Microsoft SQL Server

Connect AnomalyArmor to any Microsoft SQL Server database. This guide covers on-premise SQL Server, Azure SQL Database, and Amazon RDS for SQL Server.

Supported Versions & Platforms

Platform	Minimum Version	Notes
SQL Server	2012+	On-premise or any cloud
SQL Server 2019	Recommended	Best compatibility
SQL Server 2022	Latest	Fully supported
Azure SQL Database	Any	All service tiers
Azure SQL Managed Instance	Any	All service tiers
Amazon RDS SQL Server	2012+	All instance classes

SQL Server 2008 and earlier are not supported. Please upgrade to SQL Server 2012+ for compatibility.

Connection Settings

Field	Description	Example
Connection Name	Friendly identifier	`Production SQL Server`
Host	Hostname or IP address	`db.example.com`
Port	Database port	`1433`
Database	Database name	`myapp_production`
Username	SQL Server user	`anomalyarmor`
Password	User password	`********`
SSL Mode	SSL configuration	`require`

Authentication Methods

Method	Supported	Notes
SQL Server Authentication	Yes	Username and password
Windows Authentication	No	Not currently supported
Azure Active Directory	No	Planned for future release

SQL Server Authentication (username/password) is required. Windows Authentication and Azure AD are planned for future releases.

Creating a Read-Only User

Create a dedicated user with minimal permissions:

-- Create a login at the server level
CREATE LOGIN anomalyarmor WITH PASSWORD = 'YourSecurePassword123!';

-- Switch to your database
USE your_database;

-- Create a user for the login
CREATE USER anomalyarmor FOR LOGIN anomalyarmor;

-- Grant SELECT on schemas (repeat for each schema you want to monitor)
GRANT SELECT ON SCHEMA::dbo TO anomalyarmor;
GRANT SELECT ON SCHEMA::production TO anomalyarmor;

-- Grant VIEW DEFINITION for schema introspection
GRANT VIEW DEFINITION TO anomalyarmor;

Verifying Permissions

Test that the user can access metadata:

-- Should return tables
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'dbo';

-- Should return columns
SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'dbo';

Provider-Specific Instructions

Azure SQL Database
Azure SQL Managed Instance
Amazon RDS
On-Premise

Azure SQL Database

Connection Details:

Host: yourserver.database.windows.net
Port: 1433
SSL Mode: Encryption is always enabled (TLS 1.2+)

Firewall Configuration:

Go to Azure Portal > SQL databases > Your database > Set server firewall
Add a rule for each AnomalyArmor IP address (see Settings > Security)
Or enable “Allow Azure services” if AnomalyArmor runs in Azure

Firewall Rules
──────────────
Rule name       │ Start IP       │ End IP
AnomalyArmor-1  │ 34.xxx.xxx.xxx │ 34.xxx.xxx.xxx
AnomalyArmor-2  │ 34.xxx.xxx.xxx │ 34.xxx.xxx.xxx

Service Tiers: All tiers are supported:

Basic, Standard, Premium (DTU-based)
General Purpose, Business Critical, Hyperscale (vCore-based)
Serverless

Azure SQL Database enforces encrypted connections. The SSL mode setting is informational - Azure will always use TLS 1.2+.

Azure SQL Managed Instance

Connection Details:

Host: yourinstance.abc123.database.windows.net
Port: 1433 (default) or 3342 (public endpoint)
SSL Mode: require

Connectivity Options:

Method	Description
VNet Integration	Connect through Azure VNet peering
Public Endpoint	Enable public endpoint on port 3342

Public Endpoint Setup:

Go to Azure Portal > SQL managed instances > Your instance > Security > Networking
Enable Public endpoint
Add AnomalyArmor IPs to Deny public access exceptions

For VNet-based connectivity, contact us about Enterprise VPC peering options.

Amazon RDS for SQL Server

Connection Details:

Host: Your RDS endpoint (e.g., mydb.abc123.us-east-1.rds.amazonaws.com)
Port: 1433 (default)
SSL Mode: require

Security Group Configuration:

Go to AWS Console > RDS > Your Instance > Security Groups
Edit inbound rules
Add rule:
- Type: MS SQL
- Port: 1433
- Source: AnomalyArmor IPs (see Settings > Security)

Security Group: sg-abc123
────────────────────────────────────────────────────────
Inbound Rules
MS SQL │ TCP │ 1433 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor
MS SQL │ TCP │ 1433 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor

RDS SQL Server Editions: All editions are supported:

Express Edition
Web Edition
Standard Edition
Enterprise Edition

RDS instances in private subnets require NAT Gateway or VPC peering for AnomalyArmor access.

On-Premise SQL Server

Connection Details:

Host: Your server’s hostname or IP
Port: 1433 (or custom port)
SSL Mode: Depends on your setup

Firewall Configuration:Allow inbound connections from AnomalyArmor IPs:

# Windows Firewall example
New-NetFirewallRule -DisplayName "AnomalyArmor SQL" `
  -Direction Inbound -LocalPort 1433 -Protocol TCP `
  -RemoteAddress 34.xxx.xxx.xxx -Action Allow

SQL Server Configuration:Ensure TCP/IP is enabled:

Open SQL Server Configuration Manager
Go to SQL Server Network Configuration > Protocols
Enable TCP/IP
Set TCP Port to 1433 (or your preferred port)
Restart SQL Server service

Mixed Mode Authentication:SQL Server Authentication must be enabled:

Connect in SSMS as administrator
Right-click server > Properties > Security
Select SQL Server and Windows Authentication mode
Restart SQL Server service

SSL/TLS Configuration (recommended):

Install a valid SSL certificate on the server
In SQL Server Configuration Manager, go to SQL Server Network Configuration > Protocols > Properties
Set Force Encryption to Yes

What We Query

AnomalyArmor runs these types of queries:

-- Tables and views
SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA NOT IN ('sys', 'INFORMATION_SCHEMA');

-- Columns
SELECT COLUMN_NAME, DATA_TYPE, IS_NULLABLE, COLUMN_DEFAULT
FROM INFORMATION_SCHEMA.COLUMNS;

-- Freshness (for timestamp columns)
SELECT MAX(your_timestamp_column) FROM your_table;

Impact: Minimal. These are lightweight metadata queries using standard INFORMATION_SCHEMA views.

Excluded Schemas

AnomalyArmor automatically excludes system schemas:

sys - SQL Server system objects
INFORMATION_SCHEMA - ANSI standard metadata views

All user-created schemas are included by default.

Troubleshooting

Error: Login failed for user 'anomalyarmor'Causes:

Wrong username or password
SQL Server Authentication not enabled
User doesn’t have access to the specified database

Solutions:

Verify username and password are correct
Check SQL Server is in Mixed Mode authentication
Ensure the login exists: SELECT name FROM sys.server_principals WHERE name = 'anomalyarmor'
Ensure the user has database access

Cannot open database

Error: Cannot open database 'mydb' requested by the loginCauses:

Database name is incorrect
User doesn’t have access to the database
Database doesn’t exist

Solutions:

Verify database name (case-sensitive on some configurations)
Check user permissions: SELECT name FROM sys.database_principals WHERE name = 'anomalyarmor'
Grant access: USE mydb; CREATE USER anomalyarmor FOR LOGIN anomalyarmor;

Connection refused or timeout

Error: Cannot connect to SQL Server or connection timeoutCauses:

Firewall blocking the connection
Wrong hostname or port
SQL Server not listening on TCP/IP
SQL Server Browser service not running (named instances)

Solutions:

Verify AnomalyArmor IPs are allowlisted
Check firewall rules
Ensure TCP/IP protocol is enabled in SQL Server Configuration Manager
For named instances, ensure SQL Server Browser is running or specify the port
Test connectivity: Test-NetConnection hostname -Port 1433

Azure SQL firewall error

Error: Cannot connect - firewall rule or error 40615Causes:

AnomalyArmor IP not in Azure SQL firewall rules
Public access is disabled

Solutions:

Go to Azure Portal > SQL databases > Set server firewall
Add AnomalyArmor IP addresses to firewall rules
Ensure “Deny public network access” is Off

Windows Authentication required

Error: Error 18470 or “Windows authentication is required”Causes:

Server is configured for Windows Authentication only
SQL Server Authentication is disabled

Solutions:

Enable Mixed Mode authentication in SQL Server properties
Restart SQL Server service
AnomalyArmor currently requires SQL Server Authentication

No tables found in discovery

Causes:

User lacks SELECT permission on schemas
User lacks VIEW DEFINITION permission
All tables are in excluded schemas

Solutions:

Grant schema access: GRANT SELECT ON SCHEMA::dbo TO anomalyarmor;
Grant view definition: GRANT VIEW DEFINITION TO anomalyarmor;
Test query: SELECT * FROM INFORMATION_SCHEMA.TABLES;

Next Steps

Run Discovery

Scan your SQL Server database

Set Up Alerts

Get notified of schema changes

Getting Started

Core Concepts

Data Sources

Detect Schema Changes

Monitor Data Health

Coverage Tiers

Get Notified

Understand Your Data

Organize & Tag

Guides

Account & Settings

Security

Help

Downloads

Supported Versions & Platforms

Connection Settings

Authentication Methods

Creating a Read-Only User

Verifying Permissions

Provider-Specific Instructions

Azure SQL Database

Azure SQL Managed Instance

Amazon RDS for SQL Server

On-Premise SQL Server

What We Query

Excluded Schemas

Troubleshooting

Next Steps

Run Discovery

Set Up Alerts

Getting Started

Core Concepts

Data Sources

Detect Schema Changes

Monitor Data Health

Coverage Tiers

Get Notified

Understand Your Data

Organize & Tag

Guides

Account & Settings

Security

Help

Downloads

​Supported Versions & Platforms

​Connection Settings

​Authentication Methods

​Creating a Read-Only User

​Verifying Permissions

​Provider-Specific Instructions

​Azure SQL Database

​Azure SQL Managed Instance

​Amazon RDS for SQL Server

​On-Premise SQL Server

​What We Query

​Excluded Schemas

​Troubleshooting

​Next Steps

Run Discovery

Set Up Alerts

Supported Versions & Platforms

Connection Settings

Authentication Methods

Creating a Read-Only User

Verifying Permissions

Provider-Specific Instructions

Azure SQL Database

Azure SQL Managed Instance

Amazon RDS for SQL Server

On-Premise SQL Server

What We Query

Excluded Schemas

Troubleshooting

Next Steps