MicrosoftDocs
diff --git a/‎articles/sql-database/media/sql-database-get-started-portal/manage-connectivity-settings.png
95.8 KB b/‎articles/sql-database/media/sql-database-get-started-portal/manage-connectivity-settings.png
95.8 KB
diff --git a/‎articles/sql-database/sql-database-connectivity-settings.md
Lines changed: 67 additions & 5 deletions b/‎articles/sql-database/sql-database-connectivity-settings.md
Lines changed: 67 additions & 5 deletions
@@ -13,7 +13,7 @@ ms.date: 03/09/2020
 
 # Azure SQL Connectivity Settings
 > [!NOTE]
-> This article applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.
+> This article applies to the logical SQL server in Azure used for both Azure SQL Database and SQL Data Warehouse databases that are created on the logical server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.
 
 > [!IMPORTANT]
 > This article does *not* apply to **Azure SQL Database Managed Instance**
@@ -23,22 +23,26 @@ This article introduces settings that control connectivity to Azure SQL Database
 > [!NOTE]
 > Once these settings are applied, they **take effect immediately** and may result in connection loss for your clients if they do not meet the requirements for each setting.
 
-The connectivity settings are accessible from the **Firewalls and virtual networks** blade as shown in the screenshot below:
+The connectivity settings are accessible from the **Firewalls and virtual networks** screen as shown in the following screenshot:
 
  ![Screenshot of connectivity settings][1]
 
 
 ## Deny public network access
-In the Azure portal, when the **Deny public network access** setting is set to **Yes**, only connections via private endpoints are allowed. When this setting is set to **No**, clients can connect using the private or public endpoint.
 
-After setting **Deny public network access** to **Yes**, login attempts from clients using public endpoint will fail with the following error:
+Customers can connect to SQL Database using  public endpoints (IP-based firewall rules, VNET based firewall rules) or private endpoints (using Private Link) as outlined in the [network access overview](sql-database-networkaccess-overview.md). 
+
+When **Deny public network access** setting is set to **Yes**, only connections via private endpoints are allowed and all connections via public endpoints are denied with an error message similar to:  
 
 ```output
 Error 47073
-An instance-specific error occurred while establishing a connection to SQL Server. The public network interface on this server is not accessible. To connect to this server, use the Private Endpoint from inside your virtual network.
+An instance-specific error occurred while establishing a connection to SQL Server. 
+The public network interface on this server is not accessible. 
+To connect to this server, use the Private Endpoint from inside your virtual network.
 ```
 
 ## Change Public Network Access via PowerShell
+
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 > [!IMPORTANT]
 > The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see [AzureRM.Sql](https://docs.microsoft.com/powershell/module/AzureRM.Sql/). The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the [Azure PowerShell module](/powershell/azure/install-az-ps).
@@ -56,10 +60,12 @@ Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group
 ```
 
 ## Change Public Network Access via CLI
+
 > [!IMPORTANT]
 > All scripts in this section requires [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
 
 ### Azure CLI in a bash shell
+
 The following CLI script shows how to change the **Public Network Access** in a bash shell:
 
 ```azurecli-interactive
@@ -72,11 +78,64 @@ az sql server update -n sql-server-name -g sql-server-group --set publicNetworkA
 
 ```
 
+## Minimal TLS Version 
+
+The Minimal [Transport Layer Security (TLS)](https://support.microsoft.com/help/3135244/tls-1-2-support-for-microsoft-sql-server) Version setting allows customers to control the version of TLS used by their Azure SQL Database.
+
+At present we support TLS 1.0, 1.1 and 1.2. Setting a Minimal TLS Version ensures that subsequent, newer TLS versions are supported. For example,  e.g.,  choosing  a TLS version greater than 1.1. means only connections with TLS 1.1 and 1.2 are accepted and TLS 1.0 is rejected. After testing to confirm your applications supports the it, we recommend setting minimal TLS version to 1.2 since it includes fixes for vulnerabilities found in previous versions and is the highest version of TLS supported in Azure SQL Database.
+
+For customers with applications that rely on older versions of TLS, we recommend setting the Minimal TLS Version per the requirements of your applications. For customers that rely on applications to connect using an unencrypted connection, we recommend not setting any Minimal TLS Version. 
+
+For more information, see [TLS considerations for SQL Database connectivity](sql-database-connect-query.md#tls-considerations-for-sql-database-connectivity).
+
+After setting the Minimal TLS Version, login attempts from clients that are using a TLS version lower than the Minimal TLS Version of the server will fail with following error:
+
+```output
+Error 47072
+Login failed with invalid TLS version
+```
+
+## Set minimal TLS version via PowerShell
+
+[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
+> [!IMPORTANT]
+> The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see [AzureRM.Sql](https://docs.microsoft.com/powershell/module/AzureRM.Sql/). The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the [Azure PowerShell module](/powershell/azure/install-az-ps).
+
+The following PowerShell script shows how to `Get` and `Set` the **Minimal TLS Version** property at the logical server level:
+
+```powershell
+#Get the Public Network Access property
+(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).PublicNetworkAccess
+
+# Update Public Network Access to Disabled
+$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force
+
+Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString  -MinimalTlsVersion "1.2"
+```
+
+## Set Minimal TLS Version via Azure CLI
+
+> [!IMPORTANT]
+> All scripts in this section requires [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
+
+### Azure CLI in a bash shell
+
+The following CLI script shows how to change the **Minimal TLS Version** setting in a bash shell:
+
+```azurecli-interactive
+# Get current setting for Minimal TLS Version
+az sql server show -n sql-server-name -g sql-server-group --query "minimalTlsVersion"
+
+# Update setting for Minimal TLS Version
+az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion="1.2"
+```
 
 ## Connection policy
+
 [Connection policy](sql-database-connectivity-architecture.md#connection-policy) determines how clients connect to Azure SQL Server. 
 
 ## Change Connection policy via PowerShell
+
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 > [!IMPORTANT]
 > The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see [AzureRM.Sql](https://docs.microsoft.com/powershell/module/AzureRM.Sql/). The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the [Azure PowerShell module](/powershell/azure/install-az-ps).
@@ -98,6 +157,7 @@ Set-AzResource -ResourceId $id -Properties @{"connectionType" = "Proxy"} -f
 ```
 
 ## Change Connection policy via Azure CLI
+
 > [!IMPORTANT]
 > All scripts in this section requires [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
 
@@ -119,6 +179,7 @@ az resource update --ids $ids --set properties.connectionType=Proxy
 ```
 
 ### Azure CLI from a Windows command prompt
+
 The following CLI script shows how to change the connection policy from a Windows command prompt (with Azure CLI installed).
 
 ```azurecli
@@ -133,6 +194,7 @@ az resource update --ids %sqlserverid% --set properties.connectionType=Proxy
 ```
 
 ## Next steps
+
 - For an overview of how connectivity works in Azure SQL Database, refer to [Azure SQL Connectivity Architecture](sql-database-connectivity-architecture.md)
 - For information on how to change the Azure SQL Database connection policy for an Azure SQL Database server, see [conn-policy](https://docs.microsoft.com/cli/azure/sql/server/conn-policy).