Managing Firewall Rules with Azure CLI
Azure CLI provides a powerful and flexible way to manage network security for your Azure Database for MySQL server, including configuring firewall rules.
Prerequisites
- An Azure account with an active subscription.
- An Azure Database for MySQL server created in your subscription.
- Azure CLI installed and logged in to your account. If it is not installed, see the Azure CLI installation instructions.
Viewing Existing Firewall Rules
You can list all existing firewall rules for your MySQL server using the following command:
az mysql server firewall-rule list --resource-group <YourResourceGroupName> --server <YourServerName>
Creating a New Firewall Rule
To allow access from a specific IP address or a range of IP addresses, you can create a new firewall rule. This is crucial for restricting access to your database.
Allowing a Single IP Address
This command allows access to your server from a single IP address: set the start and end IP addresses to the same value.
az mysql server firewall-rule create --resource-group <YourResourceGroupName> --server <YourServerName> --name <RuleName> --start-ip-address <YourStartIPAddress> --end-ip-address <YourEndIPAddress>
Example:
az mysql server firewall-rule create --resource-group myResourceGroup --server mydemoserver --name AllowMyLocalIP --start-ip-address 203.0.113.5 --end-ip-address 203.0.113.5
Allowing an IP Address Range
Specify a start and end IP address to define a range for which access will be permitted.
az mysql server firewall-rule create --resource-group <YourResourceGroupName> --server <YourServerName> --name <RuleName> --start-ip-address <YourStartIPAddress> --end-ip-address <YourEndIPAddress>
Example:
az mysql server firewall-rule create --resource-group myResourceGroup --server mydemoserver --name AllowOfficeNetwork --start-ip-address 192.168.1.0 --end-ip-address 192.168.1.254
Allowing All Azure Services
To allow all Azure services to connect to your server, use the following command:
az mysql server firewall-rule create --resource-group <YourResourceGroupName> --server <YourServerName> --name AllowAllWindowsAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
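Important: Allowing all Azure services provides broad access: the 0.0.0.0 rule admits connections from any Azure-hosted source, including resources in other customers' subscriptions. It is recommended to use specific IP addresses or VNet service endpoints for enhanced security.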
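To spot overly broad rules on an existing server, this added example (not part of the original page) audits the JSON output of the list command and flags the allow-all-Azure-services rule, a rule spanning the whole IPv4 space, wide ranges, and inverted ranges. The 256-address threshold, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
import json
import sys

# Constructed sample in the shape printed by `az mysql server firewall-rule list
# ... --output json` (made-up values; real output carries extra fields, ignored here).
SAMPLE_JSON = """[
 {"name": "AllowMyLocalIP", "startIpAddress": "203.0.113.5", "endIpAddress": "203.0.113.5"},
 {"name": "AllowOfficeNetwork", "startIpAddress": "192.168.1.0", "endIpAddress": "192.168.1.254"},
 {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
 {"name": "TempDebug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
 {"name": "VendorRange", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"}
]"""

MAX_ADDRESSES = 256  # assumed review threshold; adjust to your own policy


def audit_rule(rule, max_addresses=MAX_ADDRESSES):
    """Return a list of findings for one firewall rule (empty list = nothing flagged)."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        return ["end address is below start address"]
    if int(start) == 0 and int(end) == 0:
        return ["allows all Azure services (0.0.0.0 rule)"]
    size = int(end) - int(start) + 1  # number of addresses the rule admits
    if size == 2 ** 32:
        return ["allows the entire IPv4 address space"]
    if size > max_addresses:
        return [f"wide range: {size} addresses"]
    return []


def audit(rules_json, max_addresses=MAX_ADDRESSES):
    """Map rule name -> findings, keeping only the rules that were flagged."""
    report = {}
    for rule in json.loads(rules_json):
        findings = audit_rule(rule, max_addresses)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    # Pipe real CLI output in; with an interactive stdin the sample is used instead.
    data = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(data).items():
        print(f"{name}: {'; '.join(findings)}")
```

To run it against a real server, save it under a name of your choice (here the hypothetical audit_rules.py) and pipe in the list command with `--output json`.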
Updating a Firewall Rule
You can modify an existing firewall rule by updating its IP address range.
az mysql server firewall-rule update --resource-group <YourResourceGroupName> --server <YourServerName> --name <RuleName> --start-ip-address <NewStartIPAddress> --end-ip-address <NewEndIPAddress>
Deleting a Firewall Rule
To remove a firewall rule, use the delete command. This is useful for revoking access that is no longer needed.
az mysql server firewall-rule delete --resource-group <YourResourceGroupName> --server <YourServerName> --name <RuleName>
Example:
az mysql server firewall-rule delete --resource-group myResourceGroup --server mydemoserver --name AllowMyLocalIP