When you create a “logical” Azure SQL Server (I say logical because we are not really physically creating anything) there is a setting that is ticked ON by default which is called “Allow Azure services to access server”.
The question is, what does it mean? (See the highlighted section below)
I don’t like this setting ON as the default: it means “enabling this feature would allow any traffic from resources/services hosted in Azure (not just your Azure subscription) to access the database.” (Yes, it really does – from an official Microsoft source: https://blogs.msdn.microsoft.com/azureedu/2016/04/11/what-should-i-know-when-setting-up-my-azure-sql-database-paas/)
Let me try and explain this with an example. I have this setting set to ON (and NO firewall rules in place).
I log on to an Azure VM with SSMS (SQL Server Management Studio) installed and try to connect to the database. Will it work? Yes, I will log in straight away. That is what happens when you set this to ON. Obviously I have a valid login to authenticate to the database.
Now I am not saying this is right or wrong, but it’s definitely not how I like to set things up. I’d like a little more control. I usually turn this setting OFF. What do you think will happen now when I connect via SSMS?
I will be denied.
I get a firewall message telling me to create a rule now. I do exactly that, and then I can log on. I name the rule Azure VM and scope it to the VM’s specific IP address.
That’s how the setting’s behaviour changes between ON and OFF when using SSMS as the connection tool from another resource, such as an Azure VM.
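As an added example (not code from the original post), here is a small Python audit that reads the JSON returned by `az sql server firewall-rule list` and flags the setting discussed above: Azure stores “Allow Azure services to access server” as a server-level firewall rule spanning exactly 0.0.0.0 to 0.0.0.0 (the portal names it AllowAllWindowsAzureIps), so it shows up alongside the per-VM rule the post creates. The sample rules, their addresses and the 256-address “broad range” threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list -g <rg> -s <server>`
# (only the fields used here). Addresses are documentation ranges, not real hosts.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "Azure VM", "startIpAddress": "203.0.113.45", "endIpAddress": "203.0.113.45"},
  {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"},
  {"name": "temp-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""

# Azure represents "Allow Azure services to access server" as a 0.0.0.0-0.0.0.0 rule.
ALLOW_AZURE_SERVICES = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("0.0.0.0"))
INTERNET_WIDE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
MAX_RANGE = 256  # assumed policy threshold: anything wider than a /24 gets flagged


def rule_bounds(rule):
    """Return (start, end) as IPv4Address objects, rejecting inverted ranges."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        raise ValueError(f"rule {rule['name']!r} has end address before start address")
    return start, end


def range_size(rule):
    """Number of addresses a rule admits (a single-host rule returns 1)."""
    start, end = rule_bounds(rule)
    return int(end) - int(start) + 1


def classify_rule(rule):
    """Label one rule: the Azure-services switch, an internet-wide rule, a broad range, or ok."""
    bounds = rule_bounds(rule)
    if bounds == ALLOW_AZURE_SERVICES:
        return "allow-azure-services"  # the default-ON setting the post turns OFF
    if bounds == INTERNET_WIDE:
        return "internet-wide"
    if range_size(rule) > MAX_RANGE:
        return "broad-range"
    return "ok"  # e.g. the single-IP "Azure VM" rule created after switching the setting OFF


def audit_firewall_rules(rules_json):
    """Map each rule name in the CLI output to its classification."""
    return {rule["name"]: classify_rule(rule) for rule in json.loads(rules_json)}


if __name__ == "__main__":
    for name, verdict in audit_firewall_rules(SAMPLE_RULES_JSON).items():
        print(f"{name:25} {verdict}")
```

Feed it real output by piping `az sql server firewall-rule list -g <rg> -s <server>` into `audit_firewall_rules`; any `allow-azure-services` or `internet-wide` verdict is the condition the post recommends replacing with a specific-IP rule.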