SQL connection policy controls how a client’s network traffic reaches Azure SQL Database after it connects to the gateway. Proxy keeps traffic flowing through the Azure SQL gateway. Redirect uses the gateway to establish the session, then sends traffic directly to the database cluster. Default chooses behavior based on where the client originates. The setting matters because it changes latency, throughput, and firewall requirements. It is not a login setting and does not replace firewall rules, private endpoints, or connection strings. It is a routing choice for database connectivity.
Microsoft Learn explains that Azure SQL Database connection policy determines whether client traffic is proxied through the gateway or redirected to the database cluster after connection. Default behavior uses Redirect for clients inside Azure and Proxy for clients outside Azure, while Redirect is recommended for lower latency and higher throughput.
In Azure architecture, SQL connection policy sits in the connectivity path for Azure SQL Database logical servers. Clients reach the public gateway on port 1433, and the effective policy determines whether subsequent traffic stays proxied through the gateway or redirects to the database cluster. The setting is managed on the logical server, not on each database. It interacts with client location, outbound firewall rules, service tags, private networking design, connection retries, application drivers, and network diagnostics. Azure CLI exposes direct show and update commands for connection policy.
Why it matters
SQL connection policy matters because a database can be healthy while applications still suffer from avoidable network latency or blocked outbound traffic. Redirect usually gives lower latency and higher throughput, especially for clients running in Azure, but it can fail if corporate firewalls or network rules allow only the gateway path. Proxy may be simpler for locked-down external clients but can add gateway hops. Choosing the wrong policy creates symptoms that look like database slowness, driver bugs, or intermittent login failures. Good operators treat connection policy as part of application architecture, test it from real client locations, and document firewall expectations before changing production.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
The Azure SQL logical server Networking or Connectivity settings show whether connection policy is Default, Proxy, or Redirect for that server. during production networking reviews.
Signal 02
Azure CLI conn-policy output displays the configured connection type, making it useful evidence during latency investigations, network reviews, and deployment drift checks. across environments and releases.
Signal 03
Application driver logs, packet captures, Network Watcher tests, and firewall records reveal whether clients are staying on the gateway path or being redirected after login.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Reduce latency for Azure-hosted applications by using Redirect when outbound network rules support the direct cluster path.
Keep external corporate clients on Proxy when their firewall model only permits gateway-based Azure SQL traffic.
Diagnose intermittent connection failures after a network change by checking whether Redirect traffic is being blocked.
Standardize connection policy for new logical servers so deployment environments do not drift silently.
Prove whether an application performance issue is network routing related before increasing database capacity.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Case study 01
Fintech API removes gateway latency from payment checks
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A fintech API running on Azure App Service queried Azure SQL for payment-risk scores. The database had spare CPU, but p95 API latency kept breaching the partner SLA.
🎯Business/Technical Objectives
Lower p95 payment-check latency without increasing database capacity.
Prove whether traffic routing, not SQL CPU, caused the slowdown.
Keep the network change reversible during the settlement window.
Document policy and firewall requirements for future servers.
✅Solution Using SQL connection policy
The platform team inspected the SQL connection policy with Azure CLI and confirmed the server was using Proxy for a workload hosted inside Azure. Network engineers validated that App Service outbound paths and corporate controls could support Redirect. During a scheduled window, the team changed the logical server to Redirect, recycled application connection pools, and ran payment-check tests from the real App Service plan. Azure Monitor metrics confirmed the database had not changed service objectives, while application telemetry compared p95 and p99 latency before and after the policy update. A rollback command to Proxy was prepared but not needed.
📈Results & Business Impact
Payment-check p95 latency fell from 420 milliseconds to 260 milliseconds.
The team avoided a planned database scale-up that would have increased monthly cost by 22 percent.
Connection-policy evidence was added to the standard SQL server deployment checklist.
No settlement-window errors occurred after connection pools were recycled.
💡Key Takeaway for Glossary Readers
SQL connection policy can solve a real performance problem when the workload runs inside Azure and the network is ready for Redirect.
Case study 02
Architecture studio keeps partner workstations connected
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
An architecture studio gave outside design partners access to project databases. After a server template changed to Redirect, several partner offices could no longer connect through locked-down firewalls.
🎯Business/Technical Objectives
Restore partner access without weakening database authentication.
Identify which offices could not allow redirected traffic.
Avoid changing application connection strings for every partner.
Create a template exception for externally accessed SQL servers.
✅Solution Using SQL connection policy
Operations used Azure CLI to show that the affected logical server had Redirect configured. Network logs from partner offices showed that only gateway traffic on port 1433 was permitted. Because the workload was low volume and mostly external, the team updated the server to Proxy during a controlled support window. Firewall rules and Microsoft Entra authentication remained unchanged, so the fix stayed focused on routing behavior. The team then split server templates: internal analytics servers kept Redirect, while partner-facing project databases used Proxy unless partner network testing proved Redirect was supported. A connection test was added to onboarding for new design partners.
📈Results & Business Impact
Partner connection success returned from 68 percent to 99 percent by the next business day.
Help desk tickets about database connectivity dropped from 37 in one week to 3 the next week.
No broad firewall exception was created for partner offices.
Future server deployments now require a documented client-location classification.
💡Key Takeaway for Glossary Readers
Proxy can be the right connection policy when external clients have restrictive firewalls and throughput needs are modest.
Case study 03
Energy analytics team stops chasing false database bottlenecks
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
An energy analytics team ran forecasting jobs from Azure VMs to Azure SQL. Jobs sometimes exceeded the nightly window, and DBAs were blamed for slow queries despite low database utilization.
🎯Business/Technical Objectives
Separate network routing latency from database engine performance.
Reduce nightly forecast runtime before the market-opening deadline.
Standardize policy for analytics servers created by infrastructure code.
Give operations a repeatable test for future regions.
✅Solution Using SQL connection policy
The team compared connection policy, VM region, firewall rules, and SQL metrics across the forecasting environments. Azure CLI showed that older servers used Default while a newly created server had been pinned to Proxy by a copied template. Network Watcher tests and application telemetry showed higher round-trip time on the proxied path. The team changed the analytics logical servers to Redirect, confirmed outbound rules, and updated the infrastructure template. They also added a pipeline check that runs az sql server conn-policy show after server creation and fails deployments when the policy does not match the workload classification.
📈Results & Business Impact
Nightly forecast runtime dropped from 5.8 hours to 4.1 hours without changing SQL SKU.
Two planned performance-tuning sprints were redirected to higher-value query improvements.
New analytics servers now pass a connection-policy validation gate before release.
Incident reviews stopped treating every long batch as a database CPU problem.
💡Key Takeaway for Glossary Readers
Connection policy belongs in infrastructure standards because routing drift can masquerade as SQL performance trouble.
Why use Azure CLI for this?
With ten years of Azure work behind me, I prefer Azure CLI for connection policy because it is a real server setting that needs repeatable proof. Portal clicks are fine once, but CLI can show the current policy, change it during an approved window, export evidence, and test connectivity from representative Azure resources. That is critical when network, database, and application teams disagree about whether latency is caused by SQL, the gateway, or a firewall. CLI also lets a pipeline validate that a newly created logical server uses the expected policy before apps depend on it. The command output is simple, scriptable, and much harder to misread than screenshots.
CLI use cases
Show the current SQL server connection policy during a connectivity or latency incident.
Update the policy to Default, Proxy, or Redirect during an approved network change window.
Export connection policy across servers to find drift between dev, staging, and production.
List firewall rules and server metadata before deciding whether Redirect can work safely.
Run Network Watcher connectivity tests from an Azure VM or subnet used by the application.
Before you run CLI
Confirm tenant, subscription, resource group, logical server, region, and the client locations affected by the policy.
Coordinate with network owners before switching to Redirect because outbound rules may need to allow the redirected path.
Treat policy updates as production-impacting for applications with active connection pools or strict firewalls.
Capture the current policy and a rollback command before making the change.
Use JSON output for evidence and test from real clients, not only from your workstation.
What output tells you
The connection type shows whether the server is configured for Default, Proxy, or Redirect behavior.
Server metadata confirms the policy belongs to the intended logical server, resource group, and subscription.
Firewall-rule output shows whether server-level ingress is allowed, but it does not prove Redirect egress is open.
Network test output helps distinguish port reachability problems from SQL authentication or database engine issues.
Timestamps and scripted exports provide evidence for change review, rollback, and post-incident analysis.
Mapped Azure CLI commands
Azure SQL connection policy operations
direct-network-operations
az sql server conn-policy show --server <server> --resource-group <resource-group>
az sql server conn-policydiscoverDatabases
az sql server conn-policy update --server <server> --resource-group <resource-group> --connection-type Redirect
az sql server conn-policyconfigureDatabases
az sql server conn-policy update --server <server> --resource-group <resource-group> --connection-type Proxy
az sql server conn-policyconfigureDatabases
az sql server firewall-rule list --server <server> --resource-group <resource-group>
az sql server firewall-rulediscoverDatabases
az network watcher test-connectivity --source-resource <vm-resource-id> --dest-address <server>.database.windows.net --dest-port 1433
az network watcherdiscoverDatabases
Architecture context
Architecturally, SQL connection policy belongs in the network and data-platform boundary. I decide it after mapping where clients run: App Service, AKS, VMs, on-premises networks, partner networks, or developer laptops. Redirect is usually preferred for Azure-hosted clients because it removes the gateway from the steady-state traffic path, but it requires outbound connectivity to the redirected destination range. Proxy can be safer for restrictive external networks that only allow traffic through the gateway. The design should include driver behavior, retry settings, firewall rules, private endpoint strategy, and test paths from every major client segment. Never change it blind during an incident.
Security
Security impact is direct at the network-exposure layer, although connection policy does not authenticate users by itself. Redirect and Proxy change where traffic must be allowed, which affects firewall, egress control, and monitoring design. A relaxed outbound rule created to make Redirect work can expand attack surface if it is not scoped carefully. Private endpoints, server firewalls, Microsoft Entra authentication, and least privilege still matter. Operators should review who can update the connection policy, alert on changes, and document why a server uses Proxy, Redirect, or Default. Network teams need the policy value so they can inspect or restrict the right path.
Cost
Cost impact is indirect. Connection policy itself is not a billed SKU, but poor routing can create operational cost through slower applications, longer batch windows, unnecessary database scale-up, and network troubleshooting hours. Redirect can improve throughput and latency enough to delay capacity purchases for some workloads. Proxy may be acceptable for low-volume external clients but expensive in human time if teams mistake gateway-latency symptoms for database CPU pressure. There may also be network appliance or firewall costs when organizations inspect or allow redirected traffic. FinOps reviews should compare application latency and database scale decisions with the chosen policy and actual client paths.
Reliability
Reliability impact is direct because an unsupported policy/network combination can break connections even when Azure SQL is available. Redirect may improve normal performance, but clients behind strict firewalls can fail after the gateway hands off traffic. Proxy can reduce network surprises for external clients but may become a throughput or latency bottleneck for high-volume applications. Reliable operations require testing from actual client locations, using connection retries, monitoring failed connections, and recording the policy in runbooks. Before failover, migration, or new server creation, validate that the expected policy and outbound rules travel with the design. Do not rely on assumptions from a different environment.
Performance
Performance impact is direct. Microsoft recommends Redirect for the lowest latency and highest throughput because traffic can bypass the gateway after the initial connection. Proxy keeps packets flowing through the gateway, which can add latency and affect throughput for chatty or high-volume applications. The best answer still depends on client location and network rules. Test with the actual application driver, connection pooling, retry behavior, and representative concurrency. Measure p95 or p99 request time, not only a single connection test. If Redirect is blocked by egress controls, performance becomes irrelevant because connections may fail before users see any improvement. Measure under realistic load.
Operations
Operators manage SQL connection policy by showing the current server setting, coordinating firewall or egress changes, testing from representative clients, and documenting whether Default, Proxy, or Redirect is expected. Troubleshooting often begins with separating authentication errors from network routing errors. Teams use CLI output, connection tests, driver logs, and database metrics to decide whether failures happen before login, at gateway handoff, or during steady-state traffic. A change should include a rollback command and a known application test, not just a portal save. In regulated environments, connection policy changes should be tracked like any other production network change. Review drift across all environments.
Common mistakes
Switching to Redirect without confirming outbound firewall rules from every real client segment.
Assuming connection policy fixes login failures caused by credentials, firewall rules, or private endpoint DNS.
Changing the policy during an incident without a rollback command and an application-level test.
Using developer laptop tests to represent App Service, AKS, VM, and on-premises client behavior.
Treating Default as obvious instead of documenting whether the effective path is Proxy or Redirect for each client.