Access to Azure MySQL Flexible Server from a definite firewall

I created an instance of MySQL Flexible Server on Azure. I need to close public network access and allow it only through a definite firewall.

The firewall has a definite public IP and I can specify it in the MySQL networking section, that's not a problem. The problem comes because I could connect to the DB from anywhere, and I don't know all possible source IPs in advance.

I need to route all traffic through the firewall, so that it'll be coming from a single IP, from Azure point of view. The MySQL server has an FQDN like <name>.mysql.database.azure.com.

Unfortunately, I can't specify FQDN in my firewall, only IPs, and IP might change. With a classic MySQL Single Server I would configure the fw rules to allow traffic towards all IPs listed in "Azure Service Tags" file for the service/region pair, say Sql.WestEurope.

This does not seem to work with Flexible because the resolved IP from its FQDN can't be found among service tags.

How could I do ?

Yes, this feature was changed from single server to flexible, no service tag is supported now.

Try using private access with VNet integration to restrict access to your Azure MySQL Flexible Server to a specific virtual network or subnet.
You can choose to create a new private DNS zone while deploying with private access or use an existing one. You can setup your firewall destination IP if it does not support FQDN.