Demystifying azure networking for on premises-azure databases
Download as PPTX, PDF0 likes223 views
This document discusses Azure SQL connectivity, covering connection processes, firewall rules, and secure connections between Azure services and on-premises SQL servers. It outlines the differences between server-level and database-level firewall rules, as well as connectivity options like VNet service endpoints and Azure Private Link. Additionally, various connectivity patterns and their configurations are demonstrated, highlighting their benefits for secure and reliable access to databases.
Demystifying azure networking for on premises-azure databases
- 1. Sponsored by
- 2. Demystifying Azure Networking for SQL Server/Azure SQL Databases Mohamed Wali @_Mwaly Author, Speaker & DevOps Engineer @Knab
- 3. Agenda Azure SQL Connectivity Azure SQL Firewall Rules VNet Service Endpoints Secure the Connection between Azure App Services and Databases On-Prem SQL Server with App Service Azure Private Link Q&A
- 4. Azure SQL Connectivity Process • Using the public IP address on port 1433 of the database, the client connect to gateway. • Based on the applied connection policy, the traffic will be redirected or proxied to the DB cluster. • Within the DB cluster the traffic will be forwarded to the right database.
- 5. Azure SQL Connectivity Architecture Reference: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-connectivity-architecture#connectivity-architecture
- 6. Azure SQL Connection Policies • Redirect: The traffic originating from the client goes directly to the node hosting the database resulting in lower latency and higher throughput. • Proxy: The traffic originating from the client has to be proxied via Azure SQL Database gateways resulting in higher latency and lower throughput. • Default: Unless you are explicitly specifying the connection policy, it would be “Redirect” for the traffic originating from within Azure, and “Proxy” for the traffic originating from outside Azure.
- 7. Demo: Change Azure SQL Connection Policies
- 8. Server-level vs Database-level Firewall rules • Allows access to all databases within the server. • The rules are stored in the master database. • Can be configured via: • Azure Portal • PowerShell • Transact-SQL statements Server-level • Allows access to specific databases within the server. • The rules are stored in the individual database. • You can’t configure it until you configure first the server-level database. • Can be configured via Transact-SQL statements. • If the IP address range configured at the database-level is different than the range on server-level, only the clients with IP address from the range of the database-level can access the database. Database-level
- 9. How the Firewall works for Azure SQL? • When the client initiate the connection, it verifies whether the client IP address is in the allowed range or not at the database level. • If the client IP address is in range, the connection would be forwarded to the appropriate database in Azure SQL Server. • If not, it verifies whether the client IP address is in the allowed range or not at the server level. • If allowed, the connection would be forwarded to the appropriate server where he can connect to database he wants within the server. • If not, the connection would be refused.
- 10. Demo: Configure Firewall Rules
- 11. VNet Service Endpoints • Extend VNet to Azure Services • Make use of Microsoft Azure backbone network • Faster, Reliable and Secure
- 12. How Service Endpoints Works? Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#securing-azure-services-to-virtual-networks
- 13. Services support Service Endpoints Azure Storage Azure SQL Database Azure SQL Data Warehouse Azure Database for PostgreSQL server Azure Database for MySQL server Azure Database for MariaDB Azure Cosmos DB Azure Key Vault Azure Service Bus Azure Event Hub Azure Data Lake Store Gen 1 Azure App Service Azure Container Registry Preview!
- 15. Secure the Connection between Azure App Services and Databases
- 16. Securing Web App to DB Connection Patterns App Service Internet Azure Virtual Network Point to Site VPN App Service Environment Azure Virtual Network Azure Storage Azure SQL Service Endpoints Pattern 1: VNet Integration Pattern 2: Extending VNets
- 17. New VNet Integration • No gateway needed • Support for ExpressRoute and Service Endpoints • Require Subnet delegation to allow the access between App service and Azure SQL App Service Internet Azure Virtual Network Azure SQL Service Endpoints Delegated subnet
- 18. Demo: New VNet Integration
- 19. On-Prem SQL Server with Azure App Service
- 20. App Service Hybrid Connection • Allow App Service to access on-prem services securely • The on-prem service doesn’t has to be internet accessible • The single app service can provide access in multiple networks • All the connections are outbound over standard web ports. Therefore, no firewall holes needed
- 22. Azure Private Link • Provides private connectivity from VNet, peered networks and on- premises • Built-in exfiltration protection • Improved control over the services by having a predictable IP address space to consume the services, integration with Azure DNS private zone, and having an approval workflow
- 23. What is Private Endpoint? 10.1/16 Private Endpoint 10.1.1.5
- 24. Services support Private Link Azure Storage Azure SQL Database Azure Private Link Service Preview! Preview! Preview!
- 25. Private Endpoints VS Service Endpoints
- 26. Private Link Limitations • Still in Preview • Doesn’t co-exist with Service Endpoints
- 27. Demo: Private Endpoint for Azure SQL
- 28. Q&A