Azure-docs: Firewall configuration diagram

Created on 16 Jun 2020  ·  5 Comments  ·  Source: MicrosoftDocs/azure-docs

I think that the diagram should be updated to a new one where the user contributor role can ignore firewall rule settings.

  1. [DATABASE-LEVEL FIREWALL RULES] Client IP Address in Range?
    Yes -> Connected / No -> 2.
  2. [SERVER-LEVEL FIREWALL RULES] Client IP Address in Range?
    Yes -> Connected / No -> 3.
  3. [USER ROLE] User has Contributor role (or other role assignment)?
    Yes -> Connected / No -> Access Denied

If this makes sense, of course. I'm not so sure about this, but what I'm sure of is that if a user has the "Contributor" role, the user has the possibility to access Azure SQL Database through any Internet IP address.



@cesarswarowsky Thank you for the feedback but I am not clear if you are requesting a flow chart for Azure Roles or making a product request to allow for role based connectivity control? The flow chart as it currently is published demonstrates the flow for database-level IP control versus server-level IP control.

To clarify, there's no role that would allow you to ignore the firewall rules. There are certain Azure AD roles that would allow you to modify the firewall rules, and add your client IP, but in order to connect to Azure SQL Database, you will need a rule that would allow your client IP.
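One way to put that comment into practice, as an added example (PowerShell with the Az module; not code from this thread or from Microsoft's docs): instead of granting full Contributor, a custom role limited to firewall-rule management is assigned, and a server-level rule for the client IP is still created because no role bypasses the rules. The custom role name, scope, user and IP address are placeholders or constructed values.

```powershell
# Added example (not from the thread or Azure docs): grant a user only the
# permissions needed to manage Azure SQL server firewall rules, then add a
# rule for their current client IP. Subscription, resource group, server,
# user and IP values below are placeholders.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$serverName     = "<sql-server-name>"
$userSignIn     = "collaborator@example.com"
$clientIp       = "203.0.113.45"      # constructed sample address (TEST-NET-3)

$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Start from the built-in Contributor definition and narrow it down to the
# firewall-rule actions only; Contributor itself would grant far more.
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id = $null
$role.Name = "SQL Server Firewall Rule Manager"   # assumed custom role name
$role.Description = "Can view the SQL server and manage its firewall rules"
$role.IsCustom = $true
$role.Actions.Clear()
$role.NotActions.Clear()
$role.Actions.Add("Microsoft.Sql/servers/read")
$role.Actions.Add("Microsoft.Sql/servers/firewallRules/read")
$role.Actions.Add("Microsoft.Sql/servers/firewallRules/write")
$role.Actions.Add("Microsoft.Sql/servers/firewallRules/delete")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role

# Assign the narrowed role at resource-group scope.
New-AzRoleAssignment -SignInName $userSignIn -RoleDefinitionName $role.Name -Scope $scope

# Whatever role the user holds, a server-level rule covering the client IP is
# still required to connect. Create (or update) a single-address rule.
$ruleName = "client-$($userSignIn.Split('@')[0])"
$existing = Get-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $serverName -FirewallRuleName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $serverName -FirewallRuleName $ruleName -StartIpAddress $clientIp -EndIpAddress $clientIp
} else {
    New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $serverName -FirewallRuleName $ruleName -StartIpAddress $clientIp -EndIpAddress $clientIp
}
```

The rule write succeeds only for an identity holding a role with `Microsoft.Sql/servers/firewallRules/write` at that scope; the connection itself is then admitted by the rule, not by the role.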

@Mike-Ubezzi-MSFT what I was trying to say is that it could have a quote about what @VanMSFT just explained to me above (thanks, @VanMSFT, for the clarification 👍): "_There are certain Azure AD roles that would allow you to modify the firewall rules, and add your client IP, but in order to connect to Azure SQL Database, you will need a rule that would allow your client IP_". It might help some IT admins to understand how to solve problems with external dynamic IP addresses. I haven't found a topic talking about this.

For example: in the organization where I work, a collaborator has his external IP changed every day. In order for him to continue accessing the Azure SQL database, I have to update the Azure SQL Server firewall rule with his new IP. So I recently discovered through testing that if I define his user as a "Contributor" to the resource, the moment he logs in with his user account, his external IP will automatically be added to the Azure SQL Server firewall rule, right?

By the way, I apologize for misunderstanding or if I am causing any inconvenience with this.

@cesarswarowsky - Thanks for the feedback! It's not an inconvenience. While going through the doc, I also noticed that we're missing what permissions allow users to add firewall rules to Azure SQL. I have updated the doc with a permission section. Thank you, and we appreciate your contribution to our docs!

@cesarswarowsky We will now proceed to close this thread. If there are further questions regarding this matter, please comment and we will gladly continue the discussion.
