Implementing Azure SQL Server Firewall Rules with Bicep and Azure Verified Modules

When managing Azure resources, ensuring your SQL server is secure from unauthorized access is a priority. One way to secure your Azure SQL server is by implementing firewall rules. In this post, I’ll guide you through using Bicep and the Azure Verified Modules from GitHub to set up firewall rules for an Azure SQL server.

Example Bicep:

@description('Deploy Azure SQL Server')
 module createsqlServer '../sql/server/main.bicep' = {
   scope: resourceGroup(rgSQL)
   name: 'sqlServer-${environmentName}'
   params: {
     name: 'sql-demoserver'
     administratorLogin: administratorLogin
     administratorLoginPassword: administratorLoginPassword
     managedIdentities: {
       systemAssigned: false
       userAssignedResourceIds: [
         createManagedIdentity.outputs.resourceId
       ]
     }
     primaryUserAssignedIdentityId: createManagedIdentity.outputs.resourceId
     location: location
     tags: tags
     databases: [
        {
          name: 'demidb1'
          skuName: 'ElasticPool'
          skuTier: 'GeneralPurpose'
          capacity: 0
          maxLogSizeBytes: 34359738368
          compatibilityLevel: 120
          elasticPoolId: createSqlServerElasticPool.outputs.resourceId
        }
     ]
     firewallRules: [
      {
        name: ''
        startIpAddress: 'enter ip address here'
        endIpAddress: 'enter ip address here'
      }
      {
       name: ''
       startIpAddress: ''
       endIpAddress: ''
      }
   ]
   }
 }

This Bicep file defines 2 simple rule that allows traffic from certain defined IP addresses. Be sure to adjust the startIpAddress and endIpAddress to fit your security requirements. This example doesn’t show the code for the creation of the elasticPool or the Managed Identity.

This example serves as a foundational guide to get you started with automated deployment of firewall rules using Infrastructure as Code (IaC) practices with Bicep.