If you need to connect to an Azure SQL Database from an App Service and are getting a ‘Client with IP address ‘XXX’ is not allowed to access the server.’ error, you need to amend the server firewall settings in one of two ways…
1 – Allow access for ALL Azure resources
Switch on the ‘Allow Azure services and resources to access this server‘ button in the server firewall settings page. This allows all resources in the Azure boundary to access the server (not the DB).
2 – Allow access for certain IPs
Add IP-based rules for the App Service’s outbound IP addresses in the DB server firewall settings page.
Each app has a set number of outbound IPs at any time, and the specific IP is selected randomly at runtime, so you need to grant access to all outbound IP addresses listed. To find the addresses, go to your App Service in the portal and navigate to Settings -> Properties…
According to Microsoft the set of outbound IP addresses for your app changes when you perform one of the following actions:
Delete an app and recreate it in a different resource group (deployment unit may change).
Delete the last app in a resource group and region combination and recreate it (deployment unit may change).
Scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier (IP addresses may be added to or subtracted from the set).
The ‘Outbound IP addresses’ section above shows the current IP addresses based on your current tier, but ‘Additional Outbound IP Addresses’ shows all possible outbound IPs regardless of tier. Therefore, when you’re building your IP whitelist, I recommend using the additional list just in case you change SKU in the future.
Don’t forget to save your changes…
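Option 2 can also be done from the Azure CLI. The script below is an added example, not part of the original post: it reads the full outbound list (the `possibleOutboundIpAddresses` property) and prints one firewall-rule command for each address that has no rule yet, so the plan can be reviewed before anything is applied. The resource group, app and server names, the rule naming scheme and the addresses used to call it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Resource names and addresses
# passed to these functions are placeholders (constructed).

# Full comma-separated list for an app, all tiers included. Needs `az login`.
possible_outbound_ips() {  # usage: possible_outbound_ips <resource-group> <app>
  az webapp show --resource-group "$1" --name "$2" \
    --query possibleOutboundIpAddresses --output tsv
}

# Start addresses of the rules already on the server, one per line.
existing_rule_ips() {  # usage: existing_rule_ips <resource-group> <sql-server>
  az sql server firewall-rule list --resource-group "$1" --server "$2" \
    --query '[].startIpAddress' --output tsv
}

# Print (do not run) one create command per address that has no rule yet.
# usage: plan_rules <resource-group> <sql-server> <app> <ips-csv> <existing-ips>
plan_rules() {
  printf '%s\n' "$4" | tr ',' '\n' | {
    n=0
    while IFS= read -r ip; do
      [ -n "$ip" ] || continue
      # Only well-formed IPv4 addresses may reach a command line.
      if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "skipping invalid entry: $ip" >&2
        continue
      fi
      # Already allowed by a single-address rule: nothing to do.
      if printf '%s\n' "$5" | grep -qxF -- "$ip"; then continue; fi
      n=$((n + 1))
      echo "az sql server firewall-rule create --resource-group $1 --server $2" \
        "--name $3-outbound-$n --start-ip-address $ip --end-ip-address $ip"
    done
  }
}
```

Typical use is `plan_rules RG SERVER APP "$(possible_outbound_ips RG APP)" "$(existing_rule_ips RG SERVER)"`; re-run it after any of the changes listed above that can alter the outbound set.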