Connection to IaaS DB via ADF - azure-data-factory-2

We have an Azure IaaS database from which we want to copy data via ADF.
For that we are currently using Self hosted IR but since the DB is hosted on an Azure VM itself isn't it possible to directly communicate between ADF and IaaS DB with out IR(By whitelisting some IP or opening some port)

I think you should open some port, otherwise the self-hosted integration runtime can't access the Azure SQL database directly.
According to this post, if your firewall does not allow outbound port 1433. In this case, you can use a staged copy to Azure SQL Database. In this scenario, you would require only HTTPS (port 443) for the data movement.

Related

Azure app service (ASE) SQL Azure connection

I have an app service located inside the app service environment(ASE). I have a virtual network which I have put ASE into the subnet in the Vnet.
What I am trying to do is, I am trying to connect SQL Azure endpoint which is not in Vnet or my azure tenant. ASE has an outbound IP address and when I try to tcpping to azure SQL endpoint, it is responding me without any issue.
The problem is when I try to connect SQL endpoint inside the application, I am getting "Cannot open server" error. It usually happens when there is firewall in SQL Azure endpoint. I have checked log analytics (in target SQL endpoint) and saw my app connection is blocked but when I check the client IP, it shows me private IP of ASE. I really don't understand how it can be possible? I would see my public ip in there, since ASE is external ASE.
Do you have any idea how that can be possible?
If you have enabled the virtual network service endpoint for Microsoft.Sql in the ASE subnet, When you connect to your Azure SQL server with service endpoints turned on, the source IP of SQL connections will switch to the private IP space of your VNet.
If so, you need to allow the given VNet/subnet by specifying it in the VNet firewall rules of the SQL server. If you do not want to use a virtual network service endpoint, you can whitelist the outbound IP address of the application in the firewall of the SQL server.
For more information, you could read the blog1 and blog2.

Connectivity to Azure Managed SQL Instance from local SSMS

I have created a Azure managed sql instance. We have peered the vnet of both managed instance and the local VM vnet. Our organization doesnot allow installing Point-to-site vpn on current VM.
Please advice, how can we connect to managed sql instance from on-premises sql server (SSMS).
Thanks in advance.
Since you try to connect from a SSMS installed on a host located on-premises, on the routing table that is added to the subnet where SQL Managed Instance is deployed, add another route to the routing table for your on premise subnet with next hop Virtual Network Gateway.
Make sure NSG (Network Security Group) rules allow communication between the subnets on port 1433 for this connection.
Please also ensure that you enabled 1433 outbound on the host Windows Firewall, as this will also not be permitted by default.

How to Connect to OnPremise SQL Server from SSMS in Azure VM usign Hybrid Connection Manager

This question is bit on the Reverse Side of Connecting via SSMS from Azure VM to on premise SQL Server.
Can Hybrid connection Manager be used to configure connectivity between Onpremise and Azure such that i can use SSMS from Azure VM to connect to OnPremise SQL Server?
I don't think you can use Hybrid connection Manager to connect between On-premise and Azure network. As far as I know, the HCM is a relay agent and included in a partition of hybrid connection feature. The hybrid connection feature consists of two outbound calls to Azure Service Bus Relay.
For example, if you want web apps in the app service to access the DB in the on-premise network. There is a connection from a library on the host where your app is running in App Service. There is also a connection from the HCM to Service Bus Relay. See how it works. Also, The new Hybrid Connections capability of Relay is a secure, open-protocol evolution based on HTTP and WebSockets. In this case, you could not create a Hybrid Connection from Azure VM to Service Bus Relay via SSMS.
So, If you want to connect the on-premise SQL server from Azure VM via SSMS, you need to set up a VPN connection between Azure and your on-premise network. Read more details about VPN gateway.

New Linked Service (Azure SQL Database) Test connection failed

I'm creating New Linked Service that would allow connecting to PaaS DB but the Test Connection is failing. Things I've checked are:
-Firewall on Logical VM for PaaS DB(Relevant IP are in place)
-Connect to PaaS DB via SSMS(It Works)
-Typos
I've used AutoResolveIntegrationRuntime since DB is in the same RG as the Azure DataFactory. Google didn't help much.
Regards
PS: More info can be provided if needed.
Firstly, make sure you have opened the "Allow access to Azure Service" in firewall setting.
What's your PSSA DB, single database or managed instance?
For single database:
The important thing you need to know that:
For managed instance:
To use copy data from an Azure SQL Database Managed Instance that's located in a virtual network, set up a self-hosted integration runtime that can access the database. For more information, see Self-hosted integration runtime.
If you provision your self-hosted integration runtime in the same virtual network as your managed instance, make sure that your integration runtime machine is in a different subnet than your managed instance. If you provision your self-hosted integration runtime in a different virtual network than your managed instance, you can use either a virtual network peering or virtual network to virtual network connection. For more information, see Connect your application to Azure SQL Database Managed Instance.
Here an tutorial can helps you: Azure SQL Managed Instances and Azure Data Factory: a walk-through.
Hope this helps.

SQL Azure deployment security concerns

We are developing an application that uses a Windows Azure cloud service, and a SQL Azure database. We have an ASP .NET MVC project that uses database-first to create the entities in our Visual Studio solution. Now we need to deploy the database schema to Azure.
Currently this is not possible because our network blocks outbound access on port 1433, which is the only port SQL Azure is available on. We have asked our security team for permission to open port 1433 outbound, but they have some concerns:
There is unencrypted database traffic (port 1433) allowed at Microsoft's firewall over the internet for Azure. Although there is no sensitive information in the database, management credentials are probably in clear text if database credentials are not encrypted and can lead to defacement risks.
What network ports are opened at the internet firewall for access to the system hosting the website and database?
I believe the concern in the first question is that credentials for managing the Azure DB will be sent over on port 1433 unencrypted during deployment. For the second one, I think the answer is that we can configure endpoints to open whatever ports we want for our cloud service, but they are closed by default.
I did some research, but was unable to find any definitive answers on these questions from Microsoft, which makes me think we are asking the wrong questions. I would be interested in insight from anyone with more experience in this than I have.
SQL Azure only accepts encrypted (SSL) communication per the Security Guidelines and Limitations (Windows Azure SQL Database) article here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx
Encryption and Certificate Validation All communications between
Windows Azure SQL Database and your application require encryption
(SSL) at all times. If your client application does not validate
certificates upon connection, your connection to Windows Azure SQL
Database is susceptible to "man in the middle" attacks. To validate
certificates with application code or tools, explicitly request an
encrypted connection and do not trust the server certificates. If your
application code or tools do not request an encrypted connection, they
will still receive encrypted connections. However, they may not
validate the server certificates and thus will be susceptible to "man
in the middle" attacks. To validate certificates with ADO.NET
application code, set Encrypt=True and TrustServerCertificate=False in
the database connection string. For more information, see How to:
Connect to Windows Azure SQL Database Using ADO.NET. SQL Server
Management Studio also supports certificate validation. In the Connect
to Server dialog box, click Encrypt connection on the Connection
Properties tab. SQL Server Management Studio does not support Windows
Azure SQL Database in versions prior to SQL Server 2008 R2.
SQL Azure uses 1433 and 8443. The port requirements for Azure are available here: http://msdn.microsoft.com/en-us/library/windowsazure/jj136814.aspx
If you want to limit firewall traffic to and from specific IP addresses, the Azure datacenter IP ranges are available here: http://msdn.microsoft.com/en-us/library/windowsazure/dn175718.aspx
Some options (in addition to DarrelNorton's answer):
- you can use a dedicated SQL Server VM, then you can use port forwarding and the port issue is not a problem and you have additional firewall options and additional security software you can instal
- dedicated SQL VM allows you to take advantage of TDE (Trans. Data Encryption) in SQL Server or you can do more advanced encryption techniques that are not available in SQL Azure DB
- Dedicated SQL VM you are isolated from other MSFT clients. If you get hacked, you can re provision the VM from scripts
- you can use a Virtual Network connection between the MSFT data center and your local network if you are concerned about security (the VPN is encrypted)