แก้ไข

แชร์ผ่าน


Manage firewall rules for Azure Database for MySQL - Flexible Server using Azure CLI

Azure Database for MySQL flexible server supports two mutually exclusive network connectivity methods to connect to your flexible server. The two options are:

  • Public access (allowed IP addresses)
  • Private access (VNet Integration)

In this article, we focus on the creation of an Azure Database for MySQL flexible server instance with Public access (allowed IP addresses) using Azure CLI. This article provides an overview of Azure CLI commands you can use to create, update, delete, list, and show firewall rules after creating a server. With Public access (allowed IP addresses), the connections to the Azure Database for MySQL flexible server instance are restricted to allowed IP addresses only. The client IP addresses need to be allowed in the firewall rules. To learn more about it, refer to Public access (allowed IP addresses). The firewall rules can be defined at the time of server creation (recommended) but can be added later as well.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and select Enter to run it.

If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Prerequisites

You must sign in to your account using the az login command. Note the ID property, which refers to Subscription ID for your Azure account.

az login

Select the specific subscription under your account using the az account set command. Note the ID value from the az login output to use as the value for the subscription argument in the command. If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. To get all your subscriptions, use az account list.

az account set --subscription <subscription id>

Create firewall rule during flexible server using Azure CLI

You can use the az mysql flexible-server --public access command to create the Azure Database for MySQL flexible server instance with Public access (allowed IP addresses) and configure the firewall rules while creating the server. You can use the -public-access switch to provide the allowed IP addresses that can connect to the server. You can provide single or range of IP addresses to be included in the allowed list of IPs. IP address range must be dash-separated and doesn't contain any spaces. There are various options to create an Azure Database for MySQL flexible server instance using Azure CLI, as shown in the following examples.

Refer to the Azure CLI reference documentation for the complete list of configurable CLI parameters. For example, you can optionally specify the resource group in the following commands.

  • Create an Azure Database for MySQL flexible server instance with public access and add the client IP address to have access to the server.

    az mysql flexible-server create --public-access <my_client_ip>
    
  • Create an Azure Database for MySQL flexible server instance with public access and add the range of IP address to have access to this server.

    az mysql flexible-server create --public-access <start_ip_address-end_ip_address>
    
  • Create an Azure Database for MySQL flexible server instance with public access and allow applications from Azure IP addresses to connect to your server.

    az mysql flexible-server create --public-access 0.0.0.0
    

    Important

    This option configures the firewall to allow public access from Azure services and resources within Azure to this server, including connections from the subscriptions of other customers. When selecting this option, ensure your login and user permissions limit access to only authorized users.

  • Create an Azure Database for MySQL flexible server instance with public access and allow all IP address.

    az mysql flexible-server create --public-access all
    

    Note

    The above command creates a firewall rule with start IP address=0.0.0.0, end IP address=255.255.255.255 and no IP addresses are blocked. Any host on the Internet can access this server. It is strongly recommended to use this rule only temporarily and only on test servers that do not contain sensitive data.

  • Create an Azure Database for MySQL flexible server instance with public access and with no IP address.

    az mysql flexible-server create --public-access none
    

    Note

    We don't recommend creating a server without any firewall rules. If you don't add any firewall rules, no client can connect to the server.

Create and manage firewall rule after server creation

The az mysql flexible-server firewall-rule command is used from the Azure CLI to create, delete, list, show, and update firewall rules.

Commands:

  • create: Create an Azure Database for MySQL flexible server firewall rule.
  • list: List the Azure Database for MySQL flexible server firewall rules.
  • update: Update an Azure Database for MySQL flexible server firewall rule.
  • show: Show the details of an Azure Database for MySQL flexible server firewall rule.
  • delete: Delete an Azure Database for MySQL flexible server firewall rule.

Refer to the Azure CLI reference documentation for the complete list of configurable CLI parameters. For example, in the following commands, you can optionally specify the resource group.

Create a firewall rule

Use the az mysql flexible-server firewall-rule create command to create new firewall rule on the server. To allow access to a range of IP addresses, provide the IP address as the Start and End IP addresses, as in this example.

az mysql flexible-server firewall-rule create --resource-group testGroup --name mydemoserver --start-ip-address 13.83.152.0 --end-ip-address 13.83.152.15

To allow access for a single IP address, provide the single IP address, as in this example.

az mysql flexible-server firewall-rule create --resource-group testGroup --name mydemoserver --start-ip-address 1.1.1.1

To allow applications from Azure IP addresses to connect to your Azure Database for MySQL flexible server instance, provide the IP address 0.0.0.0 as the Start IP, as in this example.

az mysql flexible-server firewall-rule create --resource-group testGroup --name mydemoserver --start-ip-address 0.0.0.0

Important

This option configures the firewall to allow public access from Azure services and resources within Azure to this server, including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

Upon success, each create command output lists the details of the firewall rule you've created in JSON format (by default). If there's a failure, the result shows an error message text instead.

List firewall rules

Use the az mysql flexible-server firewall-rule list command to list the existing server firewall rules on the server. The server name attribute is specified in the -name switch.

az mysql flexible-server firewall-rule list --name mydemoserver

The output lists the rules, if any, in JSON format (by default). You can use the -output table switch to output the results in a more readable table format.

az mysql flexible-server firewall-rule list --name mydemoserver --output table

Update a firewall rule

Use the az mysql flexible-server firewall-rule update command to update an existing firewall rule on the server. Provide the name of the existing firewall rule as input, and the start IP address and end IP address attributes to update.

az mysql flexible-server firewall-rule update --name mydemoserver --rule-name FirewallRule1 --start-ip-address 13.83.152.0 --end-ip-address 13.83.152.1

Upon success, the command output lists the details of the firewall rule you've updated in JSON format (by default). If there's a failure, the output shows an error message text instead.

Note

If the firewall rule doesn't exist, the update command creates the rule.

Show firewall rule details

Use the az mysql flexible-server firewall-rule show command to show the existing firewall rule details from the server. Provide the name of the existing firewall rule as input.

az mysql flexible-server firewall-rule show --name mydemoserver --rule-name FirewallRule1

Upon success, the command output lists the details of the firewall rule you've specified in JSON format (by default). If there's a failure, the output shows an error message text instead.

Delete a firewall rule

Use the az mysql flexible-server firewall-rule delete command to delete an existing firewall rule from the server. Provide the name of the current firewall rule.

az mysql flexible-server firewall-rule delete --name mydemoserver --rule-name FirewallRule1

Upon success, there's no output. Upon failure, an error message text is displayed.