docs: Fix metadata field order and ms.date, fix description, replace 'using' with 'by using', rewrite sentences for clarity

Author: duongau

articles/firewall/sql-fqdn-filtering.md

@@ -1,45 +1,44 @@
 ---
 title: Configure Azure Firewall application rules with SQL FQDNs
-description: In this article, you learn how to configure SQL FQDNs in Azure Firewall application rules.
-services: firewall
+description: Configure SQL FQDNs in Azure Firewall application rules to control access to SQL server instances from your virtual networks.
 author: duau
+ms.author: duau
 ms.service: azure-firewall
-ms.custom: devx-track-azurecli, devx-track-azurepowershell
 ms.topic: how-to
-ms.date: 10/31/2022
-ms.author: duau
+ms.date: 03/28/2026
+ms.custom: devx-track-azurecli, devx-track-azurepowershell
 # Customer intent: "As a network administrator, I want to configure SQL FQDN application rules in Azure Firewall, so that I can control access to specific SQL server instances from my virtual networks."
 ---
 
 # Configure Azure Firewall application rules with SQL FQDNs
 
-You can now configure Azure Firewall application rules with SQL FQDNs. This allows you to limit access from your virtual networks to only the specified SQL server instances.
+You can configure Azure Firewall application rules with SQL FQDNs. This configuration limits access from your virtual networks to only the specified SQL server instances.
 
-With SQL FQDNs, you can filter traffic:
+By using SQL FQDNs, you can filter traffic:
 
-- From your VNets to an Azure SQL Database or Azure Synapse Analytics. For example: Only allow access to *sql-server1.database.windows.NET*.
-- From on-premises to Azure SQL Managed Instances or SQL IaaS running in your VNets.
-- From spoke-to-spoke to Azure SQL Managed Instances or SQL IaaS running in your VNets.
+- From your virtual networks to an Azure SQL Database or Azure Synapse Analytics. For example: Only allow access to *sql-server1.database.windows.NET*.
+- From on-premises to Azure SQL Managed Instances or SQL IaaS running in your virtual networks.
+- From spoke-to-spoke to Azure SQL Managed Instances or SQL IaaS running in your virtual networks.
 
-SQL FQDN filtering is supported in [proxy-mode](/azure/azure-sql/database/connectivity-architecture#connection-policy) only (port 1433). If you use SQL in the default redirect mode, you can filter access using the SQL service tag as part of [network rules](features-by-sku.md#key-basic-features).
+SQL FQDN filtering is supported in [proxy-mode](/azure/azure-sql/database/connectivity-architecture#connection-policy) only (port 1433). If you use SQL in the default redirect mode, you can filter access by using the SQL service tag as part of [network rules](features-by-sku.md#key-basic-features).
 If you use non-default ports for SQL IaaS traffic, you can configure those ports in the firewall application rules.
 
-## Configure using Azure CLI
+## Configure by using Azure CLI
 
 1. Deploy an [Azure Firewall using Azure CLI](deploy-cli.md).
-1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, set the SQL connectivity mode to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
 
    > [!NOTE]
-   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
+   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access by using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
 
-1. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
+1. Create a new rule collection with an application rule that uses SQL FQDN to allow access to a SQL server:
 
    ```azurecli
     az extension add -n azure-firewall
-    
-    az network firewall application-rule create \ 
+
+    az network firewall application-rule create \
         --resource-group Test-FW-RG \
-        --firewall-name Test-FW01 \ 
+        --firewall-name Test-FW01 \
         --collection-name sqlRuleCollection \
         --priority 1000 \
         --action Allow \
@@ -49,50 +48,51 @@ If you use non-default ports for SQL IaaS traffic, you can configure those ports
         --target-fqdns sql-serv1.database.windows.net
    ```
 
-## Configure using Azure PowerShell
+## Configure by using Azure PowerShell
 
 1. Deploy an [Azure Firewall using Azure PowerShell](deploy-ps.md).
-1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, set the SQL connectivity mode to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
 
    > [!NOTE]
-   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
+   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access by using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
 
-1. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
+1. Create a new rule collection with an application rule that uses SQL FQDN to allow access to a SQL server:
 
    ```azurepowershell
    $AzFw = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName "Test-FW-RG"
-    
+
    $sqlRule = @{
       Name          = "sqlRule"
-      Protocol      = "mssql:1433" 
+      Protocol      = "mssql:1433"
       TargetFqdn    = "sql-serv1.database.windows.net"
       SourceAddress = "10.0.0.0/24"
    }
-    
+
    $rule = New-AzFirewallApplicationRule @sqlRule
-    
+
    $sqlRuleCollection = @{
-      Name       = "sqlRuleCollection" 
-      Priority   = 1000 
+      Name       = "sqlRuleCollection"
+      Priority   = 1000
       Rule       = $rule
       ActionType = "Allow"
    }
-    
+
    $ruleCollection = New-AzFirewallApplicationRuleCollection @sqlRuleCollection
-    
-   $Azfw.ApplicationRuleCollections.Add($ruleCollection)    
-   Set-AzFirewall -AzureFirewall $AzFw    
+
+   $Azfw.ApplicationRuleCollections.Add($ruleCollection)
+   Set-AzFirewall -AzureFirewall $AzFw
    ```
 
-## Configure using the Azure portal
-1. Deploy an [Azure Firewall using Azure CLI](deploy-cli.md).
-1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).  
+## Configure by using the Azure portal
+
+1. Deploy an [Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md).
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, set the SQL connectivity mode to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
 
    > [!NOTE]
-   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
+   > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access by using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
 
-1. Add the application rule with the appropriate protocol, port, and SQL FQDN and then select **Save**.
-1. Access SQL from a virtual machine in a VNet that filters the traffic through the firewall. 
+1. Add the application rule with the appropriate protocol, port, and SQL FQDN, and then select **Save**.
+1. Access SQL from a virtual machine in a virtual network that filters the traffic through the firewall.
 1. Validate that [Azure Firewall logs](./firewall-workbook.md) show the traffic is allowed.
 
 ## Next steps