Check the current OFR configuration of the SQL Server using a GET request on
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}?api-version=2021-02-01-preview
where
{{subId}} = Subscription ID
{{sqlRg}} = Resource Group hosting the SQL server
{{sqlServer}} = name of the SQL server
It should show that the restrictOutboundNetworkAccess is disabled.
- auditallowstorage
- auditdenystorage
Export database to both storage accounts. The export should be successful for both accounts.
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}?api-version=2021-02-01-preview
with JSON body as
{ "properties" :
{"restrictOutboundNetworkAccess": "Enabled"},
"location": "<sql_server_region>"
}
where
{{subId}} = Subscription ID
{{sqlRg}} = Resource Group hosting the SQL server
{{sqlServer}} = name of the SQL server
<sql_server_region> = region where the SQL server is hosted
Expected result: API request is successful and returns a 202 Accepted code.
Verify that the restrictOutboundNetworkAccess property is now set to Enabled by issuing a GET request on
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}/outboundfirewallrules?api-version=2021-02-01-preview
Get-AzSqlServerOutboundFirewallRule -ServerName <sql_server_name> -ResourceGroupName <resource_group_name>
where
<resource_group_name> = Resource Group hosting the SQL server
<sql_server_name> = name of the SQL server
Expected result: Command executes successfully and shows that no outbound firewall rules exist.
Create OFR only for storage account auditallowstorage using this PUT request:
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}/outboundfirewallrules/{{saName}}.blob.core.windows.net?api-version=2021-02-01-preview
where
{{subId}} = Subscription ID
{{sqlRg}} = Resource Group hosting the SQL server
{{sqlServer}} = name of the SQL server
{{saName}} = Storage Account name for which OFR is created. In this case, it is auditallowstorage
Expected result: The API request executes successfully and returns a 202 Accepted code.
Verify that the OFR was successfully created for the storage account using this PowerShell command:
Get-AzSqlServerOutboundFirewallRule -ServerName <sql_server_name> -ResourceGroupName <resource_group_name>
where
<resource_group_name> = Resource Group hosting the SQL server
<sql_server_name> = name of the SQL server
It should show the list of allowed FQDNs (Fully Qualified Domain Names). In this case, it is auditallowstorage.
Expected result: The command gets executed successfully and shows the FQDN of the allowed storage account.
Export database to storage account auditallowstorage. This should be successful.
Expected result: DB successfully exported to storage account auditallowstorage.
Export database to storage account auditdenystorage. This should still fail.
Expected result: DB export to auditdenystorage should still fail with the error message: The operation was not allowed because of the outbound firewall rule configuration for "<storage account FQDN>"
Execute the following PowerShell command:
Remove-AzSqlServerOutboundFirewallRule -ServerName <sql_server_name> -ResourceGroupName <resource_group_name> -AllowedFQDN <sa_name>.blob.core.windows.net
where
<resource_group_name> = Resource Group hosting the SQL server
<sql_server_name> = name of the SQL server
<sa_name> = Storage Account Name
Expected result: Command should execute successfully and list the FQDN for which the OFR was removed.
1. Issue the following PUT request using SQL API
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}?api-version=2021-02-01-preview
with JSON body as
{ "properties" :
{"restrictOutboundNetworkAccess": "Disabled"},
"location": "<sql_server_region>"
}
where
{{subId}} = Subscription ID
{{sqlRg}} = Resource Group hosting the SQL server
{{sqlServer}} = name of the SQL server
<sql_server_region> = region where the SQL server is hosted
Expected result: The API request executes successfully and returns a 202 Accepted code.
2. Verify that the restrictOutboundNetworkAccess property is disabled on the SQL server by issuing the following GET request on
https://management.azure.com/subscriptions/{{subId}}/resourceGroups/{{sqlRg}}/providers/Microsoft.Sql/servers/{{sqlServer}}?api-version=2021-02-01-preview
where
{{subId}} = Subscription ID
{{sqlRg}} = Resource Group hosting the SQL server
{{sqlServer}} = name of the SQL server
Expected result: The API request executes successfully, returns a 200 OK code and the restrictOutboundNetworkAccess property is disabled.
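The verification steps above compare two GET responses by eye: the server resource (restrictOutboundNetworkAccess) and the outboundfirewallrules list. As an added example, not part of the original procedure, the Python below automates that comparison against the FQDNs that are supposed to be allowed. The function names and the sample response bodies are constructed for illustration, and it assumes the server response carries a properties object as in the PUT body above and that the rules list is returned as a value array whose rule names are the allowed FQDNs, as in the PUT URL above.

```python
import json

API_VERSION = "2021-02-01-preview"  # api-version used in the requests above

def server_url(sub_id, rg, server, suffix=""):
    """Build the management URL for the server, or a child resource via suffix."""
    return (f"https://management.azure.com/subscriptions/{sub_id}"
            f"/resourceGroups/{rg}/providers/Microsoft.Sql/servers/{server}"
            f"{suffix}?api-version={API_VERSION}")

def audit_ofr(server_body, rules_body, expected_fqdns):
    """Return findings from the two GET response bodies; an empty list means no drift."""
    props = json.loads(server_body).get("properties", {})
    rules = json.loads(rules_body).get("value", [])
    # A rule's name is the allowed FQDN (see the PUT URL above); DNS names are
    # case-insensitive, so normalise before comparing.
    actual = {r["name"].lower() for r in rules}
    expected = {f.lower() for f in expected_fqdns}
    findings = []
    if props.get("restrictOutboundNetworkAccess") != "Enabled":
        findings.append("restrictOutboundNetworkAccess is not Enabled")
    findings += [f"unexpected outbound rule: {f}" for f in sorted(actual - expected)]
    findings += [f"missing outbound rule: {f}" for f in sorted(expected - actual)]
    return findings

# Constructed sample response bodies (assumed shape, not captured from a real tenant).
SERVER_ENABLED = '{"location": "westeurope", "properties": {"restrictOutboundNetworkAccess": "Enabled"}}'
SERVER_DISABLED = '{"location": "westeurope", "properties": {"restrictOutboundNetworkAccess": "Disabled"}}'
RULES_ALLOW_ONLY = '{"value": [{"name": "auditallowstorage.blob.core.windows.net"}]}'
RULES_BOTH = ('{"value": [{"name": "auditallowstorage.blob.core.windows.net"},'
              ' {"name": "AuditDenyStorage.blob.core.windows.net"}]}')
ALLOWED = ["auditallowstorage.blob.core.windows.net"]

if __name__ == "__main__":
    print(server_url("<subId>", "<sqlRg>", "<sqlServer>", "/outboundfirewallrules"))
    for label, srv, rules in [("expected state", SERVER_ENABLED, RULES_ALLOW_ONLY),
                              ("extra rule", SERVER_ENABLED, RULES_BOTH),
                              ("restriction off", SERVER_DISABLED, RULES_ALLOW_ONLY)]:
        print(label, "->", audit_ofr(srv, rules, ALLOWED) or "no findings")
```

An unexpected rule is the finding that matters most for this control, since each allowed FQDN is a destination the server can export data to.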