How to enable Outbound firewall rules for Azure SQL Databases
Published Jan 28 2022 04:25 PM 3,989 Views
Microsoft

Today i have come across a very interested feature currently in preview "Outbound firewall rule for Azure SQL Databases". It basically helps us in limiting network traffic from the Azure SQL logical server to a customer defined list of Azure Storage accounts and Azure SQL logical servers. If we try to make an attempt to access storage accounts or SQL Databases not in this list, will be denied. Now, lets see how we can enable this.

 

How to enable?

 

a) Inside Firewalls and virtual networks for your Azure SQL Database and select Configure outbound networking restrictions.

sakshigupta_1-1643267617073.png

 

 

sakshigupta_2-1643267677984.png

 

b) Once this is enabled, if we try to export the database to any storage account, it would fail with following error.

sakshigupta_3-1643267795037.png

 

c) Now lets add the storage account by clicking in add domain.

sakshigupta_4-1643267895770.png

sakshigupta_5-1643267969553.png

d) Once the storage account is added, we can export the database again by selecting the same storage account and it should be successful this time.

 

sakshigupta_6-1643268415472.png

e) Once done, export should be successful.

 

sakshigupta_7-1643268489582.png

 

We can perform all the task by running the below powershell.


#For Powershell, execute the following command to enable restrictOutboundNetworkAccess property on the SQL server:


Set-AzSqlServer -ServerName <server_name> -ResourceGroupName <resource_group> -RestrictOutboundNetworkAccess "Enabled"  #where<server_name> = name of the SQL server<resource_group> = name of the resource group


#Check the current list of Outbound Firewall Rules on the SQL server:


Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group> #<server_name> = name of the SQL server<resource_group> = name of the resource group

 

#Export database again to both of the storage accounts


#Add a new Outbound Firewall Rule on the server using the command:


New-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group> -AllowedFQDN <sa_name>.blob.core.windows.net

where<resource_group> = Resource Group hosting the SQL server #<server_name> = name of the SQL server

#<sa_name> = Storage Account Name

 

#List the OFRs on the server using the following command:


Get-AzSqlServerOutboundFirewallRule -ServerName <server_name> -ResourceGroupName <resource_group>

 

#Export database to storage account auditallowstorage. This should be successful.

 

Reference Article:- https://docs.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview

 

 

 

 

 

 

 

1 Comment
Co-Authors
Version history
Last update:
‎Jan 26 2022 11:34 PM
Updated by: