MS suggests these ways to allow Power BI Desktop to access an Azure DB
a) opening inbound connections of all Azure IP ranges to Azure SQL
b) opening inbound connections to certain IPs
c) use an Enterprise Gateway, even if you are in Azure and not on-premises.
Concerns: is this as secure as a real VPN? Meaning no data can be sent to the DB server port?
d) Is there no out-of-the-box Azure service in place that works like a reverse proxy or application firewall with MFA?
e) is the Azure Application Proxy a solution?
What is the best security practice?
a) and b) worry me, because of a huge unknown Azure user group that does not need to have access, and because the DB would not be protected against IP spoofing.
For c),d),e) I did not find a clear quote from MS about the security risk.
Thank you for clarifying and commenting on my concerns.
From Power BI Desktop, option b) opening inbound connections to certain IPs, is the typical approach. There's typically a small and fixed set of public IPs that your organization uses for outbound traffic, and these can be added to the Azure SQL Server's firewall.
IP Spoofing is a non-issue, as Azure will never route return packets to the spoofer, even if they somehow got all the way to the SQL Server.
c) use an Enterprise Gateway Concerns: is this as secure as a real VPN? Means no data can be sent to the DB Server port?
Yes. The Power BI Gateway server runs on a private Azure VNet, and the SQL Server's firewall is configured to allow connections from this VNet. But Power BI Desktop can't connect directly using a Gateway. It's only a solution for connecting from Power BI Service to your data source. So if you publish a shared Data Set, you can connect using Power BI desktop to that. But you can't connect directly from Power BI Desktop to Azure SQL Database via the gateway. So you still need a firewall rule for the users designing the Power BI Data Sets (models) in Power BI Desktop.
Is there no out-of-the-box Azure service in place that works like a reverse proxy or application firewall with MFA?
No. This is not an HTTP connection, so there's no reverse proxy. Although you can configure your Azure SQL Database to allow Azure Active Directory accounts, and then use your conditional access policies to force MFA. These are built-in to Azure SQL Database and Azure Active Directory, and are a layer of security after the firewall.
2021 Edit
Azure SQL Database now supports Private Link which enables Azure SQL Database to listen on an IP address on a private network in Azure. This network can be routed to your Power BI Desktop users using Site-to-Site VPN or ExpressRoute, or developers can deploy a Point-to-Site VPN to enable a single desktop to communicate directly with the target private network.
Related
I am really new to the Azure cloud platform and need some help setting up Power BI on Azure with a static IP address to add the address to my firewall. The production MySQL is in Hostgator to distribute among the organization to access analytics.
To control the IP used to connect to your database you must install a Data Gateway either in Azure or on some server you control, and configure the Dataset to use the Gateway to refresh.
Otherwise the IP addresses that may be used by Power BI are documented in the Azure Service Tag list. But they do change over time, so it's a hassle to use with any firewall that doesn't natively support Azure Service Tags.
thanks in advance
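The answer above notes that the Power BI service-tag prefixes change over time and so are a hassle for firewalls without native Service Tag support. The following is an added example (not code from any of the posters or from Microsoft) showing how to pull one tag's prefixes out of the published Service Tags JSON, convert them into the start/end pairs Azure SQL firewall rules use, and diff them against the rules you currently have so stale entries get removed rather than accumulating. The JSON document and the prefixes in it are constructed for the example and are not real Power BI ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's downloadable "Service Tags" JSON
# (top-level "values", each entry with "name" and "properties.addressPrefixes").
# These prefixes are documentation ranges made up for the example, NOT real ones.
SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "PowerBI", "id": "PowerBI",
         "properties": {"addressPrefixes": ["203.0.113.0/25", "198.51.100.32/27",
                                            "2001:db8:10::/48"]}},
        {"name": "Sql.CentralUS", "id": "Sql.CentralUS",
         "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

def prefixes_for_tag(doc_json: str, tag: str, ipv4_only: bool = True) -> set:
    """Return the address prefixes published for one service tag (e.g. 'PowerBI').
    Azure SQL firewall rules are IPv4 only, so IPv6 prefixes are dropped by default."""
    doc = json.loads(doc_json)
    for entry in doc["values"]:
        if entry["name"] == tag:
            nets = {ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]}
            return {n for n in nets if n.version == 4} if ipv4_only else nets
    raise KeyError(f"service tag {tag!r} not found in document")

def firewall_rule_ranges(nets) -> list:
    """Azure SQL firewall rules are inclusive start/end pairs, not CIDRs: convert each prefix."""
    return sorted((str(n[0]), str(n[-1])) for n in nets)

def diff_allowlist(current_rules, desired_rules):
    """Compare the rules you have against the rules the tag now requires.
    Returns (to_add, to_remove). Removing retired prefixes matters: an address block
    Microsoft no longer lists for the tag may later be used by some other tenant."""
    cur, want = set(current_rules), set(desired_rules)
    return sorted(want - cur), sorted(cur - want)

if __name__ == "__main__":
    want = firewall_rule_ranges(prefixes_for_tag(SERVICE_TAGS_JSON, "PowerBI"))
    # Constructed "current state": one rule still matches, one is stale.
    have = [("203.0.113.0", "203.0.113.127"), ("203.0.113.128", "203.0.113.255")]
    add, remove = diff_allowlist(have, want)
    print("add:", add)
    print("remove:", remove)
```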
I have the following scenario:
SQL database on a SQL Server on premise (source)
SQL database on Azure (target)
I access my network from a VPN (F5 - Big IP Edge Client)
I created and configured an Azure VPN Gateway to connect to the VPN. With this configuration and the use of Azure Data Factory, it is possible to see my on-premise database and read the data.
I want to restrict access to the Azure SQL database only to clients from my on-premise network (or connected to the VPN). When I try to set the firewall IP rules, Azure only allows registering public IP addresses and does not recognize IPs from my on-premise network.
Questions
1) Is it possible to restrict access to only clients from inside my private network? How do I get this?
2) Is there another, better option to get this secure connection?
Regards
SQL Azure maintains a firewall for the SQL Azure servers, preventing anyone from connecting to your server if you do not give their IP address permissions. Permissions are granted by client IP address. Any user’s desktop application that connected to SQL Azure would need to have the SQL Azure firewall open for them in order to connect. The client IP would be the IP address of the desktop machine as seen by the Internet.
Any desktop computer can access SQL Azure as long as it has Internet access, and port 1433 open for outbound connections.
If you're trying to connect from within a corporate network, you can add the user machine's public IP or the VPN endpoint IP if all users connect through it. Further, to allow access from specific on-premises machines, firewall rules can be used to limit connectivity only to your public (NAT) IPs.
As a more secure option, you can set up server-level firewall rules (server-level IP firewall rules apply to all databases within the same server) and set up database firewall rules (database-level firewall rules only apply to individual databases, can be configured using Transact-SQL statements, and only after you've configured a server-level firewall rule).
Create server-level and database-level firewall rules
Configure an Azure Active Directory (AD) administrator
Manage user access with SQL authentication, Azure AD authentication, and secure connection strings
Enable security features, such as Azure Defender for SQL, auditing, data masking, and encryption
Refer: Create firewall rules & Configure your client computers
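Server-level rules are start/end IPv4 pairs, and the portal's "Allow Azure services and resources to access this server" toggle is itself stored as a rule named AllowAllWindowsAzureIps spanning 0.0.0.0 to 0.0.0.0, which is option a) from the first question (any Azure-hosted client, not just yours). The following is an added example (not code from any poster or from Microsoft) that audits an exported rule list for that rule and for ranges wider than a chosen threshold, and reports which explicit rules admit a given client address. The rule names and addresses other than AllowAllWindowsAzureIps are constructed for the example.

```python
import ipaddress

# Constructed sample of Azure SQL server-level firewall rules in the shape the
# portal/CLI show them: rule name plus inclusive IPv4 start and end address.
SAMPLE_RULES = [
    ("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),      # "Allow Azure services" toggle
    ("office-nat", "203.0.113.10", "203.0.113.10"),         # one corporate egress IP
    ("contractor-temp", "198.51.100.0", "198.51.100.255"),  # whole /24, wider than needed
    ("oops", "0.0.0.0", "255.255.255.255"),                 # effectively no firewall at all
]

def rule_size(start: str, end: str) -> int:
    """Number of addresses an inclusive start/end pair admits."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def is_azure_services_rule(start: str, end: str) -> bool:
    """0.0.0.0-0.0.0.0 is Azure's marker for 'allow all Azure-hosted clients'."""
    return start == "0.0.0.0" and end == "0.0.0.0"

def audit_rules(rules, max_hosts: int = 16) -> list:
    """Return (rule_name, finding) pairs a reviewer should question: the
    Azure-services rule, and any range admitting more than max_hosts addresses."""
    findings = []
    for name, start, end in rules:
        if is_azure_services_rule(start, end):
            findings.append((name, "admits every Azure-hosted client, not just your tenant"))
        elif rule_size(start, end) > max_hosts:
            findings.append((name, f"range admits {rule_size(start, end)} addresses"))
    return findings

def rules_admitting(rules, client_ip: str) -> list:
    """Names of the explicit rules whose range covers client_ip. The Azure-services
    rule is skipped because it does not match on address at all."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return [name for name, start, end in rules
            if not is_azure_services_rule(start, end)
            and int(ipaddress.IPv4Address(start)) <= ip <= int(ipaddress.IPv4Address(end))]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
    print("203.0.113.10 admitted by:", rules_admitting(SAMPLE_RULES, "203.0.113.10"))
```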
I would like to connect to Azure SQL server from a Windows server via SSMS. In the "set server firewall" from Azure, I have given my server IP (from the system I would like to connect from). I need to know the destination IP address of the Azure DB Server. From the Azure portal the location is showing Central US. To allow it through the firewall I need to know the destination IP address.
My questions are:
1. As Central US could have multiple IP addresses, do I need to provide all IPs to my Firewall team?
2. How can I know the destination IP address ( i.e. Azure) so that I can provide that to my firewall team?
Note: From SQL server management studio, the tcp default port for SQL is enabled and services are running fine.
Hope I have explained it correctly. Thanks
No. You cannot get a static IP address assignment for your Azure SQL Database. Moreover, what you refer to (mysqlserverdatabase.mysql.database.azure.com) designates your Azure SQL Database Server, not a single Database. This is a logical server, in which you can put up to 149 Databases (150 with the Master DB).
You have to work around your requirement for static IP address assignment to work with the DNS Name (mysqlserverdatabase.mysql.database.azure.com).
Otherwise, if your company firewall can't work with the DNS Name, you need to set the server connection policy to Proxy as documented in Azure SQL Connectivity Architecture. This allows the database gateway to proxy all traffic between the client and the DB server. The gateways all have static IP addresses, which are listed in the above document.
If you have set up a VNet in Azure, check out VNet Service Endpoints to connect to Azure SQL.
https://azure.microsoft.com/en-in/blog/vnet-service-endpoints-for-azure-sql-database-now-generally-available/
We are developing a web API with Azure SQL for data persistence that is completely hosted on Azure. We need to push some data from on premise to Azure SQL. Our info-security team is not ready to open port 1433 to provide outbound connectivity. What is the best approach to connect to Azure SQL from on-prem securely? I did some research and found several ways to connect to on-prem from Azure, but I need a secure connection to Azure SQL from on premise.
The Azure SQL Database service is only available through TCP port 1433. So you have to open the port 1433 to provide outbound connectivity.
To help secure your on-premises network environment, it’s a best practice to configure your on-premises firewall and allow outbound connections on port 1433 only to your target SQL DB IP addresses listed here. Read more explanation here.
Moreover, Azure SQL Database forces all client connections to be encrypted. You could get more details from an overview of Azure SQL Database security capabilities.
Is it possible to connect a Microsoft Azure Web Site to a SQL Server Database hosted on-premises and, if so, what are the steps that I need to follow?
Let any request coming from your Azure Web Site IP and targeting TCP port 1433 through your firewall. Then change your connectionString on your Azure Web Site to point to the public gateway used on premise.
As #qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).