Do you want to lock down your Azure Blob Storage account via the built in firewall but want to be able to use BULK INSERT via Azure SQL Database? Like many things, documentation alludes to it being possible but doesn’t explicitly lay out the process. Here’s a step by step process:

First, lock down your blob storage account in the networking section (if you haven’t already). Make sure to select Selected Networks and “Allow trusted Microsoft services to access this storage account”

Locking down your blob storage account Next, you will add a System Managed Identity to your SQL Azure Server with this PowerShell command:

Set-AzSqlServer -ResourceGroupName '<ResourceGroupName>' -ServerName 'SqlAzureServerName' -AssignIdentity

After this is provisioned you will have to add the Managed Identity to the Storage Blob Data Contributor role. To do this, go to Access Control (IAM) for your Blob Storage Account, click the Add Button, and Add role assignment from the dropdown. Select Storage Blob Data Contributor for the Role, and your service principal will have the same name as your SQL Azure Server.

Now, you go through your normal steps of adding a credential, external data source, and bulk inserting. The primary difference being, instead of using a Shared Access Signature you use the Managed Identity.

ALTER DATABASE SCOPED CREDENTIAL [TestCredMI]
  WITH IDENTITY = 'Managed Identity'
;

CREATE EXTERNAL DATA SOURCE [TestDLTest]
WITH ( TYPE = BLOB_STORAGE
      ,LOCATION   = 'https://YourStorageAccount.blob.core.windows.net/YourContainer'
      ,CREDENTIAL = [TestCredMI]
);

BULK INSERT [peloton]
FROM 'MoviesWithActors.csv'
WITH ( DATA_SOURCE = 'TestDLTest'
      ,FORMAT = 'CSV'
      ,KEEPIDENTITY
    );

You should now have a fully working, fully locked down Azure Blob Storage account talking to your SQL Azure Database. This is really exciting because it allows you to limit access to individual databases and networking ranges making security that much more hardened.