SlideShare a Scribd company logo

Securing Azure Sql Server

M
Mitesh Chauhan

The document explains how to access Azure SQL from Azure VMs using service endpoints, emphasizing that this method does not require an internet endpoint on the SQL server. It outlines the steps to implement service endpoints, configure network security groups (NSGs), and further secure SQL servers through auditing, encryption, and dynamic data masking. Key features include direct access from Azure Virtual Network (VNet) without NAT or load balancers and the requirement for the VNet and SQL server to be in the same region.

Technology
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server Securing your Azure SQL Server Mitesh Chauhan
Why should we use service endpoints ? Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server. • Neater way to access SQL from Azure VNET (No NAT device, load balancer or SQL public IP required) • If using forced tunnelling, you can now access SQL Server directly Notes • Service endpoints are applied at the subnet level, consider this in your virtual network design • VNET and SQL Server must be in the same region, can be in different subscriptions • There can be many unique service endpoints per subnet • Accessing SQL via service endpoints does NOT mean the SQL Server becomes part of your virtual network
SQL Database Server with Internet Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com
SQL Database Server with Service Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com
Steps required for connecting SQL Server to Subnet Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com VNET Create a service endpoint on your subnet • Specify which service (SQL) in which region can access the Subnet Azure SQL Server Create SQL Server Firewall Rule to connect to service endpoint for the subnet. • Specify which Service Endpoint in which vnet/ subnet to allow connections from. Network Security Group (NSG = Layer 4 Firewall Rules) Allow SQL traffic from desired region. • Attach NSG to required subnet
Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com 1. Use NSGs to lock down access to only the SQL service and region required We can select SQL or Storage for the service endpoint. We can then specify the service and the region in an NSG Security Features available for your production databases / servers 2. Enable Auditing and Threat Detection 3. Databases are encrypted by default. Microsoft Manage the encryption and keys. • Option to Bring Your Own Keys is also available.
Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data – Create Rules Enable dynamic data masking on your columns in your tables that have personally identifiable information.
Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data - Results Any non admin accounts (that have not been excluded) will only see masked data. Example Masking rule on customertable, EmailAddress Column RESULT > > >
Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Subnet View • One service endpoint created • Service endpoint allows access FROM selected Azure SQL Services
Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com NSG Inbound Firewall Rules View • Rules are applied to all VMs in the subnet the NSG is attached to • Rule 110 = Known IP address has RDP access • Rule 200 = Allow access FROM the SQL Service running in the Azure East US Region • No Outbound rules configured (default is to allow all outbound traffic).
Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Azure SQL Server Firewall Rules View • Access to all Azure Services switched Off • No Internet endpoint rules configured • (client IP address shown for info only) • Subnet with the service endpoint Selected
Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com SQL Server Security Settings View • Auditing and Threat Detection Enabled • Notification Email Set • Database Encryption Enabled (by default) with Microsoft Managed Keys.
Microsoft Source Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com • Use Virtual Network service endpoints and rules for Azure SQL Database • https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview • Virtual Network Service Endpoints • https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits

More Related Content

PPTX
What's New in ASP.NET Identity - TRINUG Sept 2014
Derek Smith
 
PPTX
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
Shawn Ismail
 
PPTX
Identity in ASP.NET Core
ondrejbalas
 
ODP
Authentication & Authorization in ASPdotNet MVC
Mindfire Solutions
 
PPTX
Microsoft asp.net identity security
rustd
 
PPTX
48. Azure Active Directory - Part 1
Shawn Ismail
 
PPTX
Get Started With Microsoft Azure Cloud Service
Jayant Chauhan
 
PDF
Microservices with Spring Boot Tutorial | Edureka
Edureka!
 
What's New in ASP.NET Identity - TRINUG Sept 2014
Derek Smith
 
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
Shawn Ismail
 
Identity in ASP.NET Core
ondrejbalas
 
Authentication & Authorization in ASPdotNet MVC
Mindfire Solutions
 
Microsoft asp.net identity security
rustd
 
48. Azure Active Directory - Part 1
Shawn Ismail
 
Get Started With Microsoft Azure Cloud Service
Jayant Chauhan
 
Microservices with Spring Boot Tutorial | Edureka
Edureka!
 

What's hot (13)

PPT
SQL Server 2008 Security Overview
ukdpe
 
PPTX
Asp.net identity dot netconf
rustd
 
PPTX
Dnc2015 azure-microservizi-vforusso
DotNetCampus
 
PPTX
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Shawn Ismail
 
PPTX
Asp.Net Identity
Marwa Ahmad
 
PPSX
ZubZib Black Coffee #9 - ASP.NET Identity
Non Intanon
 
PPTX
Sql injection
Praneeth Perera
 
PPT
ASP.NET 13 - Security
Randy Connolly
 
PPT
SynapseIndia dotnet website security development
Synapseindiappsdevelopment
 
PPTX
Rc2010 alt architecture
JasonOffutt
 
PPTX
What's new in visual studio 2013
Taiseer Joudeh
 
PPTX
Introduction to lightning components
Madan Khichi
 
KEY
SQL Server: Security
LearnNowOnline
 
SQL Server 2008 Security Overview
ukdpe
 
Asp.net identity dot netconf
rustd
 
Dnc2015 azure-microservizi-vforusso
DotNetCampus
 
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Shawn Ismail
 
Asp.Net Identity
Marwa Ahmad
 
ZubZib Black Coffee #9 - ASP.NET Identity
Non Intanon
 
Sql injection
Praneeth Perera
 
ASP.NET 13 - Security
Randy Connolly
 
SynapseIndia dotnet website security development
Synapseindiappsdevelopment
 
Rc2010 alt architecture
JasonOffutt
 
What's new in visual studio 2013
Taiseer Joudeh
 
Introduction to lightning components
Madan Khichi
 
SQL Server: Security
LearnNowOnline
 
Ad

Similar to Securing Azure Sql Server (20)

PPTX
Demystifying azure networking for on premises-azure databases
Mohamed Wali
 
PPTX
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Thuan Ng
 
PPTX
Securing an Azure full-PaaS architecture - Data saturday #0001 Pordenone
Marco Obinu
 
PPTX
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
European Collaboration Summit
 
PPTX
Azure Network Security Groups (NSG)
Shawn Ismail
 
PDF
Windows azure sql_database_security_isug012013
sqlserver.co.il
 
PDF
Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
Lars Platzdasch
 
PDF
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
NCCOMMS
 
PPTX
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
jayshuklatrainer
 
PPTX
Securing your data with Azure SQL DB
Microsoft Tech Community
 
PPTX
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
kreshenka
 
PDF
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Tobias Koprowski
 
PDF
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
Tobias Koprowski
 
PDF
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
Tobias Koprowski
 
PPTX
Enter The Matrix Securing Azure’s Assets
BizTalk360
 
PDF
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
Tobias Koprowski
 
PPTX
JoTechies - Azure SQL DB
JoTechies
 
PDF
Working with azure database services platform
ssuser79fc19
 
PPTX
Sql server lesson11
Ala Qunaibi
 
PPTX
Securing your data with Azure SQL DB
Cheah Eng Soon
 
Demystifying azure networking for on premises-azure databases
Mohamed Wali
 
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Thuan Ng
 
Securing an Azure full-PaaS architecture - Data saturday #0001 Pordenone
Marco Obinu
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
European Collaboration Summit
 
Azure Network Security Groups (NSG)
Shawn Ismail
 
Windows azure sql_database_security_isug012013
sqlserver.co.il
 
Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
Lars Platzdasch
 
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
NCCOMMS
 
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
jayshuklatrainer
 
Securing your data with Azure SQL DB
Microsoft Tech Community
 
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
kreshenka
 
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Tobias Koprowski
 
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
Tobias Koprowski
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
Tobias Koprowski
 
Enter The Matrix Securing Azure’s Assets
BizTalk360
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
Tobias Koprowski
 
JoTechies - Azure SQL DB
JoTechies
 
Working with azure database services platform
ssuser79fc19
 
Sql server lesson11
Ala Qunaibi
 
Securing your data with Azure SQL DB
Cheah Eng Soon
 
Ad

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

Securing Azure Sql Server

  • 1. Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server Securing your Azure SQL Server Mitesh Chauhan
  • 2. Why should we use service endpoints ? Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Access Azure SQL from Azure VMs through the Microsoft Azure backbone network without the need for internet endpoints on the SQL Server. • Neater way to access SQL from Azure VNET (No NAT device, load balancer or SQL public IP required) • If using forced tunnelling, you can now access SQL Server directly Notes • Service endpoints are applied at the subnet level, consider this in your virtual network design • VNET and SQL Server must be in the same region, can be in different subscriptions • There can be many unique service endpoints per subnet • Accessing SQL via service endpoints does NOT mean the SQL Server becomes part of your virtual network
  • 3. SQL Database Server with Internet Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com
  • 4. SQL Database Server with Service Endpoints Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com
  • 5. Steps required for connecting SQL Server to Subnet Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com VNET Create a service endpoint on your subnet • Specify which service (SQL) in which region can access the Subnet Azure SQL Server Create SQL Server Firewall Rule to connect to service endpoint for the subnet. • Specify which Service Endpoint in which vnet/ subnet to allow connections from. Network Security Group (NSG = Layer 4 Firewall Rules) Allow SQL traffic from desired region. • Attach NSG to required subnet
  • 6. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com 1. Use NSGs to lock down access to only the SQL service and region required We can select SQL or Storage for the service endpoint. We can then specify the service and the region in an NSG Security Features available for your production databases / servers 2. Enable Auditing and Threat Detection 3. Databases are encrypted by default. Microsoft Manage the encryption and keys. • Option to Bring Your Own Keys is also available.
  • 7. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data – Create Rules Enable dynamic data masking on your columns in your tables that have personally identifiable information.
  • 8. Tips To Secure Your SQL Server Further Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Use Dynamic Data Masking to protect personal data - Results Any non admin accounts (that have not been excluded) will only see masked data. Example Masking rule on customertable, EmailAddress Column RESULT > > >
  • 9. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Subnet View • One service endpoint created • Service endpoint allows access FROM selected Azure SQL Services
  • 10. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com NSG Inbound Firewall Rules View • Rules are applied to all VMs in the subnet the NSG is attached to • Rule 110 = Known IP address has RDP access • Rule 200 = Allow access FROM the SQL Service running in the Azure East US Region • No Outbound rules configured (default is to allow all outbound traffic).
  • 11. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com Azure SQL Server Firewall Rules View • Access to all Azure Services switched Off • No Internet endpoint rules configured • (client IP address shown for info only) • Subnet with the service endpoint Selected
  • 12. Additional Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com SQL Server Security Settings View • Auditing and Threat Detection Enabled • Notification Email Set • Database Encryption Enabled (by default) with Microsoft Managed Keys.
  • 13. Microsoft Source Reference Mitesh.chauhan@outlook.com @miteshchauhanuk Miteshc.wordpress.com • Use Virtual Network service endpoints and rules for Azure SQL Database • https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview • Virtual Network Service Endpoints • https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits