Connecting Azure SQL
Connect an Azure SQL Database to FreshGuard for monitoring.
Azure SQL requires a Starter plan or higher. Starter+
Authentication Methods
FreshGuard supports two authentication methods for Azure SQL. Choose based on how your Azure SQL server is configured.
SQL Authentication (default)
Use this when SQL logins are enabled on the server.
| Field | Description | Example |
|---|---|---|
| Server | Azure SQL server name | myserver.database.windows.net |
| Port | Port (default 1433) | 1433 |
| Database | Database name | analytics |
| Username | SQL login name | freshguard_reader |
| Password | Login password | — |
| Encrypt | Require encrypted connection | true |
Entra Service Principal
Use this when your Azure SQL server is in Entra-only mode (SQL authentication disabled). You will need an Entra app registration — see the Azure SQL: Read-Only Login guide for setup instructions.
| Field | Description | Example |
|---|---|---|
| Server | Azure SQL server name | myserver.database.windows.net |
| Port | Port (default 1433) | 1433 |
| Database | Database name | analytics |
| Auth type | Authentication method | Entra Service Principal |
| Tenant ID | Directory (tenant) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client ID | Application (client) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client Secret | Secret value | — |
| Encrypt | Require encrypted connection | true |
Setup Steps
- In the FreshGuard dashboard, go to Sources and click Add Source.
- Select Azure SQL.
- Enter your server name (including
.database.windows.net) and database name. - Select your authentication method and fill in the corresponding credentials.
- Leave Encrypt enabled — Azure SQL requires encrypted connections.
- Click Test Connection to verify access.
- Save.
Info
Azure SQL always requires encrypted connections. The Encrypt setting defaults to true and should not be disabled.
Firewall Configuration
Azure SQL uses a server-level firewall. You must allow FreshGuard’s outgoing IP addresses:
- In your FreshGuard dashboard, go to Settings → Network to find FreshGuard’s current outgoing IPs.
- In the Azure Portal, navigate to your SQL server.
- Go to Networking (under Security).
- Under Firewall rules, add a rule for each IP address.
Common Issues
Connection Refused
- Verify the firewall rules include FreshGuard’s IP addresses.
- Confirm the server name is correct (it must end with
.database.windows.net). - Check that the database is online and not paused (serverless tier may auto-pause).
Authentication Failed
SQL authentication: Ensure the login exists on the server (master database) and a corresponding user has been created in the target database with db_datareader access.
Entra Service Principal: Ensure a contained database user was created with CREATE USER [...] FROM EXTERNAL PROVIDER in the target database. Verify the Tenant ID, Client ID, and Client Secret are correct, and that the client secret has not expired.
Database Paused (Serverless)
If your Azure SQL database uses the serverless compute tier, it may auto-pause after inactivity. FreshGuard will trigger an automatic resume, but the first connection may be slower.
Recommended Setup
Create a dedicated read-only login for FreshGuard. See the Azure SQL: Read-Only Login guide for the exact T-SQL commands.