As part of the JoTechies global azure bootcamp event in Jordan April 22, 2017, Raghda Abd Aldeen is talking about Azure SQL databases is talking a

1. Become Azure
SQL Database
Rockstar
RaghdaAbdAldeen
April2017
JoTechies
www.jotechies.com

2. raabdald@Microsoft.com
@RaghdaAldwaimeh
www.linkedin.com/in/
raghda-abd-al-deen-15408839/
raghda.aldawaimeh
RaghdaAbdAldeen

3. Jo Techies
JoTechies is a Tech community that
provides education, help and social
events for IT professional in Jordan
and helps you network with local IT
peers.
@JoTechies
JoTechies
www.JoTechies.com

4.  Understanding Azure SQL
 What is it
 Five Goals
 Database Levels/DTUs
 Migration Process
 Performance and tuning
 Secure and protect Data
 Geo-Replication and Geo-Restore

5. Low Control
Shared
Lowercost
Dedicated
Highercost
High Control
Hybrid Cloud
100% Compatibility
Rapid self-service provisioning
SQL Server in WA VM - IaaS
Virtualized Machine
SQL Server
Physical Machine (raw iron)
Full h/w control
Roll-your-own HA/DR/scale
Managed database service
Focus on business logic
Virtualized Database
WA SQL Database - PaaS
Elastic/Self-Service capabilities
Full h/w control
SQL Server PrivateVirtualized Machine
SQL Server on Azure - IaaS

6.  SQL Server as Service
 Service managed by Microsoft
 Almost 0 maintenance
 Resources oriented to use your database
 Based on DTU (Data Throughput Unit) (Basic,
Standard, Premium, Elastic DB Pool, ADW)

7. → Each database in Azure SQL Database is associated with a logical server. The
database can be:
•A single database with its own set of resources (DTUs)
•Part of an elastic pool that shares a set of resources (eDTUs)

8. DTU is defined by the bounding box for the
resources required by a database workload and
measures power across performance levels..
% CPU
% read % write
% memory
Across Basic, Standard, and Premium, Premium RS,
each performance level is assigned a defined level of
throughput
Introducing the Database Throughput Unit (DTU)
which represents database power and replaces
hardware specs
Redefined
Measure of
power

9. Single
Database
ElasticPool
Database
Basic — 5 DTU
S0 — 10 DTU
S1 — 20 DTU
S2 — 50 DTU
S3 — 100 DTU
P1 — 125 DTU
P2 — 250 DTU
P4 — 500 DTU
P6 — 1,000 DTU
P11 — 1,750 DTU
P15 – 4,000 DTU
IO-intensive workloads
that do not require the
highest availability
guarantees
PRS1 — 125 DTU
PRS2 — 250 DTU
PRS4 — 500 DTU
PRS6 — 1000 DTU

10. Area Limit Description
Databases per server Up to 5000 Up to 5000 databases are
allowed per server on V12
servers.
DTUs per server 45000 45000 DTUs are allowed per
server on V12 servers for
provisioning standalone
databases and elastic pools. The
total number of standalone
databases and pools allowed per
server is limited only by the
number of server DTUs.
Other SQL Database limits

11. Tools to manage & develop with Azure SQL Database

16. Elastic Databases
Provisioning resources for the entire pool
rather than for single databases simplifies
your management tasks. Plus you have a
predictable budget for the pool.
eDTUS consumption
Individual databases are
given the flexibility to auto-
scale within set parameters.
Under heavy load a
database can consume
more eDTUs to meet
demand.
Databases under light
loads consume less, and
databases under no load
don’t consume any eDTUs.
16

17. Elastic Databases
17

18. Workers & requests limits
equivalent to single DBs DTU
% CPU
% read % write
% memory
Elastic Databases

21. Memory
impact on
performance -
I/O
In case of
problem,
scale up
•Online Process
•Found the issue with QDS.
Check
your
Database
•Metrics
•Alerts
•Monitoring tools
Migration
Process
•Transactional Replication without
downtime.
•SQL Azure Migration Wizard
Choose
the
Model
•Single/Elastic
•Performance counters.
•Reviewed instance configuration.
•Azure SQL database calculator tool.
http://dtucalculator.azurewebsites.net/

22. • Azure SQL DB as a subscriber of SQL
Server Transactional Replication.
• Two main scenarios:
1. Migrate your data to Azure SQL DB with no
downtime.
2. Bridge SQL Server on-premises/on VMs to
Azure SQL DB.

24. for archiving or for moving to another platform.
 database schema and data to a BACPAC file.
 BACPAC file can be stored in Azure blob storage or in local storage in an on-premises
location and later imported back into Azure SQL Database or into a SQL Server on-premises installation
no write activity is occurring during the export.
 exporting from a transactionally consistent copy of your Azure SQL database.

25. SQLPackage utility
SQL Server Management Studio
PowerShell

26. a snapshot of the source database as of the time of the copy request.
same server or a different server.
different performance level within the same service tier (edition).
fully functional, independent database.
can upgrade or downgrade it to any edition
logins, users, and permissions can be managed independently.
Azure portal, Transact-SQL,Powershell
Copy Azure SQL DB

28. Long Term
Retention – 10
years of backup
High availability
Disaster Recovery
3 copies of the data
Geo-Replication (additional)
Geo-Replicated Storage
Point-In-Time Restore with Data Center
change
Recover a DB deleted.
• Backup Full, Differential and Transaction Log every
5-10 minutes.
* Estimated Recovery Time (ERT) - The estimated duration
for the database to be fully functional after a restore/failover
request. † Recovery Point Objective (RPO) - The amount of
most recent data changes (time interval) the application
could lose after recovery.

29. •The vault must be created in the same Azure subscription that created
the SQL server and in the same geographic region and resource group.
•You then configure a retention policy for any database. The policy
causes the weekly full database backups be copied to the Recovery
Services vault and retained for the specified retention period (up to 10
years).
•You can then restore from any of these backups to a new database in
any server in the subscription. The copy is performed by Azure storage
from existing backups and has no performance impact on the existing
database

30. GEO-Replication
30
• Recovery from an outage
• Standard Geo-replicación
• Geo-restore
• Configure geo-replication for Azure SQL Database with the Azure Portal

31. Security Approach in SQL Server
Sessions
Active Directory
Security
Azure Active Directory
Security
Firewall
Encryption
Transparent Data
Encryption
Always Encrypted
TLS (connection
string)
Data protection
Row-level security
Dynamic data
masking
Analysis
SQL Auditing
Threat Detection
C2 common
SQL Server Audit
Azure SQL PaaS SQL Server IaaS/On-Premise All implementations

32. Security Approach – Control Database Access
Port: 1433
Protocol: TCP
Encrypted
Proxy:
• Protect
connection
• Check
firewall rules
Authentication
Method.
ADO
.NET 4.6
ADALSQL
AAD

33. Security Approach – Control Application Access
Dynamic Data Masking
Row-Level Security
Centralize your
row access logic
within the
database.
Limit the exposure of
sensitive data by
obfuscating query results
for app users and
engineer

34. Demo - Dynamic Data Masking
CREATE USER Peter FOR LOGIN Peter;
GRANT SELECT ON Contacto TO Peter;
CREATE TABLE Contacto
(ID int IDENTITY PRIMARY KEY,
Nombre varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
Apellido varchar(100) NOT NULL,
NrTlf varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
Email varchar(100) MASKED WITH (FUNCTION = 'email()') NULL);
INSERT Contacto (Nombre, Apellido, NrTlf, Email) VALUES
('Roberto', 'Torres', '91551234567', 'RTorres@contoso.com'),
('Juan', 'Galvin', '95551234568', 'JGalvin@contoso.com'),
('José', 'Garcia', '95551234569', 'Jgarcia@contoso.net');
EXECUTE AS USER = 'Peter';
SELECT * FROM Contacto;
REVERT;

35. Demo - Row Level Security
CREATE TABLE Protegido
(ID int IDENTITY PRIMARY KEY,
Nombre varchar(100) MASKED WITH (FUNCTION =
'partial(1,"XXXXXXX",0)') NULL,
Apellido varchar(100) NOT NULL,
NrTlf varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
Email varchar(100) MASKED WITH (FUNCTION = 'email()') NULL,
UserID int );
select * from sys.database_principals
INSERT Protegido (Nombre, Apellido, NrTlf, Email, UserId) VALUES
('Roberto', 'Torres', '91551234567', 'RTorres@contoso.com', 5),
('Juan', 'Galvin', '95551234568', 'JGalvin@contoso.com', 5),
('José', 'Garcia', '95551234569', 'Jgarcia@contoso.net',1);
CREATE FUNCTION SecPred(@userId int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 as valor WHERE @userId = user_id()
CREATE SECURITY POLICY [secpol] ADD FILTER PREDICATE
[dbo].[SecPred]([UserId]) on [dbo].[Protegido]
GRANT SELECT ON protegido TO Peter;
GRANT SELECT ON protegido TO Ken;
EXECUTE AS USER = 'Kent';
SELECT * FROM protegido;
REVERT;
EXECUTE AS USER = 'Peter';
SELECT * FROM protegido;
REVERT;

36. Security Approach – Proactive monitoring
SQL Auditing
Threat Detection
Logged Database events
Detects suspicious database activities indicating
possible malicious intent to access, breach or
exploit data in the database
Analyzing

37. Security Approach – How Connections work
SQL Auditing
servername.database.windows.net
TCP, Port: 1433
P S
S
S
servername.database.secure.windows.net
TCP, Port: 1433
Connection is redirected
via TDS protocol
TDS <3.2 – JDBC
SQL Auditing Enabled

38. Security Approach - SQL Auditing
Audit Records Example

39. Security Approach - SQL Auditing
Setup

40. Security Approach - SQL Auditing
Data Captured Visualization
40

41. Security Approach - SQL Auditing
Threat Detection Example
Threat Detection detects anomalous database activities indicating
potential security threats to the database.

42. Troubleshooting Steps
Always
• Investigate
Update
Statistics.
Then
• Investigate
Missing
Indexes.
Consider
• Reducing
Fragmentatio
n levels.
Queries
• Right
Workload
for DTU
Level?
Tools
• QDS
• Extende
d Events
• QPI.
Engage
Microsoft
• We can
help!
TroubleshootingSteps

43. Query Data Store
 It is a persisted database with query execution information for
 SQL Server 2016
 Azure SQL DB V12
 Query Performance Tuning and Troubleshooting
 SQL Profiler replacement in some parts.
 Minimum impact for SQL Engine in SQL Server or Azure SQL DB.
 Other tools like Query Performance Insight, Index Advisor are using QDS Information.
 SSMS Reports Supported for SQL Server and Azure SQL Database.
 Catalog Views all available.
 Active or disable this feature demand.
 Use Extended Events to capture the information.

44. Alerts and events
Define
rule
Specify
threshold
Threshold
violated
Alert rule
active
Registers
an alert
Send E-
mail
(optional)

45. Alert Rules
Blocked by
Firewall
Failed
Connections
Successful
Connections
CPU
Percentage
Deadlocks
DTU
Percentage
Log IO
Percentage
Data IO
Percentage
Total
Database Size

46. Thank You
JoTechies
www.jotechies.com
Q & A

47. Event Sessions