Import database bacpac firewall issue

Question

We have a sql server firewall setup with no IP access and "Allow Azure Services" flag also set to off.

I understand this means no azure services and no external clients will be able to access the sql server and database.

however, when i try Import Database option on sql server, with bacpac stored in azure storage, we get a strange error of an IP that needs to be given access in sql server firewall. The error reads.

 Client with IP address 65.52.129.125 is not allowed to access the server.  

While our azure infra is in West Europe, there is no mention of what this IP belongs to and what is the purpose of it.

The same error of course also occurs from Infra as a code approach and CI-CD Pipelines. and I think adding an IP without any information is risky.

Has anyone faced this before? or if anyone knows , what is azure database import using underneath for which this IP needs access and will it always be the same?

Answer 1

65.52.129.0 - 65.52.129.255 is an IP address range owned by Microsoft Corporation and located in Netherlands.

Please read the following explanation about why you should enable Azure Services access on the firewall at least while doing export/import operations. When you finish import/export operations, then disable Azure Services access.

"The IP address space used for outbound connections from the Import/Export Service infrastructure to the target logical server is not documented, and is subject to change at any time. Therefore, given that connections to the target Azure SQL Database server are gated by server firewall, the only fully reliable way to ensure that the Import/Export service will be able to connect is to enable the firewall rule that allows access from all Azure services (or, equivalently, from the 0.0.0.0 IP address). Obviously, opening the firewall to a large IP address space is a network security risk. Security conscious organizations will want to mitigate this risk by disabling this firewall rule as soon as the import operation completes successfully..." Source is here.