Documentation
Start typing to search…

SQL Server

Configuring your SQL Server destination.

Prerequisites

  • If your SQL Server database is protected by security groups or other firewall settings, you will need the data syncing service's static IP available to complete Step 1.
  • Confirm that your SQL Server database is configured to allow TCP/IP connections.
📘

Network allowlisting

Cloud Hosted (US): 35.192.85.117/32

Cloud Hosted (EU): 104.199.49.149/32

If private-cloud or self-hosted, contact support for the static egress IP.

Step 1: Allow access

Create a rule in a security group or firewall settings to whitelist:

  • incoming connections to your host and port (usually 1433) from the static IP.
  • outgoing connections from ports 1024 to 65535 to the static IP.
📘

Optional: SSH tunneling

If your database is not accessible from the public internet, SSH tunneling through a bastion host is supported. Allow inbound SSH (port 22) from the static egress IP on the bastion host, create an SSH user with the service's public key in ~/.ssh/authorized_keys (contact support for the key), and grant the bastion host's IP access to the database port in place of the static egress IP. Provide the bastion host address, port, and username in the destination configuration.

Step 2: Create writer user

Create a database user to perform the writing of the source data.

  1. Open a connection to your SQL Server database.
  2. Create a user for the data transfer by executing the following SQL command. The <database> should be the target destination database.
USE <database>;
CREATE LOGIN <username> WITH PASSWORD = '<password>';
CREATE USER <username> FOR LOGIN <username>;
  1. Grant user CREATE TABLE privileges on the database.
GRANT CREATE TABLE TO <username>;
🚧

Understanding the CREATE TABLE permission in SQL Server

The CREATE TABLE permission is a database level permission that allows for the creation of new tables in a given database. The user must also have the ALTER permission granted on a given schema in order to create new tables in that schema (see the next step for details).

  1. Grant user CREATE SCHEMA privileges on the database if the schema does not exist.
GRANT CREATE SCHEMA TO <username>;
🚧

If the SCHEMA already exists

By default, the service creates a new schema based on the destination configuration. If you prefer to create the schema yourself before connecting the destination, you must ensure that the writer user has the proper permissions on the schema, using:

GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON SCHEMA :: <schema> TO <username>;

If the SCHEMA already exists, the user does not need the GRANT CREATE SCHEMA permission.

Step 3: Add your destination

Use the following details to complete the connection setup: host name, database name, port, your chosen schema name, username, and password.

🚧

Credential character limitations

For user credentials containing special characters, please avoid using the following characters: @, [, ], /, ?, #, ", \\, +, space, &, : as these characters can break connection string parsing.

Permissions checklist

  • Network:
    • Inbound rule allows TCP 1433 from the static egress IP
    • Outbound rule allows ephemeral ports 1024-65535 to the static egress IP
  • SQL Server:
    • CREATE TABLE on the target database
    • If schema is created by the service: CREATE SCHEMA on the database
    • If schema is pre-created: SELECT, INSERT, UPDATE, DELETE, ALTER on the target schema
    • TCP/IP connections are enabled
  • Optional:
    • If connecting via SSH tunnel: bastion host allows inbound SSH from static egress IP, SSH user created with service public key, bastion IP granted access to database port

FAQ

Q: How is the SQL Server connection secured?

A: The connection uses a dedicated, least-privileged SQL login scoped to the destination database and schema. Network access can be restricted to the static egress IP. For databases not accessible from the public internet, SSH tunneling through a bastion host is supported.

Q: Which special characters should I avoid in credentials?

A: Avoid these characters in usernames and passwords because they can break connection string parsing: @, [, ], /, ?, #, ", \\, +, space, &, :.

Q: Which SQL Server flavors are supported?

A: Generic on-premises SQL Server, Azure SQL Database, and Azure Synapse are supported. For Azure dedicated SQL pools, we recommend using the Azure Blob Storage destination type and loading from Azure Data Lake Storage Gen2.

Updated about 2 hours ago