Do you want to get the Azure SQL Database firewall working for clients that live in an Amazon VPC? This article explains what the firewall can and cannot do for you in that setup, and how to configure both sides without opening more than you need.
Azure SQL Database is a managed service that runs only in Azure. It cannot be deployed into an Amazon VPC or onto an EC2 instance; what customers deploy in the VPC are the application servers that need to reach it. Those clients are admitted or rejected by the firewall of the Azure SQL logical server, and no rule for AWS sources is created automatically at deployment time: a newly created server admits no public client until you add rules yourself.
When you create a rule, the Azure SQL firewall accepts only IPv4 address ranges (a start and an end address), virtual network rules for Azure virtual networks, and private endpoints. It has no notion of an AWS security group, and a security group cannot be referenced from Azure. If you allow a range, every host whose traffic leaves through an address in that range is admitted, so never allow a whole AWS region range taken from the published ip-ranges.json: those addresses are shared with every other AWS customer. The workable pattern is to give the EC2 instances a stable public egress address (a NAT gateway with an Elastic IP, or an Elastic IP on the instance itself), create a firewall rule whose start and end are that single address, and on the AWS side restrict the security group's outbound rules to TCP 1433 toward the SQL server's public endpoint.
Azure SQL Firewall Service
Azure does have service tags, named groups of Azure address ranges such as Sql or Sql.EastUS, but they are used as the destination in network security group and Azure Firewall rules for traffic going to SQL Database, not as the source in the SQL Database firewall itself, and none of them describes an Amazon VPC. An Azure SQL server does not run on EC2 and has no Availability Set either; the metadata it does carry is ordinary resource tags (name and value pairs such as environment or owner) plus its properties: service tier (Basic, Standard, Premium, or the vCore tiers), region, and resource group.
Azure SQL Firewall Service Tags
You can see a server's resource tags in the portal by choosing Tags in the resource menu. Tags are useful for inventory, cost allocation, and Azure Policy, but they play no part in admission: tagging a database WebTier and a set of clients WebTier does not let those clients connect, and nothing about a tag is visible to the firewall at connection time. For sources in an Amazon VPC the only identity the firewall can act on is the source IP address, so the rule must name the address your VPC egress actually uses. The same holds for the related offerings: SQL Managed Instance is an Azure service that lives inside an Azure virtual network and is reached through that network's own controls rather than the SQL Database firewall, and neither it nor SQL Server Stretch Database runs on AWS.
What is Azure SQL Firewall Service?
The Azure SQL Database firewall is the network admission control built into every Azure SQL logical server. It inspects the source IP address of each incoming connection and rejects connections from addresses that no rule allows, before any login is attempted, so it limits who can even reach the login handshake. It does not replace authentication, TLS, or in-database permissions, and it has nothing to do with AlwaysOn availability groups, which are a SQL Server feature rather than an Azure SQL Database one. It is entirely part of the service: there is no appliance to deploy, no agent to install on your AWS instances, and no change to your existing AWS security groups or network ACLs, which keep filtering on their own side independently.
How does Azure SQL Firewall Service work?
The firewall runs in the Azure gateway in front of the logical server, never on your EC2 instances, and it creates no rules in AWS. Only TCP 1433 is exposed at the server's public endpoint; clients outside Azure connect in proxy mode through that single port (the 11000-11999 redirect range is used only by clients inside Azure), so nothing about it "opens up all external ports". There are two rule levels. Server-level rules, managed through the portal, Azure CLI, PowerShell, or sp_set_firewall_rule in the master database, apply to every database on the server. Database-level rules, set with sp_set_database_firewall_rule inside a database, apply to that database alone and are evaluated first. A connection is admitted if its source address matches a database-level rule for the target database or, failing that, a server-level rule; otherwise it is refused. The special rule with start and end address 0.0.0.0 (Allow Azure services and resources to access this server) admits connections from any address inside Azure, including other customers' resources, so leave it off. If no public rule should exist at all, you can disable public network access and reach the server only over a private endpoint, which from AWS means a site-to-site VPN into an Azure virtual network. None of this is tied to AlwaysOn, Availability Sets, or Azure Stack.
None of these rules references an AWS security group. What admits a VPC client is the IP range you wrote down, which is why that range should be exactly the VPC's egress address and nothing wider, and why the AWS-side security group should be the place that decides which instances may use that egress path toward port 1433.
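The two practical steps above, creating single-address rules for the VPC's egress addresses and checking an existing rule set against the admission logic, can be scripted. The following is an added example written for this article, not code from the original page or from Microsoft. It audits server-level rules only (database-level rules live inside each database and are not returned by the CLI). The rule list is constructed to resemble the JSON that `az sql server firewall-rule list -o json` returns (fields name, startIpAddress, endIpAddress); the rule names, resource group, server name, IP addresses, and the 256-address "overbroad" threshold are all assumptions.

```python
"""Audit Azure SQL Database server-level firewall rules for AWS-hosted clients.

Added example: editor-written code, not code from the original article or
from Microsoft.  SAMPLE_RULES_JSON is constructed to resemble the output of
`az sql server firewall-rule list -o json`; all names and addresses are
assumptions.
"""
import ipaddress
import json

# Constructed sample output of `az sql server firewall-rule list -o json`.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "AllowAllWindowsAzureIps",
     "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "aws-nat-eip",
     "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "office",
     "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    {"name": "everything",
     "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
])

ANY_AZURE = ipaddress.IPv4Address("0.0.0.0")  # the 'Allow Azure services' rule
MAX_RANGE = 256  # assumption: anything wider than a /24 counts as overbroad


def parse_rules(rules_json):
    """Turn the CLI JSON into (name, start, end) tuples, rejecting inverted ranges."""
    rules = []
    for r in json.loads(rules_json):
        start = ipaddress.IPv4Address(r["startIpAddress"])
        end = ipaddress.IPv4Address(r["endIpAddress"])
        if end < start:
            raise ValueError(f"rule {r['name']}: end address precedes start")
        rules.append((r["name"], start, end))
    return rules


def range_size(start, end):
    """Number of addresses a start/end pair admits."""
    return int(end) - int(start) + 1


def covering_rules(rules, source_ip):
    """Names of the rules that would admit source_ip.  The 0.0.0.0 rule is
    skipped: it admits Azure-internal sources, never a real internet address."""
    ip = ipaddress.IPv4Address(source_ip)
    return [name for name, start, end in rules
            if not (start == end == ANY_AZURE) and start <= ip <= end]


def is_admitted(rules, source_ip):
    """Mirror the server-level decision: at least one rule must cover the address."""
    return bool(covering_rules(rules, source_ip))


def audit_rules(rules, expected_sources=()):
    """Flag the Allow-Azure-services rule, overbroad ranges, and expected egress
    addresses that are uncovered or covered by more than one rule (the second
    rule is usually the broad one somebody forgot to delete)."""
    findings = []
    for name, start, end in rules:
        if start == end == ANY_AZURE:
            findings.append((name, "allow-azure-services"))
        elif range_size(start, end) > MAX_RANGE:
            findings.append((name, "overbroad"))
    for src in expected_sources:
        names = covering_rules(rules, src)
        if not names:
            findings.append((src, "not-covered"))
        elif len(names) > 1:
            findings.append((src, "covered-by-several:" + ",".join(names)))
    return findings


def rule_commands(resource_group, server, egress_ips):
    """One single-address rule per VPC egress address, as `az sql server
    firewall-rule create` invocations (start == end, so nothing wider than the
    address itself is admitted).  Resource group and server name are assumptions."""
    cmds = []
    for i, ip in enumerate(egress_ips):
        addr = ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
        cmds.append(
            f"az sql server firewall-rule create --resource-group {resource_group} "
            f"--server {server} --name aws-egress-{i} "
            f"--start-ip-address {addr} --end-ip-address {addr}")
    return cmds


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_JSON)
    for finding in audit_rules(rules, expected_sources=["203.0.113.10"]):
        print(finding)
    for cmd in rule_commands("rg-app", "sql-app-prod", ["203.0.113.10"]):
        print(cmd)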