Connectivity settings

Applies to: Azure SQL Database SQL database in Fabric

This article introduces settings that control connectivity to the server for Azure SQL Database and SQL database in Microsoft Fabric.

• For more information on various components that direct network traffic and connection policies, see connectivity architecture.
• This article does not apply to Azure SQL Managed Instance, instead see Connect your application to Azure SQL Managed Instance.
• This article does not apply to Azure Synapse Analytics.
  • For settings that control connectivity to dedicated SQL pools in Azure Synapse Analytics, see Azure Synapse Analytics connectivity settings.
  • For connection strings to Azure Synapse Analytics pools, see Connect to Synapse SQL.
  • See Azure Synapse Analytics IP firewall rules for guidance on how to configure IP firewall rules for Azure Synapse Analytics with workspaces.

Networking and connectivity

You can change these settings in your logical server.

Change public network access

It's possible to change the public network access for your Azure SQL Database via the Azure portal, Azure PowerShell, and the Azure CLI.

# Get the Public Network Access property
(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).PublicNetworkAccess

# Update Public Network Access to Disabled
$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force

Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString -PublicNetworkAccess "Disabled"

# Get current setting for Public Network Access
az sql server show -n sql-server-name -g sql-server-group --query "publicNetworkAccess"

# Update setting for Public Network Access
az sql server update -n sql-server-name -g sql-server-group --set publicNetworkAccess="Disabled"

Deny public network access

The default for the Public network access setting is Disable. Customers can choose to connect to a database by using either public endpoints (with IP-based server-level firewall rules or with virtual-network firewall rules), or private endpoints (by using Azure Private Link), as outlined in the network access overview.

When Public network access is set to Disable, only connections from private endpoints are allowed. All connections from public endpoints will be denied with an error message similar to:

Error 47073
An instance-specific error occurred while establishing a connection to SQL Server.
The public network interface on this server is not accessible.
To connect to this server, use the Private Endpoint from inside your virtual network.

When Public network access is set to Disable, any attempts to add, remove, or edit any firewall rules will be denied with an error message similar to:

Error 42101
Unable to create or modify firewall rules when public network interface for the server is disabled.
To manage server or database level firewall rules, please enable the public network interface.

Ensure that Public network access is set to Selected networks to be able to add, remove, or edit any firewall rules for Azure SQL Database.

Minimum TLS version

The minimum Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. TLS is a cryptographic protocol used to secure client-server communications over a network. This ensures that sensitive information, such as authentication credentials and database queries, is safe from interception and tampering. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.

Currently, Azure SQL Database supports TLS 1.2 and 1.3. Setting a minimum TLS version ensures that newer TLS versions are supported. For example, choosing a TLS version 1.2 means only connections with TLS 1.2 and 1.3 are accepted, and connections with TLS 1.1 or lower are rejected. After you test to confirm that your applications support it, we recommend setting the minimal TLS version to 1.3. This version includes fixes for vulnerabilities in previous versions and is the highest version of TLS that's supported in Azure SQL Database.

Configure minimum TLS version

You can configure the minimum TLS version for client connections by using the Azure portal, Azure PowerShell, or the Azure CLI.

For customers with applications that rely on older versions of TLS, we recommend setting the minimal TLS version according to the requirements of your applications. If application requirements are unknown or workloads rely on older drivers that are no longer maintained, we recommend not setting any minimal TLS version.

For more information, see TLS considerations for SQL Database connectivity.

After you set the minimal TLS version, customers who are using a TLS version lower than the minimum TLS version of the server will fail to authenticate, with the following error:

Error 47072
Login failed with invalid TLS version

$serverParams = @{
    ServerName = "sql-server-name"
    ResourceGroupName = "sql-server-group"
}

(Get-AzSqlServer @serverParams).MinimalTlsVersion

$serverParams = @{
    ServerName = "sql-server-name"
    ResourceGroupName = "sql-server-group"
    SqlAdministratorPassword = (ConvertTo-SecureString "strong_password_here_password" -AsPlainText -Force)
    MinimalTlsVersion = "1.2"
}
Set-AzSqlServer @serverParams

# Get current setting for Minimal TLS Version
az sql server show -n sql-server-name -g sql-server-group --query "minimalTlsVersion"

# Update setting for Minimal TLS Version
az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion="1.2"

Identify client connections

You can use the Azure portal and SQL audit logs to identify clients that are connecting using TLS 1.0 and 1.0.

In the Azure portal, go to Metrics under Monitoring for your database resource, and then filter by Successful connections, and TLS versions = 1.0 and 1.1:

You can also query sys.fn_get_audit_file directly within your database to view the client_tls_version_name in the audit file, looking for events named audit_event.

Change the connection policy

Connection policy determines how customers connect. We highly recommend the Redirect connection policy over the Proxy connection policy for the lowest latency and highest throughput.

It's possible to change the connection policy by using the Azure portal, Azure PowerShell, and the Azure CLI.

# Get SQL Server ID
$sqlserverid = (Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).ResourceId

# Set URI
$id = "$sqlserverid/connectionPolicies/Default"

# Get current connection policy
$resourceParams = @{
    ResourceId = $id
    ApiVersion = "2014-04-01"
    Verbose = $true
}
(Get-AzResource @resourceParams).Properties.ConnectionType

# Update connection policy
$updateParams = @{
    ResourceId = $id
    Properties = @{
        connectionType = "Proxy"
    }
    Force = $true
}
Set-AzResource @updateParams

# Get SQL Server ID
sqlserverid=$(az sql server show -n sql-server-name -g sql-server-group --query 'id' -o tsv)

# Set URI
ids="$sqlserverid/connectionPolicies/Default"

# Get current connection policy
az resource show --ids $ids

# Update connection policy
az resource update --ids $ids --set properties.connectionType=Proxy

# Get SQL Server ID and set URI
FOR /F "tokens=*" %g IN ('az sql server show --resource-group myResourceGroup-571418053 --name server-538465606 --query "id" -o tsv') do (SET sqlserverid=%g/connectionPolicies/Default)

# Get current connection policy
az resource show --ids %sqlserverid%

# Update connection policy
az resource update --ids %sqlserverid% --set properties.connectionType=Proxy

Upcoming TLS 1.0 and 1.1 retirement changes FAQ

Azure has announced that support for older TLS versions (TLS 1.0, and 1.1) ends August 31, 2025. For more information, see TLS 1.0 and 1.1 deprecation.

Starting November 2024, you'll no longer be able to set the minimal TLS version for Azure SQL Database and Azure SQL Managed Instance client connections below TLS 1.2.

Why is TLS 1.0 and 1.1 being retired?

TLS versions 1.0 and 1.1 are outdated and no longer meet modern security standards. They're being retired to:

• Reduce exposure to known vulnerabilities.
• Align with industry best practices and compliance requirements.
• Ensure clients are using stronger encryption protocols like TLS 1.2 or TLS 1.3.

What happens if TLS 1.0 and 1.1 are used after August 31, 2025?

After August 31, 2025, TLS 1.0 and 1.1 will no longer be supported, and connections using TLS 1.0 and 1.1 will likely fail. It's critical to transition to a minimum of TLS 1.2 or higher before the deadline.

How can I check if my SQL Database, SQL Managed Instance, Cosmos DB, or MySQL instances are using TLS 1.0/1.1?

• To identify clients that are connecting to your Azure SQL Database using TLS 1.0 and 1.1, SQL audit logs must be enabled. With auditing enabled, you can view client connections.

• To identify clients that are connecting to your Azure SQL Managed Instance using TLS 1.0 and 1.1, auditing must be enabled. With auditing enabled, you can consume audit logs with Azure Storage, Event Hubs, or Azure Monitor Logs to view client connections.

• To verify the minimum TLS version of your Azure Cosmos DB, get the current value of the minimalTlsVersion property using Azure CLI or Azure PowerShell.

• To verify the minimum TLS version configured for your Azure Database for MySQL Server, check the value of the tls_version server parameter using the MySQL command-line interface to understand what protocols are configured.

Why was my service flagged if I’ve already configured TLS 1.2?

Services might be incorrectly flagged due to:

• Intermittent fallback to older TLS versions by legacy clients.
• Misconfigured client libraries or connection strings that don’t enforce TLS 1.2.
• Telemetry lag or false positives in detection logic.

What should I do if I received a retirement notice in error?

If your server or database is already configured with minimum TLS 1.2, or configured with no minimum TLS (the default setting in SQL Database and SQL Managed Instance minimalTLSVersion that maps to 0) and connecting with 1.2, no action is required.

What happens if my application or client library doesn’t support TLS 1.2?

Connections will fail once TLS 1.0/1.1 are disabled. You must upgrade your client libraries, drivers, or frameworks to versions that support TLS 1.2.

What if my server is configured with no minimum TLS version?

Servers configured with no minimum TLS version and connecting with TLS 1.0/1.1 should be upgraded to minimum TLS version 1.2. For servers configured with no minimum TLS version and connecting with 1.2, no action is required. For servers configured with no minimum TLS version and using encrypted connections, no action is required.

How will I be notified about TLS retirement for my resources?

Email reminders will continue leading up to the retirement of TLS 1.0 and 1.1 in August.

Can I request an exception or extension if I can’t meet the August 31, 2025 deadline?

The retirement of TLS 1.0 and 1.1 by August 31 is an Azure-wide deadline. If you can't update your database resources to use minimal TLS version 1.2 by the retirement deadline and require support for your scenario, submit a request to Azure Databases explaining your migration blocker.

Who can I contact if I need help with validating or with updating my TLS settings?

If you need help with validating or with updating your TLS settings, contact Microsoft Q&A or open a support ticket using the Azure portal if you have a support plan.

Related content

• Connectivity architecture