Restrict the IP address range to a subset rather than the full region when using the redirect policy
In the documentation (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-connectivity-architecture#connection-policy) it states that when using the redirect policy, "clients must allow outbound firewall rules to all Azure IP addresses in the region (using Network Security Groups (NSG) with service tags) for ports 11000-11999, not just the Azure SQL Database gateway IP addresses on port 1433". Customer wants to reduce this from all IP addresses in the region to a smaller subset.
Andrew Falk commented
My observation is only the 1433 port needs to be allowed to the entire region. The high ports are focused to the Sql.Region tags. But this was an isolated test in the SouthCentral region and not conclusive. In any case this should be an easy fix by just updating the ranges in the service tags.
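As an added example (not code from this feedback page or from Microsoft), here is a Bicep NSG that scopes both the 1433 gateway rule and the 11000-11999 redirect rule to the regional Sql service tag instead of every Azure address in the region, along the lines of the observation above. The region, the tag name Sql.SouthCentralUS and all resource and rule names are assumptions; whether the regional tag alone is sufficient for redirect connections should be confirmed against the current connectivity documentation before relying on it.

```bicep
// Added example, not from the feedback page or from Microsoft.
// Assumed: region South Central US, its regional service tag
// 'Sql.SouthCentralUS', and every resource/rule name below.
param location string = 'southcentralus'
param sqlTag string = 'Sql.SouthCentralUS'

// One allow rule per port range, both scoped to the regional Sql tag
// rather than to every Azure address in the region.
var allowPorts = [
  { name: 'allow-sql-gateway-1433', priority: 100, ports: '1433' }
  { name: 'allow-sql-redirect-high', priority: 110, ports: '11000-11999' }
]
var allowRules = [for p in allowPorts: {
  name: p.name
  properties: {
    priority: p.priority
    direction: 'Outbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: 'VirtualNetwork'
    sourcePortRange: '*'
    destinationAddressPrefix: sqlTag
    destinationPortRange: p.ports
  }
}]

// The built-in AllowInternetOutBound rule would otherwise still let these
// ports reach any public address, so deny them explicitly at lower priority.
var denyRule = {
  name: 'deny-sql-ports-elsewhere'
  properties: {
    priority: 200
    direction: 'Outbound'
    access: 'Deny'
    protocol: 'Tcp'
    sourceAddressPrefix: 'VirtualNetwork'
    sourcePortRange: '*'
    destinationAddressPrefix: 'Internet'
    destinationPortRanges: ['1433', '11000-11999']
  }
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-sql-redirect-clients'
  location: location
  properties: {
    securityRules: concat(allowRules, [denyRule])
  }
}
```

After deployment, a failed connection on a port in 11000-11999 that shows up in NSG flow logs as denied by deny-sql-ports-elsewhere indicates a redirect target outside the tag's ranges, which is exactly the case this request asks to narrow.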