0

I have a VM running SQL in the cloud. Typically I would set up inbound rules on the SQL ports in Azure and on the VM's firewall, but my clients do not have static IP addresses to use in the rules.

How can I go about securing my VM when I don't know exactly which IPs will be connecting? I can use non-default ports and strong passwords (SQL authentication), but this seems not secure enough.

Should I try to get a CIDR range from each client's ISP?

pkan
  • 3
  • 1

2 Answers

0

This is a pretty good use-case for a bastion host:

https://en.wikipedia.org/wiki/Bastion_host

There are many different implementations, but basically you allow clients to connect in to your bastion host, and from there you only allow connections to your SQL server, or RDP, or SSH, or whatever it is you need.

In this case you would ONLY allow SQL traffic inbound to your DB server, from your bastion host. Then you could control connections inbound to your bastion host however you see fit. This also gives you a single point at which to log connections coming through it. This can be incredibly useful, especially if you are sending your bastion host logs to whatever SIEM you are using.

frontsidebus
  • 536
  • 2
  • 7
0

I think that a good solution will be a P2S VPN, from the Azure VNet to client side.

P2S VPN

About Point-to-Site VPN

Giorgos
  • 186
  • 5
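The lock-down that both answers describe (the SQL port reachable only from the bastion host, or only from the address pool handed to P2S VPN clients), as an added example that is not part of either answer: a small Python model of an Azure NSG-style inbound rule set, evaluated in priority order the way the NSG does, with the "open on a non-default port" rule set beside the hardened one, plus a check that flags any rule still allowing the SQL port from any source. The subnets (10.0.1.0/24 for the bastion subnet, 172.16.0.0/24 for the VPN client pool), the port 14330, and the client addresses are constructed values; the matching logic is a simplified model, not Azure's own implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SQL_PORT = 1433  # default SQL Server listener port


@dataclass(frozen=True)
class NsgRule:
    """One inbound rule, modelled on the fields an Azure NSG rule carries."""
    name: str
    priority: int            # lower number is evaluated first, as in Azure
    access: str              # "Allow" or "Deny"
    source_prefix: str       # CIDR, or "*" for any source
    dest_port: Optional[int] # None means any destination port


def _source_matches(rule: NsgRule, src_ip: str) -> bool:
    if rule.source_prefix == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_prefix)


def evaluate(rules: List[NsgRule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) for the first rule that matches, in priority order.
    Falls back to the implicit deny that Azure applies when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule, src_ip) and rule.dest_port in (None, dest_port):
            return rule.access, rule.name
    return "Deny", "DefaultDenyInbound"


def find_open_sql_rules(rules: List[NsgRule]) -> List[str]:
    """Names of Allow rules that expose the SQL port (or every port) to any source.
    Useful as a quick audit check over an exported rule set."""
    return [
        r.name for r in rules
        if r.access == "Allow" and r.source_prefix == "*"
        and r.dest_port in (None, SQL_PORT, CUSTOM_SQL_PORT)
    ]


# --- constructed "before": SQL on a non-default port, open to the world ---
CUSTOM_SQL_PORT = 14330  # constructed non-default listener port
WEAK_RULES = [
    NsgRule("AllowSqlAnyOnCustomPort", 100, "Allow", "*", CUSTOM_SQL_PORT),
    NsgRule("DenyAllInbound", 4096, "Deny", "*", None),
]

# --- constructed "after": SQL only from the bastion subnet or VPN client pool ---
BASTION_SUBNET = "10.0.1.0/24"     # constructed: subnet holding the bastion host
VPN_CLIENT_POOL = "172.16.0.0/24"  # constructed: P2S VPN client address pool
HARDENED_RULES = [
    NsgRule("AllowSqlFromBastion", 100, "Allow", BASTION_SUBNET, SQL_PORT),
    NsgRule("AllowSqlFromVpnClients", 110, "Allow", VPN_CLIENT_POOL, SQL_PORT),
    NsgRule("DenyAllInbound", 4096, "Deny", "*", None),
]

# Constructed connection attempts: (source IP, destination port, description)
ATTEMPTS = [
    ("10.0.1.4", SQL_PORT, "bastion host to SQL"),
    ("172.16.0.10", SQL_PORT, "VPN client to SQL"),
    ("203.0.113.7", SQL_PORT, "unknown Internet address to SQL"),
    ("203.0.113.7", CUSTOM_SQL_PORT, "unknown Internet address to custom port"),
    ("10.0.1.4", 3389, "bastion host to RDP on the DB server"),
]


def report(rules: List[NsgRule], label: str) -> None:
    print(f"== {label} ==")
    for src, port, what in ATTEMPTS:
        access, name = evaluate(rules, src, port)
        print(f"{what:45s} {src:>13s}:{port:<5d} -> {access} ({name})")
    print("rules exposing SQL to any source:", find_open_sql_rules(rules) or "none")


if __name__ == "__main__":
    report(WEAK_RULES, "non-default port, open to any source")
    report(HARDENED_RULES, "bastion / VPN sources only")
```

Running the script shows the point the answers make: with the weak rule set, an arbitrary Internet address still reaches the listener on the custom port (obscuring the port is not a source restriction), while the hardened set admits only the bastion subnet and the VPN client pool on 1433 and denies everything else, including other services on the DB server. The `find_open_sql_rules` check is the kind of audit you would run over an exported rule list to catch a rule that quietly reopens the port.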