SQL under the hood

SQL Azure DatabaseUnder the hood
Ing. Eduardo Castro, PhD
Comunidad Windows
ecastro@grupoasesor.net
http://ecastrom.blogspot.com

Agenda
Service Review
SQL Azure Architecture & Workflows
Service Resilience
Service Monitoring
Attack Vectors/Security considerations
Wrap up

What is “SQL Azure”?

The Azure Services PlaformAn illustration
.NET Services
SQL Azure
Applications
Windows Azure
Applications
Windows
Mobile
Windows
Vista/XP
Windows
Server
Others

Review – Conceptual model
Subscription
Used to map service usage to the billing instrument
Users may have many subscriptions
Logical Server
Akin to SQL Server Instance
Unit of Geo-Location & Billing
1:1 Subscription & server
User Database
Restricted T-SQL surface area
Additional catalog views provided e.g. sys.billing, sys.firewall_rules, etc

SQL AzureA relational DB in the cloud
SQL Azure Database
Data Hub
Others (Future)
Relational database as a service
Highly available, automatically maintained
Extension of the SQL Server Data Platform
.NET Services
SQL Services
Applications
Live Services
Windows Azure
Applications
Windows
Mobile
Windows
Vista/XP
Windows
Server
Others

Extending SQL Server Data Platform to the Cloud
Data Sync
Reference Data
Database
Symmetric Programming Model
Data Hub Aggregation
Initial services – core RDBMS capabilities with SQL Azure Database, Data Sync
Future Offerings
Additional data platform capabilities: Reporting, BI
New services: Reference Data

The New SQL Data Services
Clear Feedback: “I want a database in the Cloud”
Familiar SQL Server relational model
Uses existing APIs & tools
Built for the Cloud with availability and scale
Accessible to all from PHP, Ruby, and Java
Focus on combining the best features of SQL Server running at scale with low friction

The Evolution of SDS
Evolves
BrowserApplication
Application
Application
BrowserApplication
Application
ODBC, OLEDB, ADO.Net PHP, Ruby, …
REST Client
SQL Client*
REST Client
Cloud
Cloud
Windows Azure
REST (Astoria)
Web App
ADO.Net + EF
REST Client
HTTP+REST
HTTP+REST
HTTP
TDS
HTTP
Windows Azure
Web App
SQL Client*
Data Center
Data Center
TDS + TSQL Model
REST/SOAP + ACE Model
SDS Next
SDS Current
* Client access enabled using TDS for ODBC, ADO.Net, OLEDB, PHP-SQL, Ruby, …

SQL Azure Network Topology
Applications use standard SQL client libraries: ODBC, ADO.Net, PHP, …
Application
Internet
Azure Cloud
TDS (tcp)
Security Boundary
Load balancer forwards ‘sticky’ sessions to TDS protocol tier
LB
TDS (tcp)
Gateway
Gateway
Gateway
Gateway
Gateway
Gateway
Gateway: TDS protocol gateway, enforces AUTHN/AUTHZ policy; proxy to CloudDB
TDS (tcp)
SQL
SQL
SQL
SQL
SQL
SQL
Scalability and Availability: Fabric, Failover, Replication, and Load balancing

TDS Gateway
TDS Listener
Capability negotiation
TDS Packet inspection
Security
Logical->Physical mapping via metadata catalog
Enabler for multi-tenet capabilities
Isolation layer

TDS Gateway Layering
Gateway Process
TDS Endpoint
AdminSvc Endpoint
Provisioning Endpoint
Protocol Parser
Business Logic Services
Connection Mgmt
SQL
SQL
SQL
SQL
SQL
SQL

Provisioning
Subscription
Coordinated across all Azure services
Executed in parallel w/retries
Server
May occur between data centers
Point where Geo-location is established
Database
Always occurs within a single data center
Cross node operations executed during this process e.g. add new db to sys.databases on the master

Server Provisioning
Driven by administrator Portal
Provision request is sent to Gateway
Metadata catalog entry created
DNS record (CNAME) created within LiveDNS service
Master DB created
On completion metadata catalog updated

SQL Azure Server Provisioning
Live DNS Cluster
Customer Browser
Live DNS Svc
Datacenter (Sub-Region)
1
5
Portal LB
Gateway LB
2
4
3
6
Front-end Node
Front-end Node
Front-end Node
Front-end Node
Gateway
Gateway
Admin Portal
Admin Portal
7
Backend Node
Backend Node
Backend Node
SQL Server
SQL Server
SQL Server
Mgmt. Services
Mgmt. Services
Mgmt. Services
Fabric
Fabric
Fabric

Database Provisioning
Gateway performs stateful TDS packet inspection
Picks out subset of messages
Parses out args for create database
Makes entry into Gateway metadata catalog
Unused replica set located and reserved
Replica set (UserDB) is prepped for use
Metadata catalog is updated

SQL Azure Database provisioning
TDS Gateway
1
Front-end Node
Protocol Parser
TDS Session
2
3
Gateway Logic
Master Node
Master Cluster
Master Node Components
4
7
5
6
8
Backend Node 1
Backend Node 2
Backend Node 3
SQL Instance
SQL Instance
SQL Instance
SQL DB
SQL DB
SQL DB

SQL Azure Login Process
Login request arrives at the Gateway
Gateway locates MasterDb & UserDb replica sets
Credentials are validated against MasterDb
TDS session is opened to UserDB and requests are forwarded

SQL Azure Login Process
TDS Gateway
7
1
Front-end Node
Protocol Parser
TDS Session
2
6
Gateway Logic
Master Node
Global Partition Map
Master Node Components
3
8
4
5
Backend Node 1
Backend Node 2
Backend Node 3
SQL Instance
SQL Instance
SQL Instance
SQL DB
SQL DB
SQL DB

Service Resilience
Provisioning
State machines used to coordinate activities across node (and datacenter) boundaries
Failed provisioning attempts cleaned automatically after 10 minutes
Login
Failovers during the login will be transparent (<30 seconds)
Metadata catalog refresh occurs automatically
Active Session
Surface as connection drops (due to state)

Monitoring Service Health
Metrics
Cluster wide performance counters gather key metrics on the service
Used to alert Operations to issues before they become a problem
Early warning system
Code issues
Capacity warnings
Health
Exercises the service routinely looking for problems
When issues are encountered runs deep diagnostics
Network connectivity at the node level
Validate all dependent services (Live DNS, Live ID, etc)
Monitoring from other MSFT DC’s
Validates accessibility from multiple geographic locations
Alerts fired automatically when test jobs fail

Security/Attack Considerations
Service
Secure channel required (SSL)
Denial Of Service trend tracking
Packet Inspection
Server
IP allow list (Firewall)
Idle connection culling
Generated server names
Database
Disallow the most commonly attacked user id’s (SA, Admin, root, guest, etc)
Standard SQL Authn/Authz mode

Wrap Up
Reviewed SQL Azure Architecture & Workflows
Provisioning (Server & DB)
Login
Service Resilience & Health
Failure detection and correction
How we determine service health
Security considerations
Attack vectors and mitigations
Questions?

Links
http://comunidadwindows.org
http://ecastrom.blogspot.com
http://www.sqlazurelabs.com
http://www.microsoft.com/windowsazure/
http://sql.azure.com/

http://comunidadwindows.org	36
http://mswindowscr.org	17
http://www.slideshare.net	10
http://comunidadwindows.com	1

SQL under the hood

by Eduardo Castro on May 11, 2010

Accessibility

Tags

Upload Details

Usage Rights

4 Embeds 64

Statistics

SQL under the hood — Presentation Transcript