
Azure SQL Database – Allow Azure Services to Access Server


When you create a “logical” Azure SQL Server (I say logical because we are not really physically creating anything), there is a setting, ticked ON by default, called “Allow Azure services to access server”.

The question is, what does it mean?

I don’t like this setting being ON by default. It means “enabling this feature would allow any traffic from resources/services hosted in Azure (not just your Azure subscription) to access the database.” (Yes, it really does; this is from an official Microsoft source: https://blogs.msdn.microsoft.com/azureedu/2016/04/11/what-should-i-know-when-setting-up-my-azure-sql-database-paas/)

Let me try to explain this with an example. I have this setting set to ON, and there are NO firewall rules in place.


I log on to an Azure VM with SSMS (SQL Server Management Studio) installed and try to connect to the database. Will it work? Yes, I will log in straightaway. That is what happens when you set this to ON. Obviously, I have a valid login to authenticate to the database.


Now I am not saying this is right or wrong, but it’s definitely not how I like to set things up. I’d like a little more control, so I usually turn this setting OFF. What do you think will happen when I connect via SSMS now?


I will be denied.


I get a firewall message telling me to create a rule. I do exactly that and then I can log on. The rule is called Azure VM and has a specific IP address.


That’s how the setting’s behaviour changes between ON and OFF when using SSMS as the connection tool from another resource such as an Azure VM.
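Behind the portal switch, ON is stored as a server-level firewall rule whose start and end IP are both 0.0.0.0 (named AllowAllWindowsAzureIps), so it can be audited like any other rule. The script below is an added example, not part of the original post: it classifies rules from JSON shaped like the output of `az sql server firewall-rule list -o json`; the sample rules, the IP addresses and the 256-address review threshold are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample, shaped like `az sql server firewall-rule list -o json`.
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "Azure VM", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "office-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"},
  {"name": "wide-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]"""

MAX_ADDRESSES = 256  # assumed threshold: larger ranges get flagged for review


def classify(rule, max_addresses=MAX_ADDRESSES):
    """Return a verdict string for one server-level firewall rule."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    # 0.0.0.0 - 0.0.0.0 is how "Allow Azure services" = ON is stored:
    # it admits traffic from any Azure-hosted resource, in any subscription.
    if int(start) == 0 and int(end) == 0:
        return "AZURE_SERVICES_ON"
    if end < start:
        return "INVALID_RANGE"
    size = int(end) - int(start) + 1
    if size == 2 ** 32:
        return "ANY_INTERNET_ADDRESS"
    if size > max_addresses:
        return "BROAD_RANGE"
    return "OK"


def audit(rules_json):
    """Map each rule name to its verdict."""
    return {rule["name"]: classify(rule) for rule in json.loads(rules_json)}


def azure_services_allowed(rules_json):
    """True when the server still accepts connections from all Azure services."""
    return "AZURE_SERVICES_ON" in audit(rules_json).values()


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES_JSON).items():
        print(f"{verdict:22} {name}")
```

A server set up the way the post ends, with the setting OFF and only the single-IP Azure VM rule, reports nothing but OK.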
