Configure Azure Firewall application rules with SQL FQDNs

You can now configure Azure Firewall application rules with SQL FQDNs. This allows you to limit access from your virtual networks to only the specified SQL server instances.

With SQL FQDNs, you can filter traffic:

  • From your VNets to an Azure SQL Database or Azure Synapse Analytics. For example: Only allow access to sql-server1.database.windows.net.
  • From on-premises to Azure SQL Managed Instances or SQL IaaS running in your VNets.
  • From spoke-to-spoke to Azure SQL Managed Instances or SQL IaaS running in your VNets.

SQL FQDN filtering is supported in proxy-mode only (port 1433). If you use SQL in the default redirect mode, you can filter access using the SQL service tag as part of network rules. If you use non-default ports for SQL IaaS traffic, you can configure those ports in the firewall application rules.

Configure using Azure CLI

  1. Deploy an Azure Firewall using Azure CLI.

  2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to Proxy. To learn how to switch SQL connectivity mode, see Azure SQL Connectivity Settings.

    Note

    SQL proxy mode can result in more latency compared to redirect. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL service tag in firewall network rules.

  3. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:

     az extension add -n azure-firewall
    
     az network firewall application-rule create \ 
     -g FWRG \
     --f azfirewall \ 
     --c sqlRuleCollection \
     --priority 1000 \
     --action Allow \
     --name sqlRule \
     --protocols mssql=1433 \
     --source-addresses 10.0.0.0/24 \
     --target-fqdns sql-serv1.database.windows.net
    

Configure using Azure PowerShell

  1. Deploy an Azure Firewall using Azure PowerShell.

  2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to Proxy. To learn how to switch SQL connectivity mode, see Azure SQL Connectivity Settings.

    Note

    SQL proxy mode can result in more latency compared to redirect. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL service tag in firewall network rules.

  3. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:

    $AzFw = Get-AzFirewall -Name "azfirewall" -ResourceGroupName "FWRG"
    
    $sqlRule = @{
       Name          = "sqlRule"
       Protocol      = "mssql:1433" 
       TargetFqdn    = "sql-serv1.database.windows.net"
       SourceAddress = "10.0.0.0/24"
    }
    
    $rule = New-AzFirewallApplicationRule @sqlRule
    
    $sqlRuleCollection = @{
       Name       = "sqlRuleCollection" 
       Priority   = 1000 
       Rule       = $rule
       ActionType = "Allow"
    }
    
    $ruleCollection = New-AzFirewallApplicationRuleCollection @sqlRuleCollection
    
    $Azfw.ApplicationRuleCollections.Add($ruleCollection)    
    Set-AzFirewall -AzureFirewall $AzFw    
    

Configure using the Azure portal

  1. Deploy an Azure Firewall using Azure CLI.

  2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to Proxy. To learn how to switch SQL connectivity mode, see Azure SQL Connectivity Settings.

    Note

    SQL proxy mode can result in more latency compared to redirect. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL service tag in firewall network rules.

  3. Add the application rule with the appropriate protocol, port, and SQL FQDN and then select Save. application rule with SQL FQDN

  4. Access SQL from a virtual machine in a VNet that filters the traffic through the firewall.

  5. Validate that Azure Firewall logs show the traffic is allowed.

Next steps

To learn about SQL proxy and redirect modes, see Azure SQL Database connectivity architecture.