Configure Azure SQL DB firewall with various users accessing database

I have discovered a dilemma with our azure SQL database. Under firewall settings I am supposed to specify IP addresses that can access the database. We are using a VB6 app, which is not central to any specific location. Is it OK to open up the firewall so that various locations can access it? Or is this too much of a security risk? Has anyone ever run into this problem?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ron MalmsteadInformation Services ManagerCommented:
When you connect and login to Azure database, using either Visual Studio or SQL Server Management Studio... It will prompt to add the IP address or IP address the firewall automatically, provided the user has permissions.

The users can download and install the SQL Server Management Studio for free...and login using their credentials to add their own IP addresses...they won't have to do it again unless their IP address changes.
al4629740Author Commented:
So hopefully my question was not confusing. The users that are accessing the database will be at various dynamic IP addresses.  How do I handle that issue when the IP address keeps changing or if the user is at an unknown location.
Ron MalmsteadInformation Services ManagerCommented:
Right...but though they have a dynamic doesn't change that often.  If they find themselves blocked because of an IP change...again...all they have to do is open SQL Server Management studio...and login to the will immediately you want to add your ip to the firewall...and click yes.

I would personally rather them deal with this minor inconvenience rather than open up the DB to the entire internet.
Angular Fundamentals

Learn the fundamentals of Angular 2, a JavaScript framework for developing dynamic single page applications.

al4629740Author Commented:
Each person does not have the privilege to access the DB thru SSMS.  They are only using an application.  We don't want them accessing the DB directly thru SSMS
Ron MalmsteadInformation Services ManagerCommented:
Sorry I misread...I made an assumption these were developers rather than users.

In that case your options are...
Open up the database firewall to allow all addresses.
..or make them use a proxy...or vpn gateway from a single IP...or use Azure VPN services.

If you don't have the ability to modify the program or the ability to implement any of the latter suggestions..then you don't have much choice in the matter for remote users to be able to connect, you would have to open the firewall.

This setup is inherently insecure however.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ron MalmsteadInformation Services ManagerCommented:
Would it be possible for you to set up a Terminal Services Remote desktop server and have them remote into a server with a static IP?

That would solve the problem also...and you only have to allow one IP.

I believe you can get this on Azure as well.
al4629740Author Commented:
That's an idea worth considering
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.