Securing Azure Sql Server

•

0 likes•115 views

How to Secure SQL Server in Azure using Service Endpoints, auditing, threat detection and dynamic data masking. Scripts to show how to enable these features.

Technology

Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Access Azure SQL from Azure VMs through the Microsoft Azure backbone network
without the need for internet endpoints on the SQL Server
Securing your Azure SQL Server
Mitesh Chauhan

Why should we use service endpoints ?
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Access Azure SQL from Azure VMs through the Microsoft Azure backbone network
without the need for internet endpoints on the SQL Server.
• Neater way to access SQL from Azure VNET (No NAT device, load balancer or SQL public IP required)
• If using forced tunnelling, you can now access SQL Server directly
Notes
• Service endpoints are applied at the subnet level, consider this in your virtual network design
• VNET and SQL Server must be in the same region, can be in different subscriptions
• There can be many unique service endpoints per subnet
• Accessing SQL via service endpoints does NOT mean the SQL Server becomes part of your virtual network

SQL Database Server with Internet Endpoints
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com

SQL Database Server with Service Endpoints
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com

Steps required for connecting SQL Server to Subnet
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
VNET
Create a service endpoint on your subnet
• Specify which service (SQL) in which region can access the Subnet
Azure SQL Server
Create SQL Server Firewall Rule to connect to service endpoint for the subnet.
• Specify which Service Endpoint in which vnet/ subnet to allow connections from.
Network Security Group (NSG = Layer 4 Firewall Rules)
Allow SQL traffic from desired region.
• Attach NSG to required subnet

Tips To Secure Your SQL Server Further
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
1. Use NSGs to lock down access to only the SQL service and region required
We can select SQL or Storage for the service endpoint. We can then specify the service and the region in an NSG
Security Features available for your production databases / servers
2. Enable Auditing and Threat Detection
3. Databases are encrypted by default. Microsoft Manage the encryption and keys.
• Option to Bring Your Own Keys is also available.

Tips To Secure Your SQL Server Further
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Use Dynamic Data Masking to protect personal data – Create Rules
Enable dynamic data masking on your columns in your tables that have personally identifiable information.

Additional Reference
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Subnet View
• One service endpoint created
• Service endpoint allows access FROM selected Azure SQL
Services

Additional Reference
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
NSG Inbound Firewall Rules View
• Rules are applied to all VMs in the subnet the NSG is attached to
• Rule 110 = Known IP address has RDP access
• Rule 200 = Allow access FROM the SQL Service running in the Azure East US Region
• No Outbound rules configured (default is to allow all outbound traffic).

Additional Reference
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
Azure SQL Server Firewall Rules View
• Access to all Azure Services switched Off
• No Internet endpoint rules configured
• (client IP address shown for info only)
• Subnet with the service endpoint Selected

Additional Reference
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
SQL Server Security Settings View
• Auditing and Threat Detection Enabled
• Notification Email Set
• Database Encryption Enabled (by default) with Microsoft Managed Keys.

Microsoft Source Reference
Mitesh.chauhan@outlook.com
@miteshchauhanuk
Miteshc.wordpress.com
• Use Virtual Network service endpoints and rules for Azure SQL Database
• https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview
• Virtual Network Service Endpoints
• https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits

What's hot

SQL Server 2008 Security Overview

ukdpe

Asp.net identity dot netconf

rustd

Dnc2015 azure-microservizi-vforusso

DotNetCampus

In this session I go over what Azure accounts and subscriptions are. Further details are provided about various Admin roles in Microsoft Azure both at account and subscription level. This sessions ends with a demo of everything discussed in this session and singing up for a Trial Azure Subscription. Please subscribe to the channel to stay updated about the training. Also please comment on the training videos. Thank you! http://www.cloudranger.net YouTube: https://www.youtube.com/c/CloudrangerNetwork

Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...

Shawn Ismail

Asp.Net Identity

Marwa Ahmad

ZubZib Black Coffee #9 - ASP.NET Identity

Non Intanon

Sql injection

Praneeth Perera

ASP.NET 13 - Security

Randy Connolly

SynapseIndia dotnet website security development

Synapseindiappsdevelopment

Rc2010 alt architecture

JasonOffutt

What's new in visual studio 2013

Taiseer Joudeh

Introduction to lightning components

Madan Khichi

SQL Server: Security

LearnNowOnline

What's hot (13)

SQL Server 2008 Security Overview

Asp.net identity dot netconf

Dnc2015 azure-microservizi-vforusso

Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...

Asp.Net Identity

ZubZib Black Coffee #9 - ASP.NET Identity

Sql injection

ASP.NET 13 - Security

SynapseIndia dotnet website security development

Rc2010 alt architecture

What's new in visual studio 2013

Introduction to lightning components

SQL Server: Security

Similar to Securing Azure Sql Server

A to z for sql azure databases

Antonios Chatzipavlis

In this webinar, we review the steps necessary to design, set up, and deploy IT cloud infrastructure for running a multi-server, Microsoft SharePoint Server farm on AWS. In this webinar we will also cover how to architect for high availability and provision the relevant AWS services and resources to run SharePoint Server workloads at scale on the AWS Cloud. You will find out where to access available content and tools, such as AWS CloudFormation templates and the Advanced Implementation Guide that will help you quickly implement and customize a scalable, enterprise-class SharePoint Server farm on AWS. This webinar is designed for a technical audience. After the presentation, you will have an opportunity to participate in a live Q&A discussion, where you may write in questions to AWS team members.

AWS Webcast - SharePoint 2013

Amazon Web Services

In this session, we will examine how to use AWS Tools for Windows PowerShell to move a typical in-house application, housed on a "server under someone's desk", to the cloud. We will cover importing the server as a virtual machine image running an Amazon Virtual Private Cloud (Amazon VPC) in Amazon Elastic Compute Cloud (Amazon EC2). We will then show how to configure, maintain, and monitor the running instances by automating AWS infrastructure, including the provisioning of the AWS resources, Amazon EC2 Simple Systems Manager (SSM), and Amazon CloudWatch.

(DEV202) Under the Desk to the AWS Cloud with Windows PowerShell

Amazon Web Services

SCCM on Microsoft Azure

Mohamed Tawfik

Azure privatelink

Udaiappa Ramachandran

New ThousandEyes Product Features and Release Highlights: June 2023

ThousandEyes

Enter The Matrix Securing Azure’s Assets

BizTalk360

Deploying SharePoint on Microsoft Azure #spsnairobi2014. This presentation was done by Martin Njalale of Caytree Partners LLC at Sharepoint Saturday Nairobi event on 18th Oct 2014, held at Techno Brain HQ in Nairobi, Kenya. The presentation starts with an introduction into cloud computing and Microsoft Azure. It then goes ahead to explain how SharePoint can be deployed on Microsoft Azure Virtual Machines.

Deploying SharePoint on Microsoft Azure #spsnairobi2014

Martin Njalale

Companies are struggling to understand the various cloud deployment options and how they will effectively manage their environment. As organizations transition to using cloud solutions for part or all of their database configurations, the IT teams need to understand what choices they must make for ensuring they can meet business expectations for performance, security, and availability. IDERA’s Rob Reinauer shares insights into managing SQL Server environments from cloud to ground so that you can make confident decisions for your database deployments and mitigate the added data risks cloud environments can introduce.

IDERA Slides: Managing the Transition to Hybrid Cloud

DATAVERSITY

24 HOP edición Español -Diferentes técnicas de administración de logins y usu...

SpanishPASSVC

Secure your Azure Web App 2019

Frans Lytzen

Securing your data with Azure SQL DB

Microsoft Tech Community

Haal de mist uit de monitoring van je cloud met System Center 2012 R2 Operati...

wwwally

This webinar reviews our new Remote Desktop Gateway Reference Implementation Guide which will help you deploy Remote Desktop Gateway on AWS in about an hour. Included is an overview of the reference architecture, best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration. Also provided are AWS CloudFormation templates to help automate deployment.

AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud

Amazon Web Services

Data ANZ - Using database for ML.NET.pptx

Luis Beltran

Working with azure database services platform

ssuser79fc19

Azure service fabric overview

Baskar rao Dsn

Do you know that enterprises with more than half their business from cloud generate 1.6X more recurring revenue than other partners? Enterprises are capitalizing on the growing cloud services market by building successful practices on Microsoft Azure, and are outperforming their peers by growing more quickly and profitably. Building a website is one such business initiative. In recent times, building a website has become easier with the new CMS available, but configuring it to be up and running was always a time consuming job. Microsoft Azure enables you to build, deploy and scale your website, while configuring the database and domain, providing the connection string, and setting up FTP account to upload your website. Following topics are covered in this webinar • Introduction to Cloud and Microsoft Azure Capabilities • Overview & Pre-Requisites for Microsoft Azure Websites • Free vs. Shared vs. Standard Websites • Managing your Azure Websites: Preview portal & Command Line • Deploy and scale modern websites with Azure

Microsoft Azure: Deploy and Scale Modern Websites

WinWire Technologies Inc

Microsoft SQL Azure - Building Applications Using SQL Azure Presentation

Microsoft Private Cloud

SQL Azure is built on the SQL Server’s core engine, so developing against SQL Azure is very similar to developing against on-premise SQL Server. While there are certain features that are not compatible with SQL Azure, most T-SQL syntax is compatible. The MSDN link http://msdn.microsoft.com/en-us/library/ee336281.aspx provides a comprehensive description of T-SQL features that are supported, not supported and partially supported in SQL Azure.

Microsoft SQL Azure - Developing And Deploying With SQL Azure Whitepaper

Microsoft Private Cloud

Similar to Securing Azure Sql Server (20)

A to z for sql azure databases

AWS Webcast - SharePoint 2013

(DEV202) Under the Desk to the AWS Cloud with Windows PowerShell

SCCM on Microsoft Azure

Azure privatelink

New ThousandEyes Product Features and Release Highlights: June 2023

Enter The Matrix Securing Azure’s Assets

Deploying SharePoint on Microsoft Azure #spsnairobi2014

IDERA Slides: Managing the Transition to Hybrid Cloud

24 HOP edición Español -Diferentes técnicas de administración de logins y usu...

Secure your Azure Web App 2019

Securing your data with Azure SQL DB

Haal de mist uit de monitoring van je cloud met System Center 2012 R2 Operati...

AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud

Data ANZ - Using database for ML.NET.pptx

Working with azure database services platform

Azure service fabric overview

Microsoft Azure: Deploy and Scale Modern Websites

Microsoft SQL Azure - Building Applications Using SQL Azure Presentation

Microsoft SQL Azure - Developing And Deploying With SQL Azure Whitepaper

Recently uploaded

ICT role in 21st century education and its challenges

rafiqahmad00786416

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Exploring Multimodal Embeddings with Milvus

Zilliz

Architecting Cloud Native Applications

WSO2

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

DBX First Quarter 2024 Investor Presentation

Dropbox

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

MINDCTI Revenue Release Quarter One 2024

MIND CTI

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Manulife - Insurer Transformation Award 2024

The Digital Insurer

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Recently uploaded (20)

ICT role in 21st century education and its challenges

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Exploring Multimodal Embeddings with Milvus

Architecting Cloud Native Applications

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Artificial Intelligence Chap.5 : Uncertainty

DBX First Quarter 2024 Investor Presentation

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

MINDCTI Revenue Release Quarter One 2024

[BuildWithAI] Introduction to Gemini.pdf

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Axa Assurance Maroc - Insurer Innovation Award 2024

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Manulife - Insurer Transformation Award 2024

CNIC Information System with Pakdata Cf In Pakistan

Securing Azure Sql Server

1. Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server Securing your Azure SQL Server Mitesh Chauhan

2. Why should we use service endpoints ? Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server. • Neater way to access SQL from Azure VNET (No NAT device, load balancer or SQL public IP required) • If using forced tunnelling, you can now access SQL Server directly Notes • Service endpoints are applied at the subnet level, consider this in your virtual network design • VNET and SQL Server must be in the same region, can be in different subscriptions • There can be many unique service endpoints per subnet • Accessing SQL via service endpoints does NOT mean the SQL Server becomes part of your virtual network

3. SQL Database Server with Internet Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com

4. SQL Database Server with Service Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com

5. Steps required for connecting SQL Server to Subnet Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com VNET Create a service endpoint on your subnet • Specify which service (SQL) in which region can access the Subnet Azure SQL Server Create SQL Server Firewall Rule to connect to service endpoint for the subnet. • Specify which Service Endpoint in which vnet/ subnet to allow connections from. Network Security Group (NSG = Layer 4 Firewall Rules) Allow SQL traffic from desired region. • Attach NSG to required subnet

6. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com 1. Use NSGs to lock down access to only the SQL service and region required We can select SQL or Storage for the service endpoint. We can then specify the service and the region in an NSG Security Features available for your production databases / servers 2. Enable Auditing and Threat Detection 3. Databases are encrypted by default. Microsoft Manage the encryption and keys. • Option to Bring Your Own Keys is also available.

7. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data – Create Rules Enable dynamic data masking on your columns in your tables that have personally identifiable information.

8. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data - Results Any non admin accounts (that have not been excluded) will only see masked data. Example Masking rule on customertable, EmailAddress Column RESULT > > >

9. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Subnet View • One service endpoint created • Service endpoint allows access FROM selected Azure SQL Services

10. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com NSG Inbound Firewall Rules View • Rules are applied to all VMs in the subnet the NSG is attached to • Rule 110 = Known IP address has RDP access • Rule 200 = Allow access FROM the SQL Service running in the Azure East US Region • No Outbound rules configured (default is to allow all outbound traffic).

11. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Azure SQL Server Firewall Rules View • Access to all Azure Services switched Off • No Internet endpoint rules configured • (client IP address shown for info only) • Subnet with the service endpoint Selected

12. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com SQL Server Security Settings View • Auditing and Threat Detection Enabled • Notification Email Set • Database Encryption Enabled (by default) with Microsoft Managed Keys.

13. Microsoft Source Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com • Use Virtual Network service endpoints and rules for Azure SQL Database • https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview • Virtual Network Service Endpoints • https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits

Securing Azure Sql Server

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Similar to Securing Azure Sql Server

Similar to Securing Azure Sql Server (20)

Recently uploaded

Recently uploaded (20)

Securing Azure Sql Server