How to connect to azure SQL database without IP whitelisting - azure-sql-database

Someone at the interview asked me a question.
Lets assume there is a new SQL Server being provisioned in the resource group. The question was how would you establish a connectin using azure data factory without whitelisting the IP address.
I responded that we could use Managed Identity.
Could someone guide me to the best practices around it. The securest way to connect to Azure SQL DB.
I answered Managed Identity. However not sure about this.

Managed identity is just a type of authentication to access the Database and the best secure way to access it. But that is not the answer for your query w.r.t whitelisting .
you need to enable this property

Related

How to query AAD Security Group Membership from Azure SQL

I'm trying to find a way from within Azure SQL to either 1) enumerate members of an Azure Active Directory security group or 2) check if a user login is a member of an SG. I've found various articles about doing it from a domain joined standalone SQL installation but not from Azure SQL. Most of the samples for the standalone installation use system sprocs like xp_cmdshell which don't exist in Azure SQL. I know I can create an Azure Function or Logic App to sync users to a table but I'd like to avoid using an external process to do this if possible.
#Kalyan Chanumolu-MSFT's comment should be very helpful to you. This scenario is not supported today.
You can try to use his suggestion.
You will have to talk to Microsoft Graph API from an intermediate like an Azure function to relay the data to Azure SQL Database.
You also can raise a support ticket to confirm it and also can put forward your suggestions in the feedback.

How does authorization and authentication work in Azure SQL server?

I see a couple of different options for access control in Azure SQL server. There is a panel on Azure called access control (IAM) where roles like contributor/reader can be assigned to users.
The second place is the SQL server security artifacts which can be viewed in SSMS. Understanding how one of these policies works is straightforward, but how do these two policies work in tandem?
According your comment, please look at this Azure SQL database document: An overview of Azure SQL Database security capabilities:
This article outlines the basics of securing the data tier of an application using Azure SQL Database. The security strategy described follows the layered defense-in-depth approach as shown in the picture below, and moves from the outside in:
It will help you learn from the Azure SQL database security. To know more about the access control and Authorization.
Azure also gives the security best practices to teach you how to use these them.
Reference: Azure SQL Database security best practices playbook. This document provides guidance on how to solve common security requirements for new or existing applications using Azure SQL Database.
Hope this helps.

API for Azure Database for MySQL

Azure Database for MySQL server is still in preview, though we can created database instance on it.
I wonder do we have any API to retrieve the databases that we created on Azure Database for MySQL server? API for metrics of those databases?
Same questions for Azure Database for PostgreSQL server. Thanks!
Related Azure portal screenshot
We have just released the REST API spec today. You can find it here - https://learn.microsoft.com/en-us/rest/api/mysql/
Here's the REST API reference to list all the databases under a server: https://learn.microsoft.com/en-us/rest/api/mysql/databases#Databases_ListByServer
well, they obviously exist, but they are not publicly available yet. I don't see anything reasonable on the REST API reference page.
You may figure this out using the Azure portal + fiddler combo ;)
What do you mean retrieve the databases? You can connect to them in Visual Studio with your SQL server object explorer and entering the server name Azure gave you as the server. I don't know if I am understanding your question right? You can connect to the database just like any other SQL database using a SqlConnection.
EDIT:
I looked into it a little more:
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-connect-query-dotnet-visual-studio
Essentially what I was saying. Provided you have successfully connected your SQL db to Azure you just access it like any other database. For PostgresSql, look into using NpgsqlConnection instead of SqlConnection. They have very similar functionality.

Azure - IP filter depending on the database

I have a Azure application that use different databases of different servers. This databases are independent, and each sector of my application uses only one database.
I try make a IP filter. This filter must identify the solicitant's ip, and allow access each database or not depending this filter. This give me a way for allow access to A and not to B for a IP, access to B and not to A for another IP, full access for another diferent IP... using the security of Azure.
It's this possible?
Thanks, I wait a answer!
PD: sorry for my horrible english!
Assuming you are referring to SQL Azure hosted databases, you can use Database-Level Firewall settings, which are documented here.
Create a database-level firewall rule by using the
sp_set_database_firewall_rule stored procedure. Add a new firewall
setting for Internet-based connections by specifying a unique name in
the name parameter of the sp_set_database_firewall_rule stored
procedure. Specify the lowest desired IP address in that range with
the start_ip_address parameter and the highest desired IP address in
that range with the end_ip_address parameter. The name parameter is of
the nvarchar data type and the start_ip_address and the end_ip_address
parameters are of the varchar data type.
Similarly, you can enable connection attempts from Windows Azure by
using the sp_set_database_firewall_rule stored procedure with the
parameters start_ip_address and end_ip_address equal to 0.0.0.0.
I'm sure you'll have already found a solution to this given its a couple of months old now, but just in-case...
Assuming I'm understanding correctly, you have a bunch of clients communicating to your application server, which in turn queries one of many database servers. The firewall suggested by mellamokb isn't an option as the client isn't actually hitting the database, and so what's needed has to sit on the application server.
Selecting the connection string used to access the/a database based on the client's IP address is probably what you're after here. If you also need to lock the database down using its native security, you will need to create a named user account for each of your clients.
Alternatively, you could investigate Federations on the Azure SQL Database and use either the client's IP address or a similar identifier as the distribution key.

Is it possible to password protect an SQL server database even from administrators of the server?

I want to install an application (ASP.Net + SQL server 2005 express) in local network of some small company for demoing it for a period of time, but I also want nobody even sysadmin have no permission on this database and any permission granting wants a secure pass that I have .
I just want my tables structure and relations and functions be hidden and encrypting the data have no advantage
I need to spend more time on this article Database Encryption in SQL Server 2008 Enterprise Edition that i found from this answer is-it-possible-to-password-protect-an-sql-server-database
but
1.I like to be sure and more clear on this because the other answer in this page says :
Yes. you can protect it from everyone
except the administrators of the
server.
2.if this is possible, the db have to be enterprise edition ?
3.is there any other possible solutions and workaround for this?
4.if I install a new instance with my own sa password , can i restrict other instances admins from attaching the mdf to their own ?
thanks in advance
These people can access your server or the SQL Server instance no matter what you do
anyone with physical access to the server
domain admins of the network
anyone with the sa password
a windows group with local admin and/or sa rights (which implies group policy etc)
You have to host your server offsite if you want no-one to get to log onto it.
It is that simple
In SQL Server, you cannot "password-protect" a database - what you can do is limit the permissions a given user or role has in your database.
You can DENY anyone access to your database - but that's a bit odd, since no one will be able to use it....
You can do all sorts of stuff to your database tables and logins - but a sysadmin will always be able to get around those things and get access to the database. As long as the sysadmin can get his hands physically on the server, I don't think there's any way to totally shut them out.
If you don't trust even your sysadmins, you have bigger problems.....
There's several different ways you could solve this problem.
Host it offsite - I think the easiest solution would just be to host it offsite. There's loads of cheap shared hosting out there which you could use.
Lock out the sysadmins from that server. Assuming you have root access and only you use/need that server you could change the root password and any other passwords on the server.
Do what you're currently doing and try to make something secure even when someone who shouldn't have access has root access to the server. This way sounds tricky and insecure even at best.
I have a contribution for (3):
I'm guessing (I might be wrong) you don't actually have sensitive information in your database, you just want to make it unfeasible for someone in the local network to use any of your stuff.
If that's the case, you could just make it harder for them to read your data by encrypting the data in the database and having your (compiled) code decrypt it before using it.
This way, any sysadmin who is just curious about the data or wants to change his hiscore to 13371337 will not want to go through the trouble of decompiling your code and/or cracking your encryption (for the duration of your demo) and your (assumed) problem will be solved.
I have no idea if this helps you at all, I guess I just want to say you might want to take a look at your problem again. Since you can't keep the sysadmins away from your stuff, you may want to take a different approach like making it less useful to them.
As discussed by the various other posters, you can't password protect a database - deny permissions - to the sysadmin. One alternative that hasn't been discussed is hosting it on a Laptop. Since this is a demo, you can host the Database and ASP.Net site on a laptop and hook that up to their Network - after Sysadmin permission of course - and have the clients test the application from your laptop.
This will allow you to protect the database from Sysadmins and provide the added benefit that if you want to allow them to see the database you can let them use your laptop and you will be there watching their actions on your database. This last benefit is something that you can't do easily with a hosted solution.
The above answers point 3. As for point 2, you will need the Enterprise Edition of SQL Server to take advantage of Transparent Data Encryption (TDE) as per the comparison link on MSDN. If you click on the Enterprise Security link at the top it will show a table explaining the different security capabilities of the different SQL Server versions and it shows that TDE is only for the Enterprise Edition.