Q. What are my options for limiting access to my Azure SQL Database instance?

A. Azure SQL Database instances have their own firewall that enables you to configure who can access the Internet facing endpoint (note that if you access from another Azure resource the actual connection stays on the Azure backbone). There are two types of configuration for the firewall:

  • IPs accessing the service from the Internet
  • All Azure services (i.e. any service that runs on the Azure fabric from any tenant)

For example you may not want any public IP access and instead only enable access from the Azure services.

If you wanted to further lock down so that access is only allowed from a certain virtual network for example then this would be possible with the following approach:

If you implemented a virtual appliance as the edge for the virtual network then configured User Defined Routes so all Internet traffic flows via it and then gave the virtual appliance a set public IP, you could then on the SQL firewall just specify the IP of the virtual appliance public IP. More work but would work and secures the Azure SQL Database instance so that only your virtual network joined machines could use it.