A configuration for SQL Server to prevent outgoing access to networked (off-machine) SQL Server instances from cloud VMs, while allowing management machines to access these instances.
SQL Server configuration for customer VMs
- All SQL instances to be the default SQL instance on each machine (no named instances)
- All SQL instances to use only TCP protocol (disable named pipes, and shared memory)
- All SQL instances use port 1433 (already the case with template VMs)
- All SQL instances do not run the SQL Browser Service (already the case with template VMs)
- Management machines with SQL Server would not implement any special firewall rules aside from their current rule to allow incoming SQL requests.
Windows firewall configuration for VMs
Windows firewall properties for Domain, Private, and Public profiles
- Inbound connections: block by default
- Outbound connections: allow by default
Create the following Windows firewall rules to block outgoing SQL requests:
- Management machines with SQL Server would not implement these rules
- DENY TCP remote port 1433,1434, any local port, any network profile, any program
- DENY UDP remote port 1433,1434, any local port, any network profile, any program
Create the following Windows firewall rules to allow incoming SQL requests:
- ALLOW TCP local port 1433, any remote port, any network profile, any program
- ALLOW UDP local port 1433, any remote port, any network profile, any program
Use group policy to prevent users other than domain admins from changing firewall settings.
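The profile defaults and the four rules above, applied with the built-in Windows NetSecurity cmdlets. This is an added example, not part of the original design note: the rule display names, the -ManagementMachine switch, and the read-only registry check of the SQL protocol settings are this example's own choices. It assumes it is run elevated on the VM and that SQL Server is installed as the default instance (MSSQLSERVER) as the note requires.

```powershell
<#
  Added example (not from the original note). Applies the firewall design
  described above and prints what is now in effect. Run as administrator.
#>
param(
    # Management machines keep only the inbound ALLOW rules; the outbound
    # DENY rules are deliberately not created there.
    [switch]$ManagementMachine
)

$ErrorActionPreference = 'Stop'

# 1. Profile defaults on Domain, Private and Public: block inbound, allow outbound.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Helper: create a rule only if a rule with that display name is not already
# present, so re-running the script does not pile up duplicate rules.
function Ensure-Rule {
    param([string]$Name, [hashtable]$Spec)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $Name"
        return
    }
    New-NetFirewallRule -DisplayName $Name -Profile Any -Program Any -Enabled True @Spec | Out-Null
    Write-Host "Created rule: $Name"
}

# 2. Outbound DENY rules: TCP and UDP to remote ports 1433 and 1434, any local port.
if (-not $ManagementMachine) {
    foreach ($proto in 'TCP','UDP') {
        Ensure-Rule -Name "Block outbound SQL ($proto 1433,1434)" -Spec @{
            Direction  = 'Outbound'; Action = 'Block'; Protocol = $proto
            RemotePort = 1433,1434;  LocalPort = 'Any'
        }
    }
}

# 3. Inbound ALLOW rules: TCP and UDP to local port 1433, any remote port.
foreach ($proto in 'TCP','UDP') {
    Ensure-Rule -Name "Allow inbound SQL ($proto 1433)" -Spec @{
        Direction = 'Inbound'; Action = 'Allow'; Protocol = $proto
        LocalPort = 1433;      RemotePort = 'Any'
    }
}

# 4. The note assumes the SQL Browser service is not running. Enforce that
#    where the service exists (it is absent on machines without SQL Server).
if (Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue) {
    Stop-Service -Name SQLBrowser -Force -ErrorAction SilentlyContinue
    Set-Service  -Name SQLBrowser -StartupType Disabled
}

# 5. Read-only check of the default instance's protocol settings (TCP on,
#    named pipes and shared memory off). Registry path is an assumption for
#    a default instance; it is only read, never written.
$netlib = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL*.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
foreach ($p in 'Tcp','Np','Sm') {
    $v = Get-ItemProperty -Path "$netlib\$p" -Name Enabled -ErrorAction SilentlyContinue
    if ($v) { Write-Host ("SQL protocol {0}: Enabled={1}" -f $p, $v.Enabled) }
}

# 6. Show the resulting SQL rules and profile defaults for review.
Get-NetFirewallRule -DisplayName '*SQL (*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Direction = $_.Direction; Action = $_.Action
        Protocol = $pf.Protocol; LocalPort = $pf.LocalPort; RemotePort = $pf.RemotePort
    }
} | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Run it without arguments on customer VMs and with -ManagementMachine on the management hosts. The outbound DENY rules cover both 1433 and 1434 so that a blocked VM cannot reach an off-machine instance through the SQL Browser port either; the inbound rules only open 1433, matching the note. The protocol check in step 5 only reports the current state; switching named pipes and shared memory off is still done in SQL Server Configuration Manager.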
An alternate solution is to put a single firewall on the network between all machines and configure rules accordingly. This would make central management easier, but complicate the configuration.