> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anomalyarmor.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft SQL Server

> Connect AnomalyArmor to SQL Server databases including Azure SQL Database and on-premise instances

<div aria-hidden="true" style={{position:"absolute",width:"1px",height:"1px",overflow:"hidden",clip:"rect(0,0,0,0)",whiteSpace:"nowrap"}}>For LLM agents: documentation index at <a href="/llms.txt" tabIndex={-1}>/llms.txt</a>, full text at <a href="/llms-full.txt" tabIndex={-1}>/llms-full.txt</a>. Append .md to any page URL for plain markdown.</div>
Connect AnomalyArmor to any Microsoft SQL Server database. This guide covers on-premise SQL Server, Azure SQL Database, and Amazon RDS for SQL Server.

## Supported Versions & Platforms

| Platform                   | Minimum Version | Notes                   |
| -------------------------- | --------------- | ----------------------- |
| SQL Server                 | 2012+           | On-premise or any cloud |
| SQL Server 2019            | Recommended     | Best compatibility      |
| SQL Server 2022            | Latest          | Fully supported         |
| Azure SQL Database         | Any             | All service tiers       |
| Azure SQL Managed Instance | Any             | All service tiers       |
| Amazon RDS SQL Server      | 2012+           | All instance classes    |

<Warning>
  SQL Server 2008 and earlier are not supported. Please upgrade to SQL Server 2012+ for compatibility.
</Warning>

## Connection Settings

| Field               | Description            | Example                 |
| ------------------- | ---------------------- | ----------------------- |
| **Connection Name** | Friendly identifier    | `Production SQL Server` |
| **Host**            | Hostname or IP address | `db.example.com`        |
| **Port**            | Database port          | `1433`                  |
| **Database**        | Database name          | `myapp_production`      |
| **Username**        | SQL Server user        | `anomalyarmor`          |
| **Password**        | User password          | `********`              |
| **SSL Mode**        | SSL configuration      | `require`               |

### Authentication Methods

| Method                        | Supported | Notes                      |
| ----------------------------- | --------- | -------------------------- |
| **SQL Server Authentication** | Yes       | Username and password      |
| **Windows Authentication**    | No        | Not currently supported    |
| **Azure Active Directory**    | No        | Planned for future release |

<Note>
  SQL Server Authentication (username/password) is required. Windows Authentication and Azure AD are planned for future releases.
</Note>

## Creating a Read-Only User

Create a dedicated user with minimal permissions:

```sql theme={null}
-- Create a login at the server level
CREATE LOGIN anomalyarmor WITH PASSWORD = 'YourSecurePassword123!';

-- Switch to your database
USE your_database;

-- Create a user for the login
CREATE USER anomalyarmor FOR LOGIN anomalyarmor;

-- Grant SELECT on schemas (repeat for each schema you want to monitor)
GRANT SELECT ON SCHEMA::dbo TO anomalyarmor;
GRANT SELECT ON SCHEMA::production TO anomalyarmor;

-- Grant VIEW DEFINITION for schema introspection
GRANT VIEW DEFINITION TO anomalyarmor;
```

### Verifying Permissions

Test that the user can access metadata:

```sql theme={null}
-- Should return tables
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'dbo';

-- Should return columns
SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'dbo';
```

## Provider-Specific Instructions

<Tabs>
  <Tab title="Azure SQL Database">
    ### Azure SQL Database

    **Connection Details**:

    * **Host**: `yourserver.database.windows.net`
    * **Port**: `1433`
    * **SSL Mode**: Encryption is always enabled (TLS 1.2+)

    **Firewall Configuration**:

    1. Go to **Azure Portal > SQL databases > Your database > Set server firewall**
    2. Add a rule for each AnomalyArmor IP address (see Settings > Security)
    3. Or enable "Allow Azure services" if AnomalyArmor runs in Azure

    ```
    Firewall Rules
    ──────────────
    Rule name       │ Start IP       │ End IP
    AnomalyArmor-1  │ 34.xxx.xxx.xxx │ 34.xxx.xxx.xxx
    AnomalyArmor-2  │ 34.xxx.xxx.xxx │ 34.xxx.xxx.xxx
    ```

    **Service Tiers**:
    All tiers are supported:

    * Basic, Standard, Premium (DTU-based)
    * General Purpose, Business Critical, Hyperscale (vCore-based)
    * Serverless

    <Warning>
      Azure SQL Database enforces encrypted connections. The SSL mode setting is informational - Azure will always use TLS 1.2+.
    </Warning>
  </Tab>

  <Tab title="Azure SQL Managed Instance">
    ### Azure SQL Managed Instance

    **Connection Details**:

    * **Host**: `yourinstance.abc123.database.windows.net`
    * **Port**: `1433` (default) or `3342` (public endpoint)
    * **SSL Mode**: `require`

    **Connectivity Options**:

    | Method               | Description                         |
    | -------------------- | ----------------------------------- |
    | **VNet Integration** | Connect through Azure VNet peering  |
    | **Public Endpoint**  | Enable public endpoint on port 3342 |

    **Public Endpoint Setup**:

    1. Go to **Azure Portal > SQL managed instances > Your instance > Security > Networking**
    2. Enable **Public endpoint**
    3. Add AnomalyArmor IPs to **Deny public access** exceptions

    <Note>
      For VNet-based connectivity, contact us about Enterprise VPC peering options.
    </Note>
  </Tab>

  <Tab title="Amazon RDS">
    ### Amazon RDS for SQL Server

    **Connection Details**:

    * **Host**: Your RDS endpoint (e.g., `mydb.abc123.us-east-1.rds.amazonaws.com`)
    * **Port**: `1433` (default)
    * **SSL Mode**: `require`

    **Security Group Configuration**:

    1. Go to **AWS Console > RDS > Your Instance > Security Groups**
    2. Edit inbound rules
    3. Add rule:
       * Type: `MS SQL`
       * Port: `1433`
       * Source: AnomalyArmor IPs (see Settings > Security)

    ```
    Security Group: sg-abc123
    ────────────────────────────────────────────────────────
    Inbound Rules
    MS SQL │ TCP │ 1433 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor
    MS SQL │ TCP │ 1433 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor
    ```

    **RDS SQL Server Editions**:
    All editions are supported:

    * Express Edition
    * Web Edition
    * Standard Edition
    * Enterprise Edition

    <Note>
      RDS instances in private subnets require NAT Gateway or VPC peering for AnomalyArmor access.
    </Note>
  </Tab>

  <Tab title="On-Premise">
    ### On-Premise SQL Server

    **Connection Details**:

    * **Host**: Your server's hostname or IP
    * **Port**: `1433` (or custom port)
    * **SSL Mode**: Depends on your setup

    **Firewall Configuration**:

    Allow inbound connections from AnomalyArmor IPs:

    ```powershell theme={null}
    # Windows Firewall example
    New-NetFirewallRule -DisplayName "AnomalyArmor SQL" `
      -Direction Inbound -LocalPort 1433 -Protocol TCP `
      -RemoteAddress 34.xxx.xxx.xxx -Action Allow
    ```

    **SQL Server Configuration**:

    Ensure TCP/IP is enabled:

    1. Open **SQL Server Configuration Manager**
    2. Go to **SQL Server Network Configuration > Protocols**
    3. Enable **TCP/IP**
    4. Set TCP Port to `1433` (or your preferred port)
    5. Restart SQL Server service

    **Mixed Mode Authentication**:

    SQL Server Authentication must be enabled:

    1. Connect in SSMS as administrator
    2. Right-click server > **Properties > Security**
    3. Select **SQL Server and Windows Authentication mode**
    4. Restart SQL Server service

    **SSL/TLS Configuration** (recommended):

    1. Install a valid SSL certificate on the server
    2. In SQL Server Configuration Manager, go to **SQL Server Network Configuration > Protocols > Properties**
    3. Set **Force Encryption** to Yes
  </Tab>
</Tabs>

## What We Query

AnomalyArmor runs these types of queries:

```sql theme={null}
-- Tables and views
SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA NOT IN ('sys', 'INFORMATION_SCHEMA');

-- Columns
SELECT COLUMN_NAME, DATA_TYPE, IS_NULLABLE, COLUMN_DEFAULT
FROM INFORMATION_SCHEMA.COLUMNS;

-- Freshness (for timestamp columns)
SELECT MAX(your_timestamp_column) FROM your_table;
```

**Impact**: Minimal. These are lightweight metadata queries using standard INFORMATION\_SCHEMA views.

## Excluded Schemas

AnomalyArmor automatically excludes system schemas:

* `sys` - SQL Server system objects
* `INFORMATION_SCHEMA` - ANSI standard metadata views

All user-created schemas are included by default.

## Troubleshooting

<AccordionGroup>
  <Accordion title="Login failed for user">
    **Error**: `Login failed for user 'anomalyarmor'`

    **Causes**:

    * Wrong username or password
    * SQL Server Authentication not enabled
    * User doesn't have access to the specified database

    **Solutions**:

    1. Verify username and password are correct
    2. Check SQL Server is in Mixed Mode authentication
    3. Ensure the login exists: `SELECT name FROM sys.server_principals WHERE name = 'anomalyarmor'`
    4. Ensure the user has database access
  </Accordion>

  <Accordion title="Cannot open database">
    **Error**: `Cannot open database 'mydb' requested by the login`

    **Causes**:

    * Database name is incorrect
    * User doesn't have access to the database
    * Database doesn't exist

    **Solutions**:

    1. Verify database name (case-sensitive on some configurations)
    2. Check user permissions: `SELECT name FROM sys.database_principals WHERE name = 'anomalyarmor'`
    3. Grant access: `USE mydb; CREATE USER anomalyarmor FOR LOGIN anomalyarmor;`
  </Accordion>

  <Accordion title="Connection refused or timeout">
    **Error**: `Cannot connect to SQL Server` or connection timeout

    **Causes**:

    * Firewall blocking the connection
    * Wrong hostname or port
    * SQL Server not listening on TCP/IP
    * SQL Server Browser service not running (named instances)

    **Solutions**:

    1. Verify AnomalyArmor IPs are allowlisted
    2. Check firewall rules
    3. Ensure TCP/IP protocol is enabled in SQL Server Configuration Manager
    4. For named instances, ensure SQL Server Browser is running or specify the port
    5. Test connectivity: `Test-NetConnection hostname -Port 1433`
  </Accordion>

  <Accordion title="Azure SQL firewall error">
    **Error**: `Cannot connect - firewall rule` or error 40615

    **Causes**:

    * AnomalyArmor IP not in Azure SQL firewall rules
    * Public access is disabled

    **Solutions**:

    1. Go to Azure Portal > SQL databases > Set server firewall
    2. Add AnomalyArmor IP addresses to firewall rules
    3. Ensure "Deny public network access" is Off
  </Accordion>

  <Accordion title="Windows Authentication required">
    **Error**: Error 18470 or "Windows authentication is required"

    **Causes**:

    * Server is configured for Windows Authentication only
    * SQL Server Authentication is disabled

    **Solutions**:

    1. Enable Mixed Mode authentication in SQL Server properties
    2. Restart SQL Server service
    3. AnomalyArmor currently requires SQL Server Authentication
  </Accordion>

  <Accordion title="No tables found in discovery">
    **Causes**:

    * User lacks SELECT permission on schemas
    * User lacks VIEW DEFINITION permission
    * All tables are in excluded schemas

    **Solutions**:

    1. Grant schema access: `GRANT SELECT ON SCHEMA::dbo TO anomalyarmor;`
    2. Grant view definition: `GRANT VIEW DEFINITION TO anomalyarmor;`
    3. Test query: `SELECT * FROM INFORMATION_SCHEMA.TABLES;`
  </Accordion>
</AccordionGroup>

## Common Questions

### Which SQL Server versions and services does AnomalyArmor support?

SQL Server 2012+, Azure SQL Database (Single and Elastic Pool), Azure SQL Managed Instance, and Amazon RDS for SQL Server. SQL Server 2008 and earlier are not supported due to missing information-schema features.

### Do I need a SQL login or Windows authentication for Azure SQL?

SQL login (username + password) is the recommended path for Azure SQL Database. Azure AD authentication is supported on Enterprise plans. Windows authentication is not supported for managed Azure SQL; for on-premise SQL Server, SQL auth is still the simplest setup.

### What permissions does AnomalyArmor need on SQL Server?

Minimal read: grant the connection's login `CONNECT` to the database, `VIEW DEFINITION` on the schemas to monitor (so information\_schema returns your tables), and `SELECT` on those tables. No `ALTER`, `INSERT`, or `sysadmin` needed.

### Does AnomalyArmor support Always Encrypted columns in SQL Server?

AnomalyArmor doesn't decrypt Always Encrypted columns - nor does it need to. Schema drift and freshness work against encrypted columns because we only read metadata and aggregate over non-encrypted timestamp columns. If a column is Always Encrypted, we see its presence and type; its values stay encrypted end-to-end.

## Next Steps

<CardGroup cols={2}>
  <Card title="Run Discovery" icon="magnifying-glass" href="/quickstart/run-first-discovery">
    Scan your SQL Server database
  </Card>

  <Card title="Set Up Alerts" icon="bell" href="/quickstart/set-up-first-alert">
    Get notified of schema changes
  </Card>
</CardGroup>
