I have a logical Azure SQL Server (Paas), this server hosts dbs for an in-house desktop app for people in multiple countries. I want to be able to geofence access to the server only to those countries where I know my clients are.
Using the firewall rules on the server doesn't work because not all my clients have static IP addresses, so I need to be able to accept connections from any IP originating in those countries, which are far more than the 128-entries cap on Azure, even mixing database-level rules with server-level rules isn't enough because that only gives me 256 entries (not to mention the headache it would be to keep that updated).
So, how do I limit access to the server to only those specific countries where my clients are?
Related
Is there a way to determine which firewall IP's have not been used for certain amount of time to log in to sql azure ? I have few IP's and would like to delete the unused ones.
If you have logging enabled you can check which firewall has been used for certain period, like it is used in last months. Please see fire wall logging.
Azure Sql, as per my understanding does not have any ip specific logging and I am not able to find it.
For current sessions while there seems to be way to get client ip from sql server, it does not seems to be available for Azure Sql.
I have question around DLP (data leakage prevention) from a corporate network.
I have a Virtual Machine on a corporate network. The VM can access an Azure SQL DB in the cloud: aaa.database.windows.net through a connection over port 1433.
However, I don't want that same VM to connect to bbb.database.windows.net.
Azure offers no guarantees on the public IP (both servers could appear as the same IP) - what technology can I use on the corporate's perimeter network/firewall to permit access to aaa but disallow access to bbb?
The attack I am concerned about is someone internal to the company querying data out of aaa and inserting it in to bbb. For example, if the one server is ourcorporatedate.database.windows.net and the other is somerandom.database.windows.net the someone internal to the company could take corporate data and write it to some random database.
Thanks
You can use Virtual Network service endpoints and rules. Virtual network rules are one firewall security feature that controls whether your Azure SQL Database or SQL Data Warehouse server accepts communications that are sent from particular subnets in virtual networks. Learn how to use it and benefits/limitations on this documentation.
If database aaa and bbb have the same public IP address. I think there is not a good way to set in the on-premise firewall to permit access to aaa but deny access to bbb. From the same client, the firewall rule will have the same source IP, protocol, port, and destination IP for outbound traffic.
If you want to selectively grant access to just one of the databases in your Azure SQL server, you can only create a database-level rule for the required database. Also, Specify an IP address range for the database firewall rule that is beyond the IP address range specified in the server-level firewall rule, and ensure that the IP address of the client falls in the range specified in the database-level rule. Server level rules allow access to the Azure SQL Server. Which means that the client will have access to all the databases stored on that SQL Server. Refer to this doc.
The current VPN feature in SQL Azure does not directly prevent this (but please look for future updates where this is planned for the service endpoints feature for SQL Azure). However, there are various mitigations you can use to detect or reduce the ability to do this:
You can enable auditing on the aaa database. This can detect all logins and major state changes to the DB. (Detect)
You can reduce the permissions for various kinds of users on the database to the bare minimum and use features which further reduce the size of the data that a customer can copy out of the database at all. This includes row-level security, data masking, always encrypted (which you would lock down to a specific app/user to be able to decrypt sensitive data in the client - other clients without the key just get cypertext), etc.
Use firewall rules (as stated in the other answers) to restrict which clients can connect to the database at all - then you can restrict where they can connect with permissions.
Please note that SQL Azure's logical servers do not generally imply that every customer database in that server has the same IP. Currently there is a knob in service endpoints (docs page is currently down so I can't get you a link atm) to configure whether you go through the per-region gateway or not. If you don't (recommended), you would see the IP of the hosting node and this can change over time. The Service endpoints feature will give VPN users more control for network-level rules going forward, but some of these features have not yet landed in production. I encourage you to mitigate with other steps (above) until that is available to you.
In Azure SQL DBs, can SQL Logins be restricted to specific IPs?
We currently use the Azure firewall rules to whitelist IPs and it works fine. But better security to restrict each SQL login to a specific allowable IP list.
Thanks!
The quick answer is no.
I was looking through the official documentation, here:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-firewall-configure/
As you know, you can have multiple logins and you can have multiple IP address (or ranges of IPs) but I haven't seen anything to combine both login and IP to allow/deny access.
I have a System which has application server and database server.
In the initial stage, both Database and Application Servers run in a same Physical Server. After that we have segregated these two servers in to separate segments in the network. i.e We have defined two separate VLAN s as application and database and put these two servers in to these two different vlans and given the required access permission through the firewall.
After the segregation we had a major issue regarding the slowness between application and db servers. We have checked the network connectivity and we couldn't find any issue from the network side for the slowness.
After that we have put both Application and DB servers in to one server like the implementation stage. Then the slowness issue has rectified.
I want to know what could be happen for this slowness.
Please advice me.
Thank you
We have a staging and production SharePoint farm housed within Windows Azure. All servers run Windows Server 2012. We're having the same issues in both environments, but for this question, I'll focus on the staging environment.
For the staging environment, I have several servers within the SharePoint farm and 2 SQL servers. All servers are located on the same subnet and affinity group. There is a DHCP server that hands out 192.168.X.X addresses for all servers on the subnet.
I've created a WSFC with both SQL servers as nodes. I've tried creating the cluster with an IP of an unused DHCP address (192.168.X.X) and with a link local address (using a PowerShell script to create the cluster found online from Microsoft). In both cases, the cluster IP is not accessible from any machine on the subnet. However, in both cases, the cluster appears to be up and restarting the active node pushes the passive node to the new active node. I think that this may be one of my root problems.
My final goal is to create an SQL Availability Group Listener for SharePoint to use for DB connections. With the cluster created, I am able to create an Availability Group in SQL Management Studio. I can see that it works: when rebooting the primary replica, the secondary turns to primary, all DBs are synced and up to date, etc. However, when I try to create the AG Listener, it fails with an error claiming that it cannot access the cluster or the cluster is not active.
I've read a lot online. Some claim that it's not possible to create AGs in Azure, others claim that this hotfix fixes things (http://support.microsoft.com/kb/2854082), and a few that claim it works when you set the Listener IP to the public endpoint. I've tried them all and haven't had any success. There's got to be some way to increase the reliability of SQL in a totally enclosed, Azure environment. Does anyone have any experience with this? Has anyone gotten it to work? If so, how did you do it? If not, is there another way to go about SQL availability?