Azure SQL Auditing to a storage account destination behind a Virtual Network or a Firewall

Published May 13 2020 10:57 AM 2,911 Views

We are pleased to announce that Auditing for Azure SQL Database and Azure Synapse Analytics supports writing database events to an Azure Storage account behind a virtual network and firewall.

We have been listening to customers around the need to store Azure SQL audit log in a secure location, and we are excited to announce that writing database events via Azure SQL Audit to a Storage Account destination behind VNET and Firewall is now generally available. This newly supported capability is delivered to you seamlessly and doesn’t require additional configurations and setting, keeping Auditing deployment simple and easy.

To save audit logs to a Storage Account that is behind a VNet of Firewall:


  1. Open your Azure SQL Server or Azure SQL Database, and select Auditing under Security:



2. Click on Storage details and select the storage account behind a VNet or Firewall you want to send the SQL logs. When selecting the Storage Account, ensure you see the message:


You have selected a storage account that is behind a firewall or in a virtual network. Using this storage account will enable the setting 'Allow trusted Microsoft services to access this storage account' and will create a server managed identity with the 'storage blob data contributor' RBAC-role assigned. Click here for more information.





3. Select OK and wait for the confirmation on your Azure notifications.


To learn more, visit Azure SQL Auditing and Write audit to a storage account behind VNet and firewall.

Version history
Last update:
‎Nov 09 2020 09:40 AM
Updated by: