Network security group to allow inbound 1433 connections not working as expected in SQL Virtual Machine

Question

Network security group to allow inbound 1433 connections not working as expected in SQL Virtual Machine

Cameron Collver 20

Hi all,

I'm using the following to deploy a SQL Server virtual machine. This machine allows mixed type authentication and allows external connections.

imageReference {
	publisher: 'microsoftsqlserver'
	offer: 'sql2022-ws2022'
	sku: 'standard-gen2'
	version: 'latest'
}

I have another machine in the same subnet that hosts a .NET 4.8 application that is attempting to connect to this database. However, I'm unable to connect. I've tried the following security group on the SQL VM, but this does not seem to open up anything.

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'sql-access-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowSQL'         
		properties: {          
			description: 'Allow SQL Server access'           
			protocol: 'Tcp'
        	sourcePortRange: '*'         
			destinationPortRange: '1433'           
			sourceAddressPrefix: '10.0.0.5'
          	destinationAddressPrefix: '10.0.0.4'
          	access: 'Allow'
          	priority: 100
          	direction: 'Inbound'
        }
      }
    ]
  }
}

The only thing that confirms the fact that I'm able to connect to the SQL VM is adding a network firewall rule to open up all traffic on 1443.

New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow

What's funny is that I can connect over 80/443 on this SQL VM just fine even without a NSG defined.

Both of these VMs are on a peered VPN network, but using netstat -an on the SQL machine I can see that the incoming connection after enabling the above firewall rule shows as 10.0.0.5. The connecting machine also has a public IP which has its own NSG applied to allow HTTP/HTTPS and that works as expected.

Maybe I'm missing some documentation here, or things are a bit more strict in these SQL VMs. Any guidance is appreciated.

Thanks!

Saraswathi Devadula 11,325 Reputation points Microsoft External Staff Moderator

2025-08-11T04:47:39.2166667+00:00

Hello Cameron Collver

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Accepted answer

0 additional answers

Your answer

Saraswathi Devadula 11,325 Reputation points Microsoft External Staff Moderator

2025-08-11T04:47:39.2166667+00:00

Hello Cameron Collver

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hi Cameron,

By default, since both VMs are in same subnet you do not need NSG for them to communicate. On the SQL Server VM, you need to allow incoming TCP 1433 on the Windows firewall, which you can do with New-NetFirewallRule.

As a general concept, it helps to think there are usually firewalls at different points and layers between resources. In the case of the Virtual Network, the default NSG rules permit the traffic between VMs, so unless you changed that you are okay there. Next is the target VM itself, which has its own firewall (Windows Defender Firewall with Advanced Security), which needs to allow the connection from the .NET app VM.

Of course the above is simplified explanation. Does the above answer your questions/concerns?

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Share via

Network security group to allow inbound 1433 connections not working as expected in SQL Virtual Machine

0 additional answers

Your answer