitevNet and configure it for Site-To-Site connectivity. I create a Virtual Machine assign it to use mySiteToSiteVNet as its network. I Install SQL Server on it.
Do i get Public IP to connect to that SQL Server from my WebApp which does not have VNet associated to it?
If not, how do I make my WebApp connect to that SQL Server and use the database?
There are 2 options:
Since you already have a Sign to Site VPN then you can VPN in from your website's box to enable it to access the SQL and that's the most secure way.
If for some reason you don’t want to VPN in, first you need to figure out why you don’t want to do this. If there’s a really good reason to not VPN in, then continue with setting up direct Internet access to the SQL Server.
To open an endpoint browse to the VM in the Azure portal. Open the properties of the VM in the Azure Portal, then click the “All Settings” option. Then select “Endpoints”. It’ll look something like this.
If you see a “SQL Server” endpoint with 0 ACL Rules then the work is half done (shown above). If there are ACL rules then you should be finished unless you need to add more ACL Rules.
If there is no SQL Server endpoint click the “Add” button at the top of the Endpoints blade. Name the endpoint “SQL Server”, select the protocol TCP, then set the ports to 1433 (or whatever TCP ports you want to use, but 1433 is the default). Select to setup access rules for whoever needs access and block any subnets that don’t need access and then OK back to the VM’s properties.
At this point you can connect to the SQL Server instance through whichever method you’ve setup. If you are using either VPN option you can just connect to the Virtual Machine’s network name. If you are going through the public endpoint (again this is REALLY NOT recommended) you’ll need to connect to the machines full DNS name.
Any VM deployed in a Virtual network can also be exposed through public Internet, so the answer to your question is Yes, it can be given a instance lvel public IP address (https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/) or port behind the public load balancer (https://azure.microsoft.com/en-us/documentation/services/load-balancer/)
Is setting firewall rule for SQL Azure server on specific IP address (or range) is favored on setting the 0.0.0.0 firewall “Allow Microsoft Services access to this server” rule in term of security ?
As far as I know 0.0.0.0 allow all access from Azure local IPs (but of course to actually connect to the database the specific server name and login username/password will need to be offered).
Using 0.0.0.0 makes the configuration more easy since there is no need to track the role instances IPs in order to enable SQL Azure server connections but it does open some risks.
I would like to hear you opinion.
Thanks!
The 0.0.0.0 setting is used internally by Microsoft to allow their services to connect to your SQL instance. Of course, in theory your SQL database is open to any Windows Azure machine out there but it's not like the potential connection surface is the entire world.
Firstly,
Allowed Windows Azure Services - Will allow only azure services to access the database.
Secondly,
To be able to access the database server from any other endpoint, you need to add firewall rules to allow those specific IP ranges. If you want to connect from a machine with ip, 132.99.xx.xx you need to add a rule with start IP and end IP as 132.99.xx.xx
It is always a good practice to add the ranges which are necessary, to avoid any chances of attack
Hope this helps!