> ## Documentation Index
> Fetch the complete documentation index at: https://docs.genloop.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure SQL

> Connect an Azure SQL database to Genloop with server, database, and read-only credentials over an encrypted connection, optionally through an SSH tunnel.

Genloop connects to Azure SQL over an encrypted connection using a read-only user. The same connector works for self-hosted SQL Server.

## Before you connect

* A database user with read access to the tables you want to query.
* Network access from Genloop. In the Azure portal, add Genloop's regional IP address to your server's firewall rules. See [Before you begin](/using-genloop/connections/connect-a-database#before-you-begin).

## Connection fields

| Field                        | Description                                                                           |
| ---------------------------- | ------------------------------------------------------------------------------------- |
| **Connection name**          | A name to identify this connection in Genloop                                         |
| **Host**                     | Server hostname, for example `myserver.database.windows.net`                          |
| **Port**                     | The port your server listens on. Defaults to `1433`                                   |
| **Database**                 | Name of the database to connect                                                       |
| **Username**                 | Database user Genloop connects as                                                     |
| **Password**                 | Password for that user                                                                |
| **Trust server certificate** | Off by default. Enable only for self-hosted SQL Server with a self-signed certificate |

## Encryption (TLS)

The connection is always encrypted; there is no option to turn encryption off. What you control is certificate validation:

* **Azure SQL** — leave **Trust server certificate** off so the server's certificate is validated.
* **Self-hosted SQL Server with a self-signed certificate, or a tunnelled connection to a local server** — turn **Trust server certificate** on so the connection is accepted.

## Connect through an SSH tunnel

If the server is not reachable directly, reach it through a bastion or jump host. Turn on **Connect via SSH tunnel** in the connection form and complete these fields. When tunnelling to a local server, turn **Trust server certificate** on.

| Field                   | Description                                                                             |
| ----------------------- | --------------------------------------------------------------------------------------- |
| **SSH host**            | Public IP or DNS of the bastion. Cannot be `localhost`                                  |
| **SSH port**            | SSH port on the bastion. Default is `22`                                                |
| **SSH username**        | User Genloop signs in to the bastion as                                                 |
| **PEM key**             | Your private key file. Sent encrypted with the rest of the credentials                  |
| **Remote bind address** | Server host as seen from the bastion. Use `127.0.0.1` if the server runs on the bastion |
| **Remote bind port**    | Server port as reached from the bastion                                                 |

## Permissions

Genloop only reads your data. Give the connecting user read access to the tables you select; no write access is needed. A minimal grant looks like this:

```sql theme={null}
GRANT SELECT ON SCHEMA::dbo TO genloop_user;
```

## Next steps

<CardGroup cols={2}>
  <Card title="Connect a database" icon="database" href="/using-genloop/connections/connect-a-database">
    Back to the full connection flow.
  </Card>

  <Card title="Context Hub" icon="brain" href="/using-genloop/context-hub">
    View and edit the memory built from your connection.
  </Card>
</CardGroup>
