Restricting access to an Azure SQL Database using a specific Instance Level Public IP

I am working on an Azure project to migrate a distributed application from on-premises to the cloud. Part of the customer infrastructure is based on a clustered SQL Server, and we decided to leverage Azure SQL Database for this scope.

Post Objective

The purpose of this post is to show you a very simplified version of the architecture that we have implemented, focusing on the method we have used to secure the traffic between Azure Virtual Machines and Azure SQL Database.

Considerations

Azure SQL Database cannot be part of an Azure Virtual Network, so it cannot inherit the configuration of Azure IaaS services such as Network Security Groups, site-to-site VPNs, or others. This means that the connection between Azure SQL Database and Azure IaaS services must go through a public internet connection.

Azure SQL Database has its own firewall, which can be enabled at server level or database level. This helps us because we can restrict access to the DB to a specific IP range. The image below describes how the Azure SQL Database firewall works. Additional information on the Azure SQL Database firewall can be found here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-firewall-configu

The Azure SQL Database firewall has an option that enables connections from Azure Services, e.g. a Virtual Machine. This point requires an additional comment, because enabling access to all Azure Services potentially enables access from all Azure Services, even those that are not part of the same infrastructure (resources owned by other Azure customers included). To avoid this, we could decide to only accept connections from a static Public IP. Azure gives us this flexibility through Instance Level Public IP (ILPIP), which lets us assign a Public IP to a specific Virtual Machine.
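As an added example, not code from the original post, here is a small Python audit of a server-level firewall rule set against the policy described above (only the VM's ILPIP may connect). It relies on the fact that the "Azure services" switch is stored as a rule whose start and end address are both 0.0.0.0; the rule names and IP addresses are constructed sample values, and the VM's ILPIP is an assumed value.

```python
import ipaddress
from dataclasses import dataclass

# The "allow Azure services" switch is stored as a rule whose start and end
# address are both 0.0.0.0; it admits any Azure-hosted resource, not only ours.
AZURE_SERVICES_SENTINEL = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class FirewallRule:
    name: str
    start_ip: str
    end_ip: str


def audit_rules(rules, approved_ilpips):
    """Return (rule name, finding) pairs for rules that break the ILPIP-only
    policy, plus one entry per approved ILPIP that no rule covers."""
    approved = {ipaddress.IPv4Address(ip) for ip in approved_ilpips}
    findings, covered = [], set()
    for rule in rules:
        start = ipaddress.IPv4Address(rule.start_ip)
        end = ipaddress.IPv4Address(rule.end_ip)
        if start == end == AZURE_SERVICES_SENTINEL:
            findings.append((rule.name, "allows all Azure services, other customers included"))
        elif end < start:
            findings.append((rule.name, "end address precedes start address"))
        elif start != end:
            findings.append((rule.name, f"range of {int(end) - int(start) + 1} addresses, not a single ILPIP"))
        elif start not in approved:
            findings.append((rule.name, f"single host {start} is not an approved ILPIP"))
        else:
            covered.add(start)
    for ip in sorted(approved - covered):  # the VM would get the "denied" message box
        findings.append(("<missing>", f"no rule admits approved ILPIP {ip}"))
    return findings


# Constructed sample: Azure-services switch left ON and an over-broad office
# range added for convenience, beside the intended single-host ILPIP rule.
SAMPLE_RULES = [
    FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    FirewallRule("office", "198.51.100.0", "198.51.100.255"),
    FirewallRule("vm-ilpip", "203.0.113.10", "203.0.113.10"),
]
VM_ILPIP = "203.0.113.10"  # assumed static address assigned to the VM

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, [VM_ILPIP]):
        print(f"{name}: {finding}")
```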
To learn more about how ILPIP works, you can see the image below or visit this page: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/

Solution adopted

Well, the solution here is pretty easy: I have just associated an ILPIP with the Virtual Machine and configured the Azure SQL DB firewall to accept connections only from the ILPIP (see image above).

Configuration steps

1 – Provision an Azure SQL Database

To deploy an Azure SQL Database, you can follow this tutorial: https://azure.microsoft.com/en-us/documentation/articles/sql-database-get-started/ You can stop at step 4 of the tutorial, because we are adding a few details here. In the screenshot below, point number 1 is related to Azure services. Setting this option to ON, all Azure services would be enabled to access our database server, of course with the required credentials. So I have set this option to OFF, which means that any attempt to access the DB from a VM in Azure will produce the message box below.

2 – Enable the ILPIP

Now we need to enable the ILPIP for the Virtual Machine; this can also be done using the Azure Portal (the red arrow in the image below) during the provisioning phase. Please consider that ILPIPs have a cost; details can be found here: https://azure.microsoft.com/en-us/pricing/details/ip-addresses/

3 – Test the connection

And that's it: after adding the ILPIP to the Azure SQL Database firewall, the connection will work.

To learn more about Azure SQL Database I recommend visiting this page: https://azure.microsoft.com/en-us/documentation/services/sql-database/.

Ciao!
Francesco @francedit