Today I came across a very interesting feature, currently in preview: "Outbound firewall rule for Azure SQL Databases". It limits network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers. Any attempt to access storage accounts or SQL databases that are not in this list is denied. Now, let's see how we can enable this.
How to enable?
a) Go to Firewalls and virtual networks for your Azure SQL Database and select Configure outbound networking restrictions.
b) Once this is enabled, if we try to export the database to any storage account, it fails with the following error.
c) Now let's add the storage account by clicking Add domain.
d) Once the storage account is added, we can export the database again by selecting the same storage account and it should be successful this time.
e) Once done, export should be successful.
We can perform all of these tasks by running the PowerShell below.
#For PowerShell, execute the following command to enable the restrictOutboundNetworkAccess property on the SQL server:
#<server_name> = name of the SQL server
#<resource_group> = name of the resource group
Set-AzSqlServer -ServerName <server_name> -ResourceGroupName <resource_group> -RestrictOutboundNetworkAccess "Enabled"
#Check the current list of Outbound Firewall Rules on the SQL server:
#<server_name> = name of the SQL server
#<resource_group> = name of the resource group
Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group>
#Export database again to both of the storage accounts
#Add a new Outbound Firewall Rule on the server using the command:
New-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group> -AllowedFQDN <sa_name>.blob.core.windows.net
#<resource_group> = Resource Group hosting the SQL server
#<server_name> = name of the SQL server
#<sa_name> = Storage Account Name
#List the OFRs on the server using the following command:
Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group>
#Export database to storage account auditallowstorage. This should be successful.
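Once the rules are in place, it helps to check them periodically against the list of destinations you actually approved. The following is an added example, not part of the original post or of Microsoft's documentation: the function name Compare-OutboundAllowList and the storage account name scratchexports are hypothetical, and the AllowedFQDN and RestrictOutboundNetworkAccess property names on the returned objects are assumptions.

```powershell
# Added example: compare the server's outbound rules with an approved list.
function Compare-OutboundAllowList {
    param(
        [string[]]$Current  = @(),   # FQDNs currently allowed on the server
        [string[]]$Approved = @()    # FQDNs that have been approved
    )
    # Normalize so case differences and a trailing dot do not show up as drift.
    $normalize = { param($fqdn) $fqdn.Trim().TrimEnd('.').ToLowerInvariant() }
    $cur = @($Current  | Where-Object { $_ } | ForEach-Object { & $normalize $_ } | Sort-Object -Unique)
    $app = @($Approved | Where-Object { $_ } | ForEach-Object { & $normalize $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        # Approved but not configured: exports to these destinations will be denied.
        Missing    = @($app | Where-Object { $_ -notin $cur })
        # Configured but not approved: review, then remove if not needed.
        Unexpected = @($cur | Where-Object { $_ -notin $app })
    }
}

# Constructed sample input so the check can be tried without an Azure session.
$approved = @('auditallowstorage.blob.core.windows.net')
$current  = @('AuditAllowStorage.blob.core.windows.net.',
              'scratchexports.blob.core.windows.net')

$drift = Compare-OutboundAllowList -Current $current -Approved $approved
$drift.Missing    | ForEach-Object { Write-Output "MISSING    $_" }
$drift.Unexpected | ForEach-Object { Write-Output "UNEXPECTED $_" }

# Against a live server (assumes the Az.Sql module and a signed-in session;
# the property names below are assumptions about the returned objects):
# $server = Get-AzSqlServer -ServerName '<server_name>' -ResourceGroupName '<resource_group>'
# if ($server.RestrictOutboundNetworkAccess -ne 'Enabled') {
#     Write-Warning 'Outbound restrictions are not enabled; the rule list is not enforced.'
# }
# $current = @(Get-AzSqlServerOutboundFirewallRule -ServerName '<server_name>' `
#                -ResourceGroupName '<resource_group>').AllowedFQDN
```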
Reference article: https://docs.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview