Connecting to SQL Azure from Azure VM - internal IP or public VIP

Question

I have an SQL Azure database and Azure Virtual Machine with an application connecting to the database.

• They are in the same datacenter and under the same Azure subscription.

• I added public virtual IP of the virtual machine to the list of allowed IP addresses in the server configure page of management portal.

• Windows Azure Services are marked "Yes" in the "Allowed Services" section.

When trying to connect, I receive exception: "Client with IP address 'x.x.x.x' is not allowed to access the server.", where x.x.x.x is the internal IP of the VM. I am hesitant to use internal IP in an allowed IP rule. Shouldn't SQL Azure see public IP of the VM during connection?

Answer 1

I am hesitant to use internal IP in an allowed IP rule. Shouldn't SQL Azure see public IP of the VM during connection?

The calls are being made through the internal network so never actually leave the data centre. Why not add a rule as follows to only allow internal calls by opening the following IP range on the Azure Database:

10.0.0.0 to 10.0.0.255

In the above case you don't need to worry about a transient IP on your VM.

Answer 2

Perhaps try looking at the azure cmdlets that allow you to manage firewall rules by script. You could add a start up job to update a specific rule with the new IP the vm should it change do to a migration or reboot.

Specificially these powershell cmdlets:

• New-SqlAzureFirewallRule - Adds a new Sql Azure firewall rule to a server.
• Get-SqlAzureFirewallRules - Returns the firewall rules for the specified Sql Azure server.
• Remove-SqlAzureFirewallRule - Removes an existing Sql Azure fireall rule.

Sql Azure Cmdlets