diff --git a/locals.tf b/locals.tf
index 47b46d8..322aa94 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,14 @@
 locals {
 storage_account_name = provider::azurerm::parse_resource_id(var.storage_account_id).resource_name
 storage_blob_endpoint = "https://${local.storage_account_name}.blob.core.windows.net/"
+
+ firewall_rules = var.firewall_rules_allow_azure_services ? {
+ # Allow connections from inside Azure.
+ # Ref: https://github.com/MicrosoftDocs/sql-docs/blob/2921bf7c9d2301d818479eae0488285403f48250/azure-sql/database/firewall-configure.md#connections-from-inside-azure
+ "azure" = {
+ name = "AllowAllWindowsAzureIps"
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+ }
+ } : {}
 }
diff --git a/main.tf b/main.tf
index 62506cd..11d5c5d 100644
--- a/main.tf
+++ b/main.tf
@@ -41,7 +41,7 @@ resource "azurerm_mssql_server" "this" {
 }
 
 resource "azurerm_mssql_firewall_rule" "this" {
- for_each = var.firewall_rules
+ for_each = merge(local.firewall_rules, var.firewall_rules)
 
 name = each.value.name
 server_id = azurerm_mssql_server.this.id
diff --git a/variables.tf b/variables.tf
index 2b1f955..4051a83 100644
--- a/variables.tf
+++ b/variables.tf
@@ -75,13 +75,14 @@ variable "firewall_rules" {
 end_ip_address = string
 }))
 
- default = {
- "azure" = {
- name = "AllowAllWindowsAzureIps"
- start_ip_address = "0.0.0.0"
- end_ip_address = "0.0.0.0"
- }
- }
+ default = {}
+}
+
+variable "firewall_rules_allow_azure_services" {
+ description = "Should Azure services be allowed to bypass the firewall rules for this SQL server?"
+ type = bool
+ default = true
+ nullable = false
 }
 
 variable "diagnostic_setting_name" {
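Review bot: The comment above the new `firewall_rules` local understates what the 0.0.0.0–0.0.0.0 rule does: per the Microsoft page it links, this special rule admits connections from any Azure-hosted resource, including resources in other customers' subscriptions, not only the services of this deployment. Readers deciding whether to keep the default need that scope stated where the rule is defined, e.g. `# Allow connections from ANY Azure-hosted resource (any subscription/tenant), not just this deployment's services.` in place of `# Allow connections from inside Azure.`. Keep the 0.0.0.0 start/end addresses as written, since that range is what Azure treats as the "allow Azure services" toggle rather than an ordinary IP rule.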
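Review bot: `merge(local.firewall_rules, var.firewall_rules)` lets a caller-supplied rule keyed `"azure"` silently replace the built-in Azure-services rule, and a caller rule that reuses `name = "AllowAllWindowsAzureIps"` under a different key would create two `azurerm_mssql_firewall_rule` resources competing for the same server-side rule name. If the module-managed rule is meant to win, reverse the argument order with `for_each = merge(var.firewall_rules, local.firewall_rules)`; if callers are meant to be able to override it, a `validation` block on `var.firewall_rules` that rejects the reserved key and name would surface the conflict at plan time instead of apply. The enclosing `azurerm_mssql_firewall_rule` block continues past the end of the hunk.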
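Review bot: `firewall_rules_allow_azure_services` defaults to `true`, so the broad 0.0.0.0 rule is opt-out rather than opt-in; this preserves what the removed `var.firewall_rules` default did, but a consumer who reads only the description will not learn that it admits traffic from any Azure subscription, not just their own. At minimum the description should say so, e.g. `description = "Create the special 0.0.0.0 firewall rule that allows connections from any Azure-hosted resource, including other customers' subscriptions. Defaults to true for backwards compatibility."`. Flipping the default to `false` would be the secure-by-default choice and is worth recording as a planned breaking change rather than leaving it implicit.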