I deployed a managed Azure SQL Database via the az CLI with server-level firewall rules and least-privilege contained users. Scripting the provisioning made a secured PaaS database repeatable and reviewable instead of click-driven.

Objective & Context

Azure SQL is a managed PaaS database; security depends on firewall scoping and login least privilege, not host hardening. This lab provisions a logical server and database, restricts network access, and creates non-admin application users, aligning to CIS Azure data recommendations.

Environment & Prerequisites

  • Azure subscription with the az CLI authenticated.
  • A resource group and naming convention.
  • Client IP for the firewall allow rule.

Step-by-Step Execution

1. Create the logical server and database

az sql server create -g rg -n tyf-sql --admin-user adm --admin-password '****' && az sql db create -g rg -s tyf-sql -n appdb --service-objective S0

2. Restrict network access

az sql server firewall-rule create -g rg -s tyf-sql -n client --start-ip-address 203.0.113.10 --end-ip-address 203.0.113.10

3. Create a least-privilege user

CREATE USER app WITH PASSWORD='****'; ALTER ROLE db_datareader ADD MEMBER app;
Database appdb provisioned (S0). Firewall rule 'client' created.

Validation & Testing

Connect from the allowed IP with the app login and confirm read access works while writes are denied; connect from a non-allowed IP and confirm it is blocked. Pass criteria: firewall enforces source IP and the app user holds only granted roles.

Advanced: Troubleshooting
  • Cannot connect: add the client IP firewall rule and confirm "Allow Azure services" only if intended.
  • Over-privileged login: avoid using the server admin for apps; create scoped users.
  • Throttling: the service objective (DTU/vCore) may be undersized for the workload.

Key Results

  • Provisioned a secured Azure SQL database from a repeatable CLI script.
  • Restricted network access to a single explicit source IP.
  • Granted the app login read-only, removing admin over-privilege.
  • Made the deployment reviewable and reproducible versus portal clicks.