> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prequel.co/llms.txt
> Use this file to discover all available pages before exploring further.

# SQL Server

> Configuring your SQL Server destination.

## Prerequisites

* If your SQL Server database is protected by security groups or other firewall settings, you will need our static IP available to complete Step 1.
* Confirm that your SQL Server database is configured to allow TCP/IP connections.

<Note>
  **Network allowlisting**

  Cloud Hosted (US): `35.192.85.117/32`

  Cloud Hosted (EU): `104.199.49.149/32`

  If private-cloud or self-hosted, contact support for the static egress IP.
</Note>

<Steps>
  <Step title="Allow access">
    Create a rule in a security group or firewall settings to whitelist:

    * incoming connections to your host and port (usually `1433`) from the static IP.
    * outgoing connections from ports `1024` to `65535` to the static IP.
  </Step>

  <Step title="Create writer user">
    Create a database user to perform the writing of the source data.

    1. Open a connection to your SQL Server database.
    2. Create a user for the data transfer by executing the following SQL command. The `<database>` should be the target destination database.

    ```sql title="Create writer user" icon="database" expandable theme={null}
    USE <database>;
    CREATE LOGIN <username> WITH PASSWORD = '<password>';
    CREATE USER <username> FOR LOGIN <username>;
    ```

    3. Grant user `CREATE TABLE` privileges on the database.

    ```sql title="Grant CREATE TABLE" icon="database" theme={null}
    GRANT CREATE TABLE TO <username>;
    ```

    <Warning>
      **Understanding the `CREATE TABLE` permission in SQL Server**

      The `CREATE TABLE` permission is a database level permission that allows for the creation of new tables in a given database. The user must also have the `ALTER` permission granted on a given schema in order to create new tables in that schema (see the next step for details).
    </Warning>

    4. Grant user `CREATE SCHEMA` privileges on the database *if the schema does not exist*.

    ```sql title="Grant CREATE SCHEMA" icon="database" theme={null}
    GRANT CREATE SCHEMA TO <username>;
    ```

    <Warning>
      **If the `SCHEMA` already exists**

      By default, the service creates a new schema based on the destination configuration. If you prefer to create the schema yourself before connecting the destination, you must ensure that the writer user has the proper permissions on the schema, using:

      ```sql title="Grant schema privileges" icon="database" theme={null}
      GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON SCHEMA :: <schema> TO <username>;
      ```

      If the `SCHEMA` already exists, the user does not need the `GRANT CREATE SCHEMA` permission.
    </Warning>
  </Step>

  <Step title="Add your destination">
    Use the following details to complete the connection setup: **host name**, **database name**, **port**, your chosen **schema name**, **username**, and **password**.

    <Warning>
      **Credential character limitations**

      For user credentials containing special characters, please avoid using the following characters: `@`, `[`, `]`, `/`, `?`, `#`, `"`, `\\`, `+`, space, `&`, `:`, `;`, `%`, `=` as these characters can break connection string parsing.
    </Warning>
  </Step>
</Steps>

## Permissions checklist

* Network:
  * Inbound rule allows TCP `1433` from the static egress IP
  * Outbound rule allows ephemeral ports `1024-65535` to the static egress IP
* SQL Server:
  * `CREATE TABLE` on the target database
  * If schema is created by the service: `CREATE SCHEMA` on the database
  * If schema is pre-created: `SELECT, INSERT, UPDATE, DELETE, ALTER` on the target schema
  * TCP/IP connections are enabled
* Optional:
  * If connecting via SSH tunnel: bastion host allows inbound SSH from static egress IP, SSH user created with service public key, bastion IP granted access to database port

## FAQ

<AccordionGroup>
  <Accordion title="How is the SQL Server connection secured?">
    The connection uses a dedicated, least-privileged SQL login scoped to the destination database and schema. Network access can be restricted to the static egress IP. For databases not accessible from the public internet, SSH tunneling through a bastion host is supported.
  </Accordion>

  <Accordion title="Which special characters should I avoid in credentials?">
    Avoid these characters in usernames and passwords because they can break connection string parsing: `@`, `[`, `]`, `/`, `?`, `#`, `"`, `\\`, `+`, space, `&`, `:`, `;`, `%`, `=`.
  </Accordion>

  <Accordion title="Which SQL Server flavors are supported?">
    Generic on-premises SQL Server, Azure SQL Database, and Azure Synapse are supported. For Azure dedicated SQL pools, we recommend using the Azure Blob Storage destination type and loading from Azure Data Lake Storage Gen2.
  </Accordion>
</AccordionGroup>
