Azure Database Support Blog
Lesson Learned #285: Why can I still telnet to port 1433?

Jose_Manuel_Jurado
Jan 15, 2023

Some days ago, we received a question from a customer who has firewall rules that allow access only from selected networks on their Azure SQL server. They found that telnet could still connect to servername.database.windows.net on port 1433 from other locations that are not allowed in their firewall. I would like to explain why.

Basically, it is explained in the documentation on Azure SQL Database gateway IP addresses. An Azure SQL Database server is an abstraction, a logical container that defines a grouping of databases. It does not represent a SQL Server instance listening on a public address, and it represents a single connection endpoint for all the databases.

For example, if you ping a server's FQDN, like servername.database.windows.net, you get the public gateway IP. If you ping any other SQL DB server in the same region, you would get one of the other possible IPs for the gateway in that Azure region.

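These IPs are shared by all the SQL DB servers in the same region. It's a gateway that receives all incoming connections and redirects them to the SQL instance running the requested database in the right database cluster. That is why telnet to port 1433 succeeds from any location: it only opens a TCP connection to the shared gateway, and the server's firewall rules are applied when a login to a specific server is attempted.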
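The gateway behaviour described above can be reproduced locally with a toy model. This is an added example, not code from the original post or from Azure: the server names, the addresses, and the one-line `LOGIN` message (standing in for the real TDS login) are constructed for illustration.

```python
import socket
import socketserver
import threading

# Constructed per-server allow lists; names and addresses are made up.
FIREWALL = {
    "open-srv": {"127.0.0.1"},       # this client's address is allowed
    "locked-srv": {"203.0.113.10"},  # only some other address is allowed
}

class Gateway(socketserver.StreamRequestHandler):
    """Toy shared gateway: accepts every TCP connection, decides at login."""
    def handle(self):
        # The TCP handshake has already completed here; the rule to apply
        # is unknown until the client names the logical server it wants.
        line = self.rfile.readline().decode().strip()
        if not line:
            return  # telnet-style probe: connected, then sent nothing
        server = line.partition(" ")[2]
        client_ip = self.client_address[0]
        if client_ip in FIREWALL.get(server, set()):
            self.wfile.write(b"OK\n")
        else:
            self.wfile.write(f"DENIED {client_ip} not allowed on {server}\n".encode())

def start_gateway():
    """Start the toy gateway on an ephemeral localhost port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Gateway)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def tcp_probe(port):
    """What telnet checks: can a TCP connection be opened at all?"""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            return True
    except OSError:
        return False

def login(port, server):
    """What the firewall rule governs: a login naming one logical server."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s, s.makefile() as f:
        s.sendall(f"LOGIN {server}\n".encode())
        return f.readline().strip()

if __name__ == "__main__":
    gw = start_gateway()
    port = gw.server_address[1]
    print("tcp probe:", tcp_probe(port), {n: login(port, n) for n in FIREWALL})
```

The probe succeeds regardless of which logical server the client is after, while the login result differs per server, so a check of whether a firewall rule is effective has to attempt a login rather than only open the port.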

 

Enjoy!

Published Jan 15, 2023
Version 1.0
  • henrytsang
    Copper Contributor

    Thanks for the above explanation. Do you know if this is a recent change in Azure? I could have sworn that I used to use the Telnet technique to check if the Azure resource "Public Network Access" is disabled. In the past, I thought once private endpoint is enabled, no more Public Access is allowed, including testing using Telnet. It seems Azure now changed the behaviour of Private Link by allowing both private endpoint and public access enabled (or combination).