We are developing an application that uses a Windows Azure cloud service, and a SQL Azure database. We have an ASP .NET MVC project that uses database-first to create the entities in our Visual Studio solution. Now we need to deploy the database schema to Azure.
Currently this is not possible because our network blocks outbound access on port 1433, which is the only port SQL Azure is available on. We have asked our security team for permission to open port 1433 outbound, but they have some concerns:
There is unencrypted database traffic (port 1433) allowed at Microsoft's firewall over the internet for Azure. Although there is no sensitive information in the database, management credentials are probably in clear text if database credentials are not encrypted and can lead to defacement risks.
What network ports are opened at the internet firewall for access to the system hosting the website and database?
I believe the concern in the first question is that credentials for managing the Azure DB will be sent over on port 1433 unencrypted during deployment. For the second one, I think the answer is that we can configure endpoints to open whatever ports we want for our cloud service, but they are closed by default.
I did some research, but was unable to find any definitive answers on these questions from Microsoft, which makes me think we are asking the wrong questions. I would be interested in insight from anyone with more experience in this than I have.
SQL Azure only accepts encrypted (SSL) communication per the Security Guidelines and Limitations (Windows Azure SQL Database) article here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx
Encryption and Certificate Validation All communications between
Windows Azure SQL Database and your application require encryption
(SSL) at all times. If your client application does not validate
certificates upon connection, your connection to Windows Azure SQL
Database is susceptible to "man in the middle" attacks. To validate
certificates with application code or tools, explicitly request an
encrypted connection and do not trust the server certificates. If your
application code or tools do not request an encrypted connection, they
will still receive encrypted connections. However, they may not
validate the server certificates and thus will be susceptible to "man
in the middle" attacks. To validate certificates with ADO.NET
application code, set Encrypt=True and TrustServerCertificate=False in
the database connection string. For more information, see How to:
Connect to Windows Azure SQL Database Using ADO.NET. SQL Server
Management Studio also supports certificate validation. In the Connect
to Server dialog box, click Encrypt connection on the Connection
Properties tab. SQL Server Management Studio does not support Windows
Azure SQL Database in versions prior to SQL Server 2008 R2.
SQL Azure uses 1433 and 8443. The port requirements for Azure are available here: http://msdn.microsoft.com/en-us/library/windowsazure/jj136814.aspx
If you want to limit firewall traffic to and from specific IP addresses, the Azure datacenter IP ranges are available here: http://msdn.microsoft.com/en-us/library/windowsazure/dn175718.aspx
Some options (in addition to DarrelNorton's answer):
- you can use a dedicated SQL Server VM, then you can use port forwarding and the port issue is not a problem and you have additional firewall options and additional security software you can instal
- dedicated SQL VM allows you to take advantage of TDE (Trans. Data Encryption) in SQL Server or you can do more advanced encryption techniques that are not available in SQL Azure DB
- Dedicated SQL VM you are isolated from other MSFT clients. If you get hacked, you can re provision the VM from scripts
- you can use a Virtual Network connection between the MSFT data center and your local network if you are concerned about security (the VPN is encrypted)
Related
We have an Azure IaaS database from which we want to copy data via ADF.
For that we are currently using Self hosted IR but since the DB is hosted on an Azure VM itself isn't it possible to directly communicate between ADF and IaaS DB with out IR(By whitelisting some IP or opening some port)
I think you should open some port, otherwise the self-hosted integration runtime can't access the Azure SQL database directly.
According to this post, if your firewall does not allow outbound port 1433. In this case, you can use a staged copy to Azure SQL Database. In this scenario, you would require only HTTPS (port 443) for the data movement.
I am using Azure SQL Server DB and need to connect to it through my local development environment since we do not have local Db setup. I am using Entity Framework and standard connection string to connect over port 1433. This requires port 1433 opened in organizations firewall.
However, the security group in my workplace wants me to ensure that this communication is secured, to protest data exposure, so that they can open the port 1433 for my work.
How do i ensure that? If this is secured by default, then some link that explains it. If not, the steps I can take to make it happen.
Or point me to a question where this is resolved. Thanks a ton!!!
From https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-overview:
Important
All connections to Azure SQL Database require encryption (SSL/TLS) at all times while data is "in transit" to and from the database. In your application's connection string, you must specify parameters to encrypt the connection and not to trust the server certificate (this is done for you if you copy your connection string out of the Azure Classic Portal), otherwise the connection will not verify the identity of the server and will be susceptible to "man-in-the-middle" attacks. For the ADO.NET driver, for instance, these connection string parameters are Encrypt=True and TrustServerCertificate=False.
We have sql 2000 databases on our internal network secured behind ISA Firewall. Up till now we have not opened tcp port 1433 to allow external sql traffic in or out. We also have a remote external website with a later version of sql on.
Is there any way to update the external database from our internal network without increasing the chance of anyone hacking into our internal network?
The Sync Framework does this for most cases. I'd recommend against opening up your firewall to allow anyone to connect to your database server - that's pretty much inviting hackers to own your data.
The Sync framework works natively with SQL Server 2000 SP4 and later - though you can probably find a provider for older versions if you try. By using a provider framework, Sync can in principle connect to any data source.
I am currently unable to connect to my Azure SQL database from a separate remote standalone dedicated box in a private datacenter.
I have an Azure SQL database where I manage the list of IP addresses that can connect to this database. This has worked perfectly until now. I have recently set-up a new dedicated box in a private datacenter that needs to query the Azure SQL database at regular 5 second intervals, give or take.
The problem is, this dedicated box cannot establish a connection to the Azure SQL database, despite being able to connect to other remote FTP servers, MySQL servers, etc. The Azure SQL database does have the IP address of the dedicated box on the allowed connection list. Furthermore, I temporarily opened up a massive range of allowed IP addresses (0.0.0.0 -> 255.255.255.255) on the Azure SQL database to see whether this inability to connect may have resulted from IP blocking.
Does anyone have any suggestions or thoughts on what might be causing this and how I could begin debugging the situation better?
To clarify: I can connect to the Azure SQL database from laptops with individual IP addresses in my office and elsewhere, so long as they have been added to the database whitelist; I can make outward connections to remote FTP and MySQL servers from the dedicated box; I have tried to open-up a massive range of allowed IP addresses on Azure SQL with no luck.
Edit
C:\Users\graphite.rack.ID17157>osql -S v7o06blktw.database.windows.net -U XXXXXXX#v7o06blktw -P XXXXXXX
[SQL Server Native Client 11.0] Named Pipes Provider: Could not open a
connection to SQL Server [53].
[SQL Server Native Client 11.0] Login timeout expired
[SQL Server Native Client 11.0] A network-related or instance-specific error
has occurred while establishing a connection to SQL Server. Server is not
found or not accessible. Check if instance name is correct and if SQL Server
is configured to allow remote connections. For more information see SQL Server
Books Online.
To summarize.
Windows Azure SQL Database (formerly known as SQL Azure) works exclusively and only on TCP port 1433. It only support SQL Server Authentication, TCP connection and TDS protocol as of today.
In order to successfully establish connection to SQL Azure one must fulfil the following requirements:
Create SQL Azure server & Database
Setup SQL Azure Server's firewall rules to accept connections from the IP address of application that will connect to that server
Make sure the box (be it Virtual, or home, or whatever) has no blocking outbound TCP port 1433
Explicitly force encryption in connection string
Explicitly chose to not trust server certificate in connection string
Please note that many (if not all) ISPs (Internet Service Providers) and Hosters, as well as IT staff within companies DO block outgoing TCP Port 1433 due to the SQL Slammer worm. This outgoing port blocking appears to be one of the most faced issues of newcommers to SQL Azure.
UPDATE Nov. 2015
As of August 2015, there is preview feature that enables you to use Azure AD to authenticate to Azure SQL Database. You can read more on this new preview feature here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
If you're using corporate network for internet access and facing this problem,
a simple way around this is to use your phone's mobile hotspot for internet access instead.
Be sure to disable your ethernet connection too, which may also be connected to the internet.
Spent hours on this issue. The fix for me was finally found to be my setting on the Xfinity firewall. I had it set to high. Once I changed the setting to low security, I could connect to the Azure sql database with no issues.
I am developing a application for a small user group and decided to use sql express.
So the design as normal is sql express will be hosted in one machine(as server machine) and users client app will connect to sql-express host machine for accessing db.
Now the problem is remote clients are not able to connect the db, but host machine can access the db. Can someone please help if you have tried this before ??
Connection string used is as below, do we need to change the connection string ?
Data Source=Hostname\SQLExpress;Integrated Security=true; AttachDbFilename=|DataDirectory|\mydb.mdf;User Instance=true;
Note: Users are not domain connected they are LAN connected.
The database service is probably not setup to listen on TCP port 1433 by default for security reasons. You need to use the configuration utility to enable remote access. You also need to make sure that port is not being blocked by a firewall. These instructions for SQL Server 2005 are useful.
If the users are not running under a domain account I believe you will have issues with authentication. You may want to add them to a domain, or enable SQL Server (password) authentication. After enabling this you can specify a username and password via the connection string. You need to make sure that the user exists and has access to the appropriate tables, views, or stored procedures.
By default, SQL Server does not permit remote connections. You need to change this via the Server Configuration Manager in the Start Menu.