To help protect your data, the Windows Azure SQL Database firewall prevents all access to your
SQL Database server until you specify which computers have permission. The firewall
grants access based on the originating IP address of each request. The SQL Database
firewall can be managed via Windows Azure Platform Management Portal or directly
in the master database with the provided stored procedures. Besides configuring
SQL Database’s server-side firewall, you must also configure your client-side
firewall to allow the outbound ports used to reach SQL Database.
The following diagram illustrates the SQL Database access:
In the diagram:
Use Windows Azure Platform Management Portal to configure
the SQL Database firewall settings to allow connections from your computer(s) and
/or Windows Azure services.
To configure SQL Database firewall using Windows Azure Platform Management
Note: every firewall rule must have a unique name and are not case
Note: it can take as much as five minutes for a new SQL Database firewall
configuration to take effect.
For more information on configuring SQL Database firewall, see How to Configure SQL Database Firewall at
You can create and update firewall rules using the SQL Database Management API. For more information and samples, see Creating Firewall Rules for Servers.
SQL Database allows you to change the server-side firewall rules by executing
Transact-SQL on the master database with a connection to SQL Database. Only the
server-level principal login, while connected to the master database, can
configure firewall settings for your SQL Database Server.
Here are the system extended stored procedures:
Here are some samples:
--create a firewall rule for a single IP address
exec sp_set_firewall_rule N'DevComputer','188.8.131.52','184.108.40.206'
--create a firewall rule for Microsoft services and Windows Azure services
exec sp_set_firewall_rule N'MicrosoftServices','0.0.0.0','0.0.0.0'
--delete a firewall rule
exec sp_delete_firewall_rule N'DevComputer'
--get a list of the firewall rules
select * from sys.firewall_rules
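To make the rule semantics behind these samples concrete, here is an added Python model of how the IP firewall decides whether to admit a connection. It is example code written for this page, not Microsoft's implementation. It mirrors documented behaviour (rules are inclusive IP ranges; database-level rules, which the end of this page mentions, are checked before server-level rules; the 0.0.0.0–0.0.0.0 rule admits any connection that originates inside Azure, including other customers' resources) and goes beyond the samples by also validating a rule before it is created. The rule names and addresses below are constructed samples, and the `from_azure` flag stands in for the origin check the service performs.

```python
"""Model of how the Azure SQL Database IP firewall admits or refuses a
connection. Added example for this page; not Microsoft code. Rule data are
constructed samples drawn from RFC 5737 documentation address blocks."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AZURE_SERVICES_SENTINEL = IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class FirewallRule:
    name: str
    start_ip: IPv4Address
    end_ip: IPv4Address

    def __post_init__(self) -> None:
        # Refuse a range whose start lies above its end: such a rule can
        # never match and would silently lock the intended client out.
        if self.start_ip > self.end_ip:
            raise ValueError(f"{self.name}: start {self.start_ip} is above end {self.end_ip}")

    @property
    def allows_azure_services(self) -> bool:
        # The 0.0.0.0-0.0.0.0 rule (the page's 'MicrosoftServices' sample).
        return self.start_ip == self.end_ip == AZURE_SERVICES_SENTINEL

    def matches(self, client_ip: IPv4Address, from_azure: bool) -> bool:
        if self.allows_azure_services:
            # Admits traffic from ANY Azure-hosted address, including other
            # tenants' resources, so treat it as a broad allow, not "Microsoft only".
            return from_azure
        return self.start_ip <= client_ip <= self.end_ip


def make_rule(name: str, start: str, end: str) -> FirewallRule:
    return FirewallRule(name, IPv4Address(start), IPv4Address(end))


def check_rule(name: str, start: str, end: str) -> Optional[str]:
    """Return an error message for a rule that would be rejected, else None."""
    try:
        make_rule(name, start, end)
    except ValueError as exc:          # covers bad addresses and reversed ranges
        return str(exc)
    return None


def is_connection_allowed(client_ip: str,
                          database_rules: List[FirewallRule],
                          server_rules: List[FirewallRule],
                          from_azure: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (allowed, 'scope:rule name' of the first match, or None).
    Database-level rules win; server-level rules apply only if none match."""
    ip = IPv4Address(client_ip)
    for scope, rules in (("database", database_rules), ("server", server_rules)):
        for rule in rules:
            if rule.matches(ip, from_azure):
                return True, f"{scope}:{rule.name}"
    return False, None   # no rule matched: the firewall refuses the connection


# Constructed sample rule sets (documentation ranges, not real hosts).
SERVER_RULES = [
    make_rule("DevComputer", "203.0.113.10", "203.0.113.10"),  # one workstation
    make_rule("OfficeNAT", "198.51.100.0", "198.51.100.255"),  # office egress block
]
DATABASE_RULES = [
    make_rule("ReportingApp", "192.0.2.40", "192.0.2.47"),     # eight app hosts
]
AZURE_SERVICES_RULE = make_rule("MicrosoftServices", "0.0.0.0", "0.0.0.0")

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.41", "192.0.2.99"):
        print(ip, is_connection_allowed(ip, DATABASE_RULES, SERVER_RULES))
    print(check_rule("Backwards", "203.0.113.20", "203.0.113.10"))
```

Running the module prints the decision for each sample address; the last line shows why a reversed range is refused up front rather than left as a rule that matches nothing. When reviewing a server's `sys.firewall_rules` output, a 0.0.0.0 rule deserves the same scrutiny the model gives it: it is a broad allow for all of Azure, not an allowance for Microsoft alone.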
Network firewalls and other security devices may prevent
computers on customer networks from establishing outbound connections to SQL
Azure. Customers must configure their environment to allow outbound TCP
connections to port TCP/1433 to enable applications and tools to connect to
Some networks allow all return traffic for any connection
initiated internally, but other, more restrictive networks also limit return
traffic with explicit access control lists. Customers may also need to explicitly
allow return traffic from SQL Database IPs back into their network, depending on
how strict their policies are. In other words, if a customer allows
outbound TCP/1433 traffic to SQL Database IPs, they must also allow the return
traffic coming from SQL Database IPs (source port TCP/1433) back into their
It may be more convenient for customers to allow TCP/1433 connections to the
range of Microsoft’s public network addresses instead of a specific SQL Database
location. This will allow for greater flexibility; as SQL Database adds more
locations, the need to revisit customer access control lists will be reduced.
For example, the Tabular Data Stream (TDS) protocol endpoint for the SQL Database North Central
US data center is data.ch1-1.database.windows.net, with an IP address of
220.127.116.11. Performing a lookup of http://ws.arin.net/whois/?queryinput=18.104.22.168 reveals
that Microsoft’s entire scope for this IP is 22.214.171.124/16.
The following is an example ACL setting to allow connections
to the entire range of possible IP addresses for Microsoft SQL Database Service.
Inbound ACL (outgoing traffic): permit tcp any gt 1023 host <SQL Database IP> 1433
Outbound ACL (return traffic): permit tcp host <SQL Database IP> 1433 any gt 1023 established
The “established” keyword on the outbound (return-traffic) ACL, as in the example
above, admits return traffic into the customer site only for connections that were
established from within the customer site. In other words, traffic is not allowed
unless the connection was initiated inside the customer site.
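The following added Python example evaluates the two ACL entries quoted above so that the effect of “established” can be seen on concrete packets. It is example code written for this page, not from the original text or any vendor: the entries use the Cisco-style extended ACL syntax the page uses and are parsed by a small matcher here, and “established” matches only TCP segments carrying the ACK or RST flag, so the reply to a session opened from the customer site is admitted while a fresh SYN arriving from the same SQL Database address is refused. The SQL Database address and the client address are constructed placeholders for `<SQL Database IP>` and a workstation inside the customer site.

```python
"""Evaluator for the page's two ACL entries. Added example, not vendor code.
'established' admits only segments with ACK or RST set, which is how the
return-traffic entry lets replies in without permitting new inbound sessions."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PortSpec = Optional[Tuple[str, int]]   # ("eq", 1433), ("gt", 1023) or None = any port


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str]   # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: Optional[str]          # host address, None = any
    sport: PortSpec
    dst: Optional[str]
    dport: PortSpec
    established: bool = False   # only ACK/RST segments, i.e. never a bare SYN

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if not (_port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)):
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _parse_port(tokens: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i].isdigit():
        return ("eq", int(tokens[i])), i + 1   # bare port, as written on the page
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny tcp <src> [port] <dst> [port] [established]'."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny") or tokens[1] != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(tokens[0], src, sport, dst, dport, "established" in tokens[i:])


def evaluate(acl: List[Ace], packet: Packet) -> str:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"


SQL_DB_IP = "203.0.113.99"   # constructed placeholder for <SQL Database IP>
CLIENT_IP = "10.20.30.40"    # constructed workstation inside the customer site

# The two entries from the page, with the placeholder substituted.
OUTGOING_ACL = [parse_ace(f"permit tcp any gt 1023 host {SQL_DB_IP} 1433")]
RETURN_ACL = [parse_ace(f"permit tcp host {SQL_DB_IP} 1433 any gt 1023 established")]


def outbound_syn() -> str:            # client opens a TDS session
    return evaluate(OUTGOING_ACL, Packet(CLIENT_IP, 51000, SQL_DB_IP, 1433, {"SYN"}))

def return_synack() -> str:           # the server's reply to that session
    return evaluate(RETURN_ACL, Packet(SQL_DB_IP, 1433, CLIENT_IP, 51000, {"SYN", "ACK"}))

def inbound_new_connection() -> str:  # a bare SYN from the SQL address: no session was opened here
    return evaluate(RETURN_ACL, Packet(SQL_DB_IP, 1433, CLIENT_IP, 51000, {"SYN"}))

def outbound_wrong_port() -> str:     # non-TDS traffic to the same host
    return evaluate(OUTGOING_ACL, Packet(CLIENT_IP, 51000, SQL_DB_IP, 80, {"SYN"}))

if __name__ == "__main__":
    print(outbound_syn(), return_synack(), inbound_new_connection(), outbound_wrong_port())
```

Running the module prints `permit permit deny deny`: the session the client opens and its reply both pass, while a new connection attempt from the SQL Database address and a non-1433 outbound connection are both refused. The `gt 1023` source-port test on the return entry is what keeps replies from landing on well-known ports inside the site.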
Important: Inbound connections are not required or
Proxy servers may need to be adjusted to allow the outbound
TDS protocol over port 1433. Client-side proxy software such as Microsoft ISA
client may be needed to allow client computers to use proxy servers for outbound
Optional: If you have on-premises SQL Servers that need to
communicate with SQL Database for data
synchronization or other reasons, you must ensure that
your servers have internet-routable IP addresses.
You can now configure firewall rules at the database level as well as the server level. For more information, see msdn.microsoft.com/.../ee621782.aspx.