
What are we missing with regard to North Europe Azure Database gateways


We have a whole bunch of clients that each have a database on Azure in North Europe.

Since last week, some of them - typically, the ones that strictly control their firewalls and what addresses can be reached through Port 1433 - have started reporting connectivity issues.

We've looked at this page https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql to try and find out what addresses they should allow.

When I ping some of our servers, I get the results I expect: Reply from 13.74.104.113: Destination host unreachable.

(Never mind the error; it just confirms the IP addresses as listed under Gateway for North Europe, and any site for which we get this response, or the same for IP address 52.138.224.1 as listed on the above page for North Europe, is not reporting issues.)

But when I ping [oneofoursites].database.windows.net for one of the sites that has reported connectivity issues, I get responses like Reply from 52.146.133.130 and Reply from 52.146.133.131.

The IP addresses that "play nice" are for cr4.northeurope1-a.control.database.windows.net and for cr7... The ones that cause problems are for cr14 and cr15.

Are we misreading the information in the link above? I see also, in the Gateway IP address subnets column:

13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29, 52.146.133.128/27

I see the "52.146.133..." in 52.146.133.128/27, but we aren't sure what this means. We can't figure it out from trawling through the page or by following other links from this page, and we lack the insight to know whether the page is not up to date or whether we're "doing something wrong", so if someone could point us in the right direction, we would really appreciate it.


Solution

  • Logins for SQL Database can land on any of the Gateway IP address subnets in a region. For consistent connectivity to SQL Database, allow network traffic to and from all the Gateway IP address subnets in a region. In this scenario, all the subnets for the North Europe Region: 13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29, 52.146.133.128/27.

    If the above information does not help, it is recommended that you raise a support case, as allow-listing traffic from customers' infrastructure is something that is very subjective based on the architecture.
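What the `/27` notation asked about in the question covers, and how to check a firewall allow-list against the subnets quoted in the answer, as an added example that is not part of the original question or answer. The function names and the sample allow-list are constructed for illustration; the subnets and addresses are the ones on this page.

```python
import ipaddress

# Gateway IP address subnets for North Europe, exactly as quoted on this page.
GATEWAY_SUBNETS = ["13.69.233.136/29", "13.74.105.192/29",
                   "52.138.229.72/29", "52.146.133.128/27"]

def subnet_range(cidr):
    """Expand CIDR notation to (first address, last address, address count)."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def classify(ip, subnets=GATEWAY_SUBNETS):
    """Return the gateway subnet that contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None

def uncovered(allow_list, subnets=GATEWAY_SUBNETS):
    """Return the gateway subnets that the allow-list does not fully cover."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in allow_list]
    missing = []
    for cidr in subnets:
        remaining = [ipaddress.ip_network(cidr)]  # parts not yet allowed
        for rule in allowed:
            still = []
            for part in remaining:
                if part.subnet_of(rule):
                    continue  # this part is fully allowed
                if rule.subnet_of(part):
                    still.extend(part.address_exclude(rule))  # partly allowed
                else:
                    still.append(part)  # rule does not touch this part
            remaining = still
        if remaining:
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    # Constructed allow-list: only the two single addresses that worked in the question.
    firewall = ["13.74.104.113", "52.138.224.1"]
    for cidr in GATEWAY_SUBNETS:
        print(cidr, "->", subnet_range(cidr))
    for ip in ["52.146.133.130", "52.146.133.131"]:  # addresses seen in the question
        print(ip, "is inside", classify(ip))
    print("Subnets still blocked:", uncovered(firewall))
```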