Azure Database Support Blog

How to enable Outbound firewall rules for Azure SQL Databases

sakshigupta
Microsoft
Jan 28, 2022

Today I came across a very interesting feature, currently in preview: "Outbound firewall rule for Azure SQL Databases". It limits network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers. Any attempt to access a storage account or SQL database that is not on this list is denied. Now, let's see how we can enable it.

 

How to enable?

 

a) Go to Firewalls and virtual networks for your Azure SQL Database and select Configure outbound networking restrictions.

 

 

 

b) Once this is enabled, if we try to export the database to any storage account, it fails with the following error.

 

c) Now let's add the storage account by clicking Add domain.

d) Once the storage account is added, we can export the database again by selecting the same storage account and it should be successful this time.

 

e) Once done, export should be successful.

 

 

We can perform all of these tasks by running the PowerShell commands below.


#For PowerShell, execute the following command to enable the restrictOutboundNetworkAccess property on the SQL server:


Set-AzSqlServer -ServerName <server_name> -ResourceGroupName <resource_group> -RestrictOutboundNetworkAccess "Enabled"
#where <server_name> = name of the SQL server
#<resource_group> = name of the resource group


#Check the current list of Outbound Firewall Rules on the SQL server:


Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group>
#<server_name> = name of the SQL server
#<resource_group> = name of the resource group

 

#Export database again to both of the storage accounts


#Add a new Outbound Firewall Rule on the server using the command:


New-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group> -AllowedFQDN <sa_name>.blob.core.windows.net

#where <resource_group> = Resource Group hosting the SQL server
#<server_name> = name of the SQL server
#<sa_name> = Storage Account Name

 

#List the OFRs on the server using the following command:


Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group>

 

#Export database to storage account auditallowstorage. This should be successful.
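The steps above combined into one repeatable check, as an added example that is not part of the original post: it turns the restriction on if needed, adds any approved FQDN that is missing, and lists existing rules that are not on the approved list so they can be reviewed. The variable names and the approved list are placeholders, and the output property names (RestrictOutboundNetworkAccess, AllowedFQDN) are assumed to mirror the cmdlet parameters.

```powershell
# Added example: reconcile outbound firewall rules with an approved list.
# Placeholder values (assumptions); replace them before running.
$ResourceGroup = '<resource_group>'
$ServerName    = '<server_name>'
$ApprovedFqdns = @('<sa_name>.blob.core.windows.net')

$target = @{ ResourceGroupName = $ResourceGroup; ServerName = $ServerName }

# 1. Enable the restriction only if it is not already on.
#    Property name on the returned server object is assumed.
$server = Get-AzSqlServer @target
if ($server.RestrictOutboundNetworkAccess -ne 'Enabled') {
    Set-AzSqlServer @target -RestrictOutboundNetworkAccess 'Enabled' | Out-Null
}

# 2. Read the rules currently on the server, normalised to lower case
#    so the comparison is not case-sensitive.
$current = @(Get-AzSqlServerOutboundFirewallRule @target |
    ForEach-Object { $_.AllowedFQDN.ToLowerInvariant() })
$approved = @($ApprovedFqdns | ForEach-Object { $_.ToLowerInvariant() })

# 3. Add approved destinations that are missing.
$missing = @($approved | Where-Object { $_ -notin $current })
foreach ($fqdn in $missing) {
    New-AzSqlServerOutboundFirewallRule @target -AllowedFQDN $fqdn | Out-Null
}

# 4. Report rules that nobody approved. They are listed, not removed,
#    so that a reviewer decides whether each one is legitimate.
$unexpected = @($current | Where-Object { $_ -notin $approved })

[pscustomobject]@{
    Server     = $ServerName
    Added      = $missing
    Unexpected = $unexpected
}
```

A non-empty Unexpected list means the server can still reach a destination that is not on the approved list.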

 

Reference article: https://docs.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview

Updated Jan 27, 2022
Version 1.0
  • krishnapranavpk
    Copper Contributor

    Hello, are the outbound restrictions only applicable to restrict communication to Azure Storage accounts and Azure SQL logical servers, or can we restrict other hosted web applications, etc.?