Applies to:
Azure SQL Database
Azure Synapse Analytics (dedicated SQL pools only)
Network Security Perimeter (preview) secures both inbound and outbound network traffic between Azure SQL Database and other Platform as a Service (PaaS) resources (for example, Azure Storage and Azure Key Vault). Any attempt to communicate with Azure resources that aren't inside the perimeter is blocked.
Important
- This article applies to both Azure SQL Database and dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics. These settings apply to all SQL Database and dedicated SQL pool (formerly SQL DW) databases associated with the server. For simplicity, the term 'database' refers to both databases in Azure SQL Database and Azure Synapse Analytics. Likewise, any reference to 'server' refers to the logical SQL server that hosts Azure SQL Database and dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics. This article does not apply to Azure SQL Managed Instance or dedicated SQL pools in Azure Synapse Analytics workspaces.
Getting Started
In the Azure portal, search for Network Security Perimeter in the resource list and then select Create.
Provide a Name and Region and choose the subscription.
Under the Resources section, select the Add button and navigate to the SQL Database you want to associate with the perimeter.
Add an Inbound access rule. The source type can be either an IP address, a subscription, or other network security perimeters.
Add an Outbound access rule to allow resources inside the perimeter to connect to resources outside the perimeter.
If you already have an existing Azure SQL Database and want to add a security perimeter, use the following steps:
In the Azure portal, search for the existing Network Security Perimeter.
Select Associated Resources from the Settings menu.
Select the Add button and select Associate resources with an existing profile.
Select your Profile from the dropdown and select Add.
Search for your SQL Database resource, select the required resource, and select Associate.
Using SQL Database with a Network Security Perimeter
By default, Network Security Perimeter uses Learning Mode, which can be used to log all traffic to and from SQL Database. The network traffic can be logged to a Log Analytics Workspace or Azure Storage account using Diagnostic logging for Azure Network Security Perimeter. Finally, Network Security Perimeter can be switched to Enforced mode. In Enforced mode, any denied access attempt returns the following error:
Error 42118
Login failed because the network security perimeter denied inbound access.
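The following added example (not part of the original article and not Microsoft code) is a simplified model of the inbound rule check described above. It replays connection sources observed in Learning mode against the inbound access rules and lists the clients that would receive error 42118 after the switch to Enforced mode. The record fields, rule values and client names are constructed assumptions, not the actual diagnostic log schema.

```python
import ipaddress
from dataclasses import dataclass, field

ERROR_42118 = ("Error 42118: Login failed because the network security "
               "perimeter denied inbound access.")

@dataclass
class InboundRules:
    """The three inbound source types the article lists (values are constructed)."""
    ip_prefixes: list = field(default_factory=list)
    subscriptions: set = field(default_factory=set)
    perimeters: set = field(default_factory=set)

    def allows(self, conn: dict) -> bool:
        # A connection is allowed if any one source type matches a rule.
        if conn.get("subscription") in self.subscriptions:
            return True
        if conn.get("perimeter") in self.perimeters:
            return True
        ip = conn.get("ip")
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in self.ip_prefixes)

def evaluate(conn: dict, rules: InboundRules, mode: str):
    """Return (outcome, message). Learning mode only logs; Enforced mode blocks."""
    if rules.allows(conn):
        return "allowed", ""
    if mode == "Learning":
        return "logged", "no matching inbound rule; would fail in Enforced mode"
    return "denied", ERROR_42118

def enforcement_gaps(connections: list, rules: InboundRules) -> list:
    """Connections seen during Learning mode that Enforced mode would reject."""
    return [c for c in connections if evaluate(c, rules, "Enforced")[0] == "denied"]

# Constructed rules and traffic: documentation IP ranges and placeholder IDs.
RULES = InboundRules(ip_prefixes=["203.0.113.0/24"],
                     subscriptions={"00000000-0000-0000-0000-000000000001"},
                     perimeters={"nsp-partner"})
TRAFFIC = [
    {"client": "app-server", "ip": "203.0.113.10"},
    {"client": "etl-job", "subscription": "00000000-0000-0000-0000-000000000001"},
    {"client": "reporting", "perimeter": "nsp-partner"},
    {"client": "legacy-batch", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for c in enforcement_gaps(TRAFFIC, RULES):
        print(f"{c['client']}: {ERROR_42118}")
```

Every client this reports needs either a matching inbound access rule or a decision to let it be blocked before the perimeter is moved out of Learning mode.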