To help protect your data, the Windows Azure SQL Database firewall prevents all access to your SQL Database server until you specify which computers have permission. The firewall
grants access based on the originating IP address of each request. The SQL Database
firewall can be managed via Windows Azure Platform Management Portal or directly in the master database with the provided stored procedures. Besides having access to SQL Database’s server-side firewall, you must also configure your client
side firewall to have outbound ports to access SQL Database.
The following diagram illustrates the SQL Database access:
In the diagram:
Use Windows Azure Platform Management Portal to configure the SQL Database firewall settings to allow connections from your computer(s) and
/or Windows Azure services.
To configure SQL Database firewall using Windows Azure Platform Management
Note: Every firewall rule must have a unique name. The name is not case sensitive.
Note: It can take as much as five minutes before a new SQL Database firewall
configuration will take effect.
For more information on configuring SQL Database firewall, see How to Configure SQL Database Firewall at
You can create and update firewall rules using the SQL Database Management API. For more information and samples, see
Creating Firewall Rules for Servers.
SQL Database allows you to change the server-side firewall rules by executing
Transact-SQL on the master database with a connection to SQL Database. Only the
server-level principal login, while connected to the master database, can
configure firewall settings for your SQL Database Server.
Here are the system extended stored procedures:
Here are some samples:
--create a firewall rule for a single IP address
exec sp_set_firewall_rule N'DevComputer','188.8.131.52','184.108.40.206'
--create a firewall rule for Microsoft services and Windows Azure services
exec sp_set_firewall_rule N'MicrosoftServices','0.0.0.0','0.0.0.0'
--delete a firewall rule
exec sp_delete_firewall_rule N'DevComputer'
--get a list of the firewall rules
select * from sys.firewall_rules
Network firewall and other security devices may prevent computers on the customer networks from establishing outbound connection to SQL Azure. Customers must configure their environment to allow outbound TCP connections over port TCP/1433 to enable applications
and tools to connect to SQL Database.
Some networks allow all return traffic for any connection initiated internally, but other more restrictive networks also restrict return traffic to explicit access control lists. Customers may also need to explicitly allow return traffic from SQL Database
IPs back into their network, depending on
how strict their policies are. In other words, if a customer allows
outbound TCP/1433 traffic to SQL Database IPs, they also need to allow the return
traffic coming from SQL Database IPs (source port of TCP/1433) back into their
It may be more convenient for customers to allow TCP/1433 connections to the range of Microsoft’s public network addresses instead of a specific SQL Database
location. This will allow for greater flexibility; as SQL Database adds more
locations, the need to revisit customer access control lists will be reduced.
For example, the tabular Data Stream (TDS) protocol endpoint for the SQL Database North Central
US data center is data.ch1-1.database.windows.net, with an IP address of
220.127.116.11. Performing a lookup of
http://ws.arin.net/whois/?queryinput=18.104.22.168 reveals Microsoft’s entire scope for this IP is 22.214.171.124/16.
The following is an example ACL setting to allow connections to the entire range of possible IP addresses for Microsoft SQL Database Service.
Inbound ACL (outgoing traffic): permit tcp any gt 1023 host <SQL Database IP> 1433
Outbound ACL (return traffic): permit tcp host <SQL Database IP> 1433 any gt 1023 established
The use of the “established” tag for outbound ACLs, such as in the examples below, will return traffic for customer sites to connections established within the customer site. In other words, traffic will not be allowed unless the connections are initiated
within the customer site.
Important: Inbound connections are not required or recommended.
Proxy servers may need to be adjusted to allow the outbound TDS protocol over port 1433. Client-side proxy software such as Microsoft ISA client may be needed to allow client computers to use proxy servers for outbound connections.
Optional: If you have on-premises SQL Servers that need to communicate with SQL Database for
data synchronization or other reasons you must ensure that your servers have an internet routable IPs.