Summary

After enabling workspace-level IP firewall rules (GA since March 2026) on a Fabric workspace, SSMS can no longer connect to a Warehouse via TDS. The Fabric portal continues to work fine from the same machine/IP. The error message incorrectly references private links, even though no private link configuration is in place.

Error

Microsoft SQL Server, Error: 18456

While private links are enabled, you cannot connect from this IP address.

Connection Id: 853380c1-12e4-40ec-8e0b-2e5c4dab2f48
Timestamp: 2026-05-10 14:52:25Z

Environment

• Workspace setting: "Allow connections from selected networks and workspace level private links" — enabled
• IP firewall rules: Configured with correct public IP address(es)
• Tenant setting — "Configure workspace-level inbound network rules": Enabled
• Tenant setting — "Configure workspace-level IP firewall rules": Enabled
• Tenant setting — "Azure Private Link": NOT enabled
• Tenant setting — "Block Public Internet Access": NOT enabled
• No VPN or split-tunnel networking involved

What works

• Accessing the Warehouse, Lakehouse, and all other workspace items through the Fabric portal (browser) — works correctly with IP firewall rules active.
• Connecting via SSMS when the workspace is set to "Allow all connections" — works fine (after ~15 min propagation).

What does NOT work

• Connecting via SSMS (TDS endpoint, port 1433) to the Warehouse when IP firewall rules are active — blocked with the error above, even though the IP is whitelisted.

What I have ruled out

1. IP rules are correctly registered. Verified via the REST API:

   GET /v1/workspaces/<id>/networking/communicationpolicy/inbound/firewall

   Returns the expected IP addresses.

2. Propagation delay is not the issue. The setting has been in place for over 24 hours. I have also tested toggling back to "Allow all connections" — SSMS works again after ~15 minutes.

3. The IP address is correct. The same public IP is used successfully to connect to other Azure SQL databases via SSMS. Confirmed via whatismyip.com and the "Add client IP address" option in the Fabric portal.

4. Not a tenant-level private link issue. Azure Private Link is explicitly disabled at the tenant level. "Block Public Internet Access" is also disabled.

5. Reproduced across fresh setups. Created a new workspace, new Warehouse, applied IP firewall rules — same result.

6. Tested with and without VPN — same result.

Suspected root cause

The error message says "While private links are enabled" — but I have not enabled private links. This suggests that when the workspace is set to "Allow connections from selected networks and workspace level private links", the TDS endpoint internally treats this as a private link scenario, regardless of whether only IP firewall rules are configured. The Fabric portal (HTTPS) correctly evaluates the IP allowlist, but the TDS endpoint appears to fall into a different code path that rejects all non-private-link connections.

This would mean workspace-level IP firewall rules do not currently work for SSMS/TDS connections, despite "Warehouses" being listed as a supported item type in the documentation.

Questions

1. Is this a known limitation or bug with workspace-level IP firewall rules and TDS endpoints?
2. If this is by design, can the documentation be updated to reflect that SSMS/TDS connections require workspace-level Private Link and cannot rely on IP firewall rules alone?
3. Is there a timeline for IP firewall rules to support TDS connections?

Any insight from the product team or community members who have successfully used IP firewall rules with SSMS would be greatly appreciated.