Confusion around "Allow access to Azure services" option #13287

Closed
andyce1010 opened this issue Aug 13, 2018 — with docs.microsoft.com · 12 comments

Comments

Hello,

According to the flow diagram, it looks like once you have "enabled access from Azure services", then you still need to add firewall rules to the DB or server, to allow the Azure services to connect. However, the Information note that follows ("This option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.") makes it sound like Azure services will bypass the firewall.

In practice I have found that Azure services (I tested using a container instance) do indeed bypass the firewall. I can connect after enabling access from Azure services, without adding any firewall rules.

Maybe the diagram should be updated to make this more obvious. Or is there a plan to make these firewall rules apply to Azure connections too?


@andyce1010 andyce1010 changed the title Confusion around "Allow connections from Azure service" option Confusion around "Allow access to Azure services" option Aug 13, 2018
@Alberto-Vega
Contributor

@andyce1010 Thanks for the feedback! We are currently investigating and will update you shortly.

@Alberto-Vega
Contributor

Alberto-Vega commented Aug 13, 2018

@andyce1010 Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

@CarlRabeler
Contributor

investigating...

@CarlRabeler
Contributor

This appears to be a bug and a CSS case should be opened. No further action at this point in terms of changing the docs. @andyce1010 @Alberto-Vega-MSFT

@Alberto-Vega
Contributor

@andyce1010 if you don't have a Support plan, email AzCommunity@microsoft.com, and we will enable a one-time Support ticket for you. Please remember to include your Subscription ID, and a link to this issue.

@andyce1010
Author

Ok thanks, I'll do that.

Just to clarify, are you saying that a firewall rule should be required, even when the "enabled access from Azure services" option is enabled?

If that's the case, then is the information note I quoted above wrong?

@CarlRabeler
Contributor

@andyce1010 To the best of my knowledge, the information note is correct and a firewall rule is not required from an Azure resource to another Azure resource.

@andyce1010
Author

Ah ok, thanks. In that case it's the flow diagram that's incorrect, as that shows Azure connections being subject to the database and server firewall rules.

@CarlRabeler
Contributor

@andyce1010 I answered too quickly. When you create an Azure SQL server and DB using the Azure portal and click the checkbox for allowing Azure services, a firewall rule with an IP address of 0.0.0.0 is created. When you create your server and DB using an API, such as PowerShell, you have to create this firewall rule for this IP address yourself, as there is no checkbox. Sorry for the confusion. As such, the diagram is correct. I confused myself because, when I use the Azure portal and use the allow Azure services checkbox, no other firewall rule is needed.
Does this clarify?
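
Because the checkbox described in the comment above is stored as an ordinary firewall rule for 0.0.0.0, the setting can be found by auditing the server's rule list. The following is an added example, not part of the original thread or Microsoft's code: a Python check over exported server-level firewall rules. The `name`/`startIpAddress`/`endIpAddress` field names, the sample rules and the 256-address threshold are assumptions.

```python
import ipaddress

# Per the thread: the portal checkbox creates a rule whose address is 0.0.0.0.
AZURE_SERVICES_IP = ipaddress.IPv4Address("0.0.0.0")
WIDE_RANGE_THRESHOLD = 256  # assumption: ranges wider than a /24 deserve review


def classify_rule(rule):
    """Return (category, reason) for one server-level firewall rule dict."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        return "invalid", "end address precedes start address"
    if start == end == AZURE_SERVICES_IP:
        # This is the "Allow access to Azure services" setting, not a host rule.
        return "azure-services", ("allows all connections from Azure, including "
                                  "other customers' subscriptions")
    size = int(end) - int(start) + 1
    if size == 2 ** 32:
        return "open", "allows every IPv4 address"
    if size > WIDE_RANGE_THRESHOLD:
        return "wide", f"range of {size} addresses"
    return "ok", f"{size} address(es)"


def audit(rules):
    """Return (name, category, reason) for every rule that is not 'ok'."""
    findings = []
    for rule in rules:
        category, reason = classify_rule(rule)
        if category != "ok":
            findings.append((rule["name"], category, reason))
    return findings


# Constructed sample input; names and addresses are illustrative only.
SAMPLE_RULES = [
    {"name": "portal-checkbox-rule", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "vendor-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
    {"name": "open-to-world", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]

if __name__ == "__main__":
    for name, category, reason in audit(SAMPLE_RULES):
        print(f"{category:15} {name}: {reason}")
```

A server showing the `azure-services` finding relies on login and user permissions alone to keep out connections from other Azure subscriptions, as the information note quoted at the top of the thread says.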

@CarlRabeler
Contributor

#please-close

@andyce1010
Author

Yes, thanks for the clarification.

@CarlRabeler
Contributor

#please-close
