How to Secure SQL Server in Azure using Service Endpoints, auditing, threat detection and dynamic data masking. Scripts to show how to enable these features.
2. Why should we use service endpoints?
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Access Azure SQL from Azure VMs through the Microsoft Azure backbone network, without the need for internet endpoints on the SQL Server.
• Neater way to access SQL from Azure VNET (No NAT device, load balancer or SQL public IP required)
• If using forced tunnelling, you can now access SQL Server directly
Notes
• Service endpoints are applied at the subnet level; consider this in your virtual network design
• The VNET and the SQL Server must be in the same region; they can be in different subscriptions
• There can be many unique service endpoints per subnet
• Accessing SQL via service endpoints does NOT mean the SQL Server becomes part of your virtual network
3. SQL Database Server with Internet Endpoints
4. SQL Database Server with Service Endpoints
5. Steps required for connecting SQL Server to Subnet
VNET
Create a service endpoint on your subnet
• Specify which service (SQL) in which region can access the Subnet
Azure SQL Server
Create a SQL Server firewall rule that allows connections from the subnet's service endpoint.
• Specify which service endpoint (in which VNET/subnet) to allow connections from.
Network Security Group (NSG = Layer 4 Firewall Rules)
Allow SQL traffic from desired region.
• Attach NSG to required subnet
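The three steps above (subnet service endpoint, SQL Server firewall rule, NSG attached to the subnet) as an added Azure PowerShell (Az module) example; this is not one of the deck's own scripts. It assumes an existing resource group, VNET, subnet and logical SQL Server with the names given below, the West Europe region, and a signed-in session (Connect-AzAccount).

```powershell
# Added example, not from the original deck: wires one subnet to Azure SQL over a
# service endpoint, restricts the SQL Server firewall to that subnet, and uses an
# NSG to allow SQL traffic only to the region required. All names, the region and
# the service tag below are assumptions.
$rg         = 'rg-sql-demo'      # assumed resource group
$location   = 'westeurope'       # assumed region; VNET and SQL Server must match
$vnetName   = 'vnet-app'
$subnetName = 'snet-app'
$sqlServer  = 'sqlsrv-demo'      # assumed logical SQL Server name

# 1. VNET: enable the Microsoft.Sql service endpoint on the subnet
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Sql' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Azure SQL Server: firewall rule that allows connections only from that subnet
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName "allow-$subnetName" `
    -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 3. NSG: allow SQL traffic to the regional 'Sql.WestEurope' service tag only and
#    deny SQL in every other region (the broader 'Sql' tag), then attach it to the
#    subnet. 1433 covers the Proxy connection policy, 11000-11999 the Redirect one.
$allowSql = New-AzNetworkSecurityRuleConfig -Name 'allow-sql-westeurope' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Sql.WestEurope' -DestinationPortRange '1433','11000-11999'
$denySql  = New-AzNetworkSecurityRuleConfig -Name 'deny-sql-other-regions' -Priority 110 `
    -Direction Outbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Sql' -DestinationPortRange '1433','11000-11999'
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-$subnetName" `
    -Location $location -SecurityRules $allowSql, $denySql
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Sql' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the subnet should now list Microsoft.Sql and the server the new rule
(Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).ServiceEndpoints
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer
```

Once the rule is in place, the SQL Server needs no public-IP firewall entry for these VMs, and the NSG deny rule stops the subnet reaching SQL servers in other regions.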
6. Tips To Secure Your SQL Server Further
1. Use NSGs to lock down access to only the SQL service and region required
We can select SQL or Storage for the service endpoint. We can then specify the service and the region in an NSG rule.
Security Features available for your production databases / servers
2. Enable Auditing and Threat Detection
3. Databases are encrypted by default. Microsoft manages the encryption and the keys.
• Option to Bring Your Own Keys is also available.
7. Tips To Secure Your SQL Server Further
Use Dynamic Data Masking to protect personal data – Create Rules
Enable dynamic data masking on the columns in your tables that hold personally identifiable information.
8. Tips To Secure Your SQL Server Further
Use Dynamic Data Masking to protect personal data - Results
Any non-admin accounts (that have not been excluded from the masking rule) will only see masked data.
Example: a masking rule on the customer table, EmailAddress column (result shown in the screenshot).
13. Microsoft Source Reference
• Use Virtual Network service endpoints and rules for Azure SQL Database: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview
• Virtual Network Service Endpoints: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits