Lesson Learned #125: Azure Storage Firewall and BCP

This post has been republished via RSS; it originally appeared at: Azure Database Support Blog articles.

Some customers have asked whether they can enable the firewall on the Azure Storage Account that they use to import data with BCP.

In this article we explain how to do it.


First of all, we need to know the advantages and disadvantages of enabling the Azure Storage Account firewall:

  • If we run the BCP command from a Virtual Machine, we get an Access Denied error message, even if we check "Allow trusted Microsoft services to access this storage account" or add the IP to the public firewall.

What is the solution:


  • Add this storage account to the VNET of the Virtual Machine and BCP will work.
  • If you run the BCP command from on-premises, you need to add the IP to the firewall exceptions and BCP will work.

How to configure:


  • For the best performance, my suggestion is to run BCP from a machine running in Azure.
  • Create an Azure Storage Account with the File Share option enabled.
  • Enable the Azure Storage Account firewall, adding the VNET/subnet of this Azure Virtual Machine.
  • Mount the file share, either on-premises or in your Azure Virtual Machine, by running the following command:
    • net use drivename: \\myfileshare.file.core.windows.net\mybcpfiles /u:Azure\myfileshare PrimaryKeyValue
  • From this point on, we can run the BCP command using this drive name with the Azure Storage firewall enabled.
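
The steps above, scripted with the Az PowerShell module as an added example (not code from the original post). The resource group, VNET, subnet, drive letter, SQL server, database, table, user and data file names are placeholders, and the script reads the storage key at run time instead of typing it on the net use command line, where it would end up in shell history.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
$rg = 'my-rg'; $vnetName = 'my-vnet'; $subnetName = 'my-subnet'
$account = 'myfileshare'; $share = 'mybcpfiles'; $drive = 'Z'

# The subnet must expose the Microsoft.Storage service endpoint before the
# storage firewall will accept it as a virtual network rule.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
if ($subnet.ServiceEndpoints.Service -notcontains 'Microsoft.Storage') {
    throw "Enable the Microsoft.Storage service endpoint on $subnetName first."
}

# Allow the VM's subnet first, then switch the default action to Deny, so the
# VM does not lose access in between.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
# On-premises client instead: add its public IP (placeholder address shown).
# Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange '203.0.113.10'
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny | Out-Null

# Confirm the firewall state before relying on it.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($rules.DefaultAction -ne 'Deny') { throw 'Storage firewall is not enforcing Deny.' }
$rules.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, State

# SMB to Azure Files uses TCP 445; fail early if it is blocked.
$fqdn = "$account.file.core.windows.net"
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is not reachable."
}

# Fetch the key at run time and hand it over as a credential object.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$cred = [pscredential]::new("Azure\$account", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name $drive -PSProvider FileSystem -Root "\\$fqdn\$share" `
    -Credential $cred -Persist -Scope Global | Out-Null

# Import from the mounted share. bcp prompts for the password when -P is omitted.
bcp dbo.MyTable in "${drive}:\mydata.dat" -S myserver.database.windows.net -d mydb -U myuser -c
```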



