We help IT Professionals succeed at work.

Configure Azure SQL DB firewall with various users accessing database

I have discovered a dilemma with our azure SQL database. Under firewall settings I am supposed to specify IP addresses that can access the database. We are using a VB6 app, which is not central to any specific location. Is it OK to open up the firewall so that various locations can access it? Or is this too much of a security risk? Has anyone ever run into this problem?
Comment
Watch Question

Ron MalmsteadInformation Services Manager

Commented:
When you connect and login to Azure database, using either Visual Studio or SQL Server Management Studio... It will prompt to add the IP address or IP address range...to the firewall automatically, provided the user has permissions.

The users can download and install the SQL Server Management Studio for free...and login using their credentials to add their own IP addresses...they won't have to do it again unless their IP address changes.

Author

Commented:
So hopefully my question was not confusing. The users that are accessing the database will be at various dynamic IP addresses.  How do I handle that issue when the IP address keeps changing or if the user is at an unknown location.
Ron MalmsteadInformation Services Manager

Commented:
Right...but though they have a dynamic IP...it doesn't change that often.  If they find themselves blocked because of an IP change...again...all they have to do is open SQL Server Management studio...and login to the database...it will immediately say...do you want to add your ip to the firewall...and click yes.

I would personally rather them deal with this minor inconvenience rather than open up the DB to the entire internet.

Author

Commented:
Each person does not have the privilege to access the DB thru SSMS.  They are only using an application.  We don't want them accessing the DB directly thru SSMS
Information Services Manager
Commented:
Sorry I misread...I made an assumption these were developers rather than users.

In that case your options are...
Open up the database firewall to allow all addresses.
..or make them use a proxy...or vpn gateway from a single IP...or use Azure VPN services.

If you don't have the ability to modify the program or the ability to implement any of the latter suggestions..then you don't have much choice in the matter for remote users to be able to connect, you would have to open the firewall.

This setup is inherently insecure however.
Ron MalmsteadInformation Services Manager

Commented:
Would it be possible for you to set up a Terminal Services Remote desktop server and have them remote into a server with a static IP?

That would solve the problem also...and you only have to allow one IP.

I believe you can get this on Azure as well.

Author

Commented:
That's an idea worth considering