Azure SQL Database Setup Guide link
Updated November 16, 2023
Follow these instructions to replicate your Azure SQL database to your destination via Fivetran.
To connect your SQL Server database to Fivetran, you need:
- SQL Server version 2012 or above
- An Azure account with a DB Owner, SQL Server Contributor, or SQL Security Manager role
- ALTER ANY USER permissions in your database server
- Your database host's IP (e.g.,
126.96.36.199) or domain (e.g.,
- Your database's port (usually
- (If you want to connect using SSH) An SSH server
IMPORTANT: We do not support single-user mode.
Choose authentication method link
First, decide whether to authenticate with Azure Active Directory or with a username and password.
Authenticate with Azure Active Directory Betalink
IMPORTANT: You must have a properly configured Active Directory enabled within your Azure account to authenticate with Azure Active Directory. Follow Azure's Active Directory for Azure SQL setup instructions to properly enable Active Directory Authentication on your Azure SQL Database. You must have an AD admin user role to authorize Fivetran's access.
Azure Active Directory allows you to authenticate Fivetran using OAuth-style authentication. You can easily limit permissions and revoke Fivetran's access at any time, while also not sharing any user or password credential information with Fivetran.
In your connector setup form, choose the Connect via Azure Active Directory authentication method.
In Azure Active Directory, click the Properties button.
Find and copy your tenant ID.
Enter the Tenant ID in your connector setup form, then click Authorize.
In your Azure SQL database, create a user using the following command. Even though you don't share user or password information with Fivetran, the database eventually requires a user to issue queries. The
<PRINCIPAL-NAME>must either match your Active Directory user's User Principal Name or be a Group Principal Name assigned to that user.
CREATE USER [<PRINCIPAL-NAME>] FROM EXTERNAL PROVIDER;content_copy
Authenticate with username and passwordlink
With this method, you provide Fivetran with a username and associated password for a properly-configured user on the database. You'll create this user later in this setup guide.
Choose connection method link
Next, decide whether to connect your SQL Server database directly or using an SSH tunnel.
Connect directly (TLS required)link
IMPORTANT: You must have TLS enabled on your database to connect directly to Fivetran. Follow Azure's TLS setup instructions to enable TLS on your database.
Fivetran connects directly to your database instance. This is the simplest connection method.
To connect directly, create a firewall rule to allow access to Fivetran's IPs for your database's region.
Connect using SSH (TLS optional)link
Fivetran connects to a separate server in your network that provides an SSH tunnel to your database. You must connect through SSH if your database is in an inaccessible subnet on a virtual network.
To connect using SSH, create a firewall rule to allow access to your SSH tunnel server's IP address.
Before you proceed to the next step, you must follow our SSH connection instructions to give Fivetran access to your SSH tunnel. If you want Fivetran to tunnel SSH over TLS, follow Azure's TLS setup instructions to enable TLS on your database.
Connect using Azure Private Link Betalink
IMPORTANT: You must have a Business Critical plan to use Azure Private Link.
Azure Private Link allows Virtual Networks (VNets) and Azure-hosted or on-premises services to communicate with one another without exposing traffic to the public internet. Learn more in Microsoft's Azure Private Link documentation.
Follow our Azure PrivateLink setup guide to configure Private Link for your database.
Configure a server firewall to grant Fivetran's data processing servers access to your database.
Log in to the Azure console.
On the Azure main page, select SQL databases.
Click on the SQL database that you want to connect to Fivetran.
On the database overview page, find the server name and make a note of it. You will need it to configure Fivetran.
Click Set server firewall.
On the Firewall settings page, add a new firewall rule with a memorable name (for example,
Fivetran). What you enter in the IP fields depends on whether you're connecting directly or using an SSH tunnel.
- If you're connecting directly, enter Fivetran's IPs for your database's region.
- If you're connecting using an SSH tunnel, enter your SSH tunnel server's IP address and set the Connection Policy to Proxy.
Create user link
If you're authenticating Fivetran with a username and password, create a database user for Fivetran's exclusive use.
IMPORTANT: If you are authenticating with Azure Active Directory, skip ahead to Grant user permissions.
Open a connection to your Azure SQL database.
Add a container database user for Fivetran by running the following command. Replace
<database>with the name of your database,
<username>with the username of your choice, and
<password>with a password of your choice:
USE [<database>]; CREATE USER <username> WITH PASSWORD = '<password>';content_copy
Grant user permissionslink
Once you've created the Fivetran user, grant it SELECT permission for the database, schemas, tables, or specific columns you want Fivetran to sync. You can grant access to everything in a given database:
GRANT SELECT on DATABASE::[<database>] to [<username>];content_copy
or all tables in a given schema:
GRANT SELECT on SCHEMA::[<schema>] to [<username>];content_copy
or a specific table:
GRANT SELECT ONcontent_copy . TO ;
or a set of specific columns in a table:
GRANT SELECT ON ...) TO ;content_copy . ( , ,
or all but a set of specific columns in a table:
GRANT SELECT ON <username>; DENY SELECT ON . ( , , ...) TO ;content_copy . TO
or add a managed database-level role:
ALTER ROLE <role-name> add member [<username>];content_copy
Enable incremental updateslink
For incremental updates, we use one of the following tracking mechanisms:
These mechanisms let Fivetran copy only the rows that have changed since the last data sync so we don't have to copy the whole table every time. Learn more in our updating data documentation.
Choose to enable change tracking, change data capture, or Fivetran Teleport Sync.
Enable change tracking at the database level:
ALTER DATABASE [<database>] SET CHANGE_TRACKING = ON;content_copy
Enable CT for each table you want to integrate:
ALTER TABLE [<schema>].[<table>] ENABLE CHANGE_TRACKING;content_copy
Grant the Fivetran user
VIEW CHANGE TRACKINGpermission for each of the tables that have change tracking enabled:
GRANT VIEW CHANGE TRACKING ON [<schema>].[<table>] TO <username>;content_copy
Change data capturelink
Enable change data capture at the database level:
USE [<database>]; EXEC sys.sp_cdc_enable_db;content_copy
Enable CDC for each table you want to integrate:
EXEC sys.sp_cdc_enable_table @source_schema = , @source_name = , @role_name = ;content_copy
NOTE: Fivetran only supports tables with a single CDC capture instance. Our syncs only include tables and columns that are present in a CDC instance. If you add new tables or columns, you must create a new CDC instance that includes them and delete the old instance.
Fivetran Teleport Synclink
You do not need to do any additional configuration to use Fivetran Teleport Sync.
Finish Fivetran configurationlink
In your connector setup form, enter a destination schema prefix. This prefix applies to each replicated schema and cannot be changed once your connector is created.
In the Host field, enter your database host's IP (for example,
188.8.131.52) or domain (for example,
Enter your database instance's port number. The port number is usually
For the Database, enter the name of the database you want to connect to Fivetran.
Choose your authentication method. If you selected Connect with a username and password, provide the following information:
Choose your connection method. If you selected Connect via an SSH tunnel, provide the following information:
- SSH hostname (do not use a load balancer's IP address/hostname)
- SSH port
- SSH user
- If you enabled TLS on your database in Step 2, set the Require TLS through tunnel toggle to ON.
Choose your incremental update method.
Click Save & Test. Fivetran tests and validates our connection to your Azure SQL database. Upon successful completion of the setup tests, you can sync your data using Fivetran.
Fivetran performs the following tests to ensure that we can connect to your Azure SQL database and that it is properly configured:
- The Connecting to SSH Tunnel Test validates the SSH tunnel details you provided in the setup form. It then checks that we can connect to your database using the SSH Tunnel. (We skip this test if you aren't connecting using SSH.)
- The Connecting to Host Test validates the database credentials you provided in the setup form. It then verifies that the database host is not private and checks that we can connect to the host.
- The Validating Certificate Test generates a pop-up window where you must choose which certificate you want Fivetran to use. It then validates that certificate and checks that we can connect to your database using TLS. (We skip this test if you aren't connecting directly.)
- The Connecting to Database Test checks that we can access your database.
- The Checking Access to Schema Test checks that we have the correct permissions to access the schemas in your database. It then verifies that your database contains at least one table.
- The Validating Replication Config Test verifies that your database has an incremental update mechanism enabled (either CDC or CT).
NOTE: The tests may take a few minutes to finish running.