| title | description | services | ms.service | ms.subservice | ms.custom | ms.devlang | ms.topic | author | ms.author | ms.reviewer | manager | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure SQL Database connectivity architecture | Microsoft Docs |
This document explains the Azure SQL Database connectivity architecture from within Azure or from outside of Azure. |
sql-database |
sql-database |
development |
conceptual |
srdan-bozovic-msft |
srbozovi |
carlrab |
craigg |
11/02/2018 |
This article explains the Azure SQL Database connectivity architecture and explains how the different components function to direct traffic to your instance of Azure SQL Database. These Azure SQL Database connectivity components function to direct network traffic to the Azure database with clients connecting from within Azure and with clients connecting from outside of Azure. This article also provides script samples to change how connectivity occurs, and the considerations related to changing the default connectivity settings.
The following diagram provides a high-level overview of the Azure SQL Database connectivity architecture.
The following steps describe how a connection is established to an Azure SQL database through the Azure SQL Database software load-balancer (SLB) and the Azure SQL Database gateway.
- Clients connect to the SLB, which has a public IP address and listens on port 1433.
- The SLB forwards traffic to the Azure SQL Database gateway.
- The gateway, depending on the effective connection policy, redirects or proxies the traffic to the correct proxy middleware.
- The proxy middleware forwards the traffic to the appropriate Azure SQL database.
Important
Each of these components has distributed denial of service (DDoS) protection built-in at the network and the app layer.
Azure SQL Database supports the following three options for the connection policy setting of a SQL Database server:
- Redirect (recommended): Clients establish connections directly to the node hosting the database. To enable connectivity, the clients must allow outbound firewall rules to all Azure IP addresses in the region (try this using Network Security Groups (NSG) with service tags), not just the Azure SQL Database Gateway IP addresses. Because packets go directly to the database, latency and throughput have improved performance.
- Proxy: In this mode, all connections are proxied via the Azure SQL Database gateways. To enable connectivity, the client must have outbound firewall rules that allow only the Azure SQL Database Gateway IP addresses (usually two IP addresses per region). Choosing this mode can result in higher latency and lower throughput, depending on nature of the workload. We highly recommend the Redirect connection policy over the Proxy connection policy for the lowest latency and highest throughput.
- Default: This is the connection policy in effect on all servers after creation unless you explicitly alter the connection policy to either Proxy or Redirect. The effective policy depends on whether connections originate from within Azure (Redirect) or outside of Azure (Proxy).
If you are connecting from within Azure on a server created after November 10, 2018, your connections have a connection policy of Redirect by default. A policy of Redirect means that connections after the TCP session is established to the Azure SQL database, the client session is then redirected to the proxy middleware with a change to the destination virtual IP from that of the Azure SQL Database gateway to that of the proxy middleware. Thereafter, all subsequent packets flow directly via the proxy middleware, bypassing the Azure SQL Database gateway. The following diagram illustrates this traffic flow.
Important
If you created SQL Database Server before November 10, 2018 your connection policy was set explicitly to Proxy. When using service endpoints, we highly recommend changing your connection policy to Redirect to enable better performance. If you change your connection policy to Redirect, it will not be sufficient to allow outbound on your NSG to Azure SQL Database gateway IPs listed below, you must allow outbound to all Azure SQL Database IPs. This can be accomplished with the help of NSG (Network Security Groups) Service Tags. For more information, see Service Tags.
If you are connecting from outside Azure, your connections have a connection policy of Proxy by default. A policy of Proxy means that the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway. The following diagram illustrates this traffic flow.
To connect to an Azure SQL database from on-premises resources, you need to allow outbound network traffic to the Azure SQL Database gateway for your Azure region. Your connections only go via the gateway when connecting in Proxy mode, which is the default when connecting from on-premises resources.
The following table lists the primary and secondary IPs of the Azure SQL Database gateway for all data regions. For some regions, there are two IP addresses. In these regions, the primary IP address is the current IP address of the gateway and the second IP address is a failover IP address. The failover address is the address to which we might move your server to keep the service availability high. For these regions, we recommend that you allow outbound to both the IP addresses. The second IP address is owned by Microsoft and does not listen in on any services until it is activated by Azure SQL Database to accept connections.
| Region Name | Primary IP address | Secondary IP address |
|---|---|---|
| Australia East | 191.238.66.109 | 13.75.149.87 |
| Australia South East | 191.239.192.109 | 13.73.109.251 |
| Brazil South | 104.41.11.5 | |
| Canada Central | 40.85.224.249 | |
| Canada East | 40.86.226.166 | |
| Central US | 23.99.160.139 | 13.67.215.62 |
| China East 1 | 139.219.130.35 | |
| China East 2 | 40.73.82.1 | |
| China North 1 | 139.219.15.17 | |
| China North 2 | 40.73.50.0 | |
| East Asia | 191.234.2.139 | 52.175.33.150 |
| East US 1 | 191.238.6.43 | 40.121.158.30 |
| East US 2 | 191.239.224.107 | 40.79.84.180 * |
| France Central | 40.79.137.0 | 40.79.129.1 |
| Germany Central | 51.4.144.100 | |
| Germany North East | 51.5.144.179 | |
| India Central | 104.211.96.159 | |
| India South | 104.211.224.146 | |
| India West | 104.211.160.80 | |
| Japan East | 191.237.240.43 | 13.78.61.196 |
| Japan West | 191.238.68.11 | 104.214.148.156 |
| Korea Central | 52.231.32.42 | |
| Korea South | 52.231.200.86 | |
| North Central US | 23.98.55.75 | 23.96.178.199 |
| North Europe | 191.235.193.75 | 40.113.93.91 |
| South Central US | 23.98.162.75 | 13.66.62.124 |
| South East Asia | 23.100.117.95 | 104.43.15.0 |
| UK North | 13.87.97.210 | |
| UK South 1 | 51.140.184.11 | |
| UK South 2 | 13.87.34.7 | |
| UK West | 51.141.8.11 | |
| West Central US | 13.78.145.25 | |
| West Europe | 191.237.232.75 | 40.68.37.158 |
| West US 1 | 23.99.34.75 | 104.42.238.205 |
| West US 2 | 13.66.226.202 | |
* NOTE: East US 2 has also a tertiary IP address of 52.167.104.0.
To change the Azure SQL Database connection policy for an Azure SQL Database server, use the conn-policy command.
- If your connection policy is set to Proxy, all network packets flow via the Azure SQL Database gateway. For this setting, you need to allow outbound to only the Azure SQL Database gateway IP. Using a setting of Proxy has more latency than a setting of Redirect.
- If your connection policy is setting Redirect, all network packets flow directly to the middleware proxy. For this setting, you need to allow outbound to multiple IPs.
Important
This script requires the Azure PowerShell module.
The following PowerShell script shows how to change the connection policy.
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName <Subscription Name>
# Azure Active Directory ID
$tenantId = "<Azure Active Directory GUID>"
$authUrl = "https://login.microsoftonline.com/$tenantId"
# Subscription ID
$subscriptionId = "<Subscription GUID>"
# Create an App Registration in Azure Active Directory. Ensure the application type is set to NATIVE
# Under Required Permissions, add the API: Windows Azure Service Management API
# Specify the redirect URL for the app registration
$uri = "<NATIVE APP - REDIRECT URI>"
# Specify the application id for the app registration
$clientId = "<NATIVE APP - APPLICATION ID>"
# Logical SQL Server Name
$serverName = "<LOGICAL DATABASE SERVER - NAME>"
# Resource Group where the SQL Server is located
$resourceGroupName= "<LOGICAL DATABASE SERVER - RESOURCE GROUP NAME>"
# Login and acquire a bearer token
$AuthContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authUrl
$result = $AuthContext.AcquireToken(
"https://management.core.windows.net/",
$clientId,
[Uri]$uri,
[Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
)
$authHeader = @{
'Content-Type'='application\json; '
'Authorization'=$result.CreateAuthorizationHeader()
}
#Get current connection Policy
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName/connectionPolicies/Default?api-version=2014-04-01-preview" -Method GET -Headers $authHeader
#Set connection policy to Proxy
$connectionType="Proxy" <#Redirect / Default are other options#>
$body = @{properties=@{connectionType=$connectionType}} | ConvertTo-Json
# Apply Changes
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName/connectionPolicies/Default?api-version=2014-04-01-preview" -Method PUT -Headers $authHeader -Body $body -ContentType "application/json"Important
This script requires the Azure CLI.
The following CLI script shows how to change the connection policy.
<pre>
# Get SQL Server ID
sqlserverid=$(az sql server show -n <b>sql-server-name</b> -g <b>sql-server-group</b> --query 'id' -o tsv)
# Set URI
id="$sqlserverid/connectionPolicies/Default"
# Get current connection policy
az resource show --ids $id
# Update connection policy
az resource update --ids $id --set properties.connectionType=Proxy
</pre>
- For information on how to change the Azure SQL Database connection policy for an Azure SQL Database server, see conn-policy.
- For information about Azure SQL Database connection behavior for clients that use ADO.NET 4.5 or a later version, see Ports beyond 1433 for ADO.NET 4.5.
- For general application development overview information, see SQL Database Application Development Overview.