Azure Backup Server for On prem - azure

I have on-prem infra in which I have around 9 servers. I want to use Azure Backup Server, not the MARS agent, as I want to create a copy on prem. I DON'T HAVE ACTIVE DIRECTORY. The question I have: do I need AD on prem and to domain-join the Azure Backup Server? Since I don't have AD, can I still use Azure Backup Server?

I haven't done it myself, but as far as I know it's not a problem, since you will install the software on your server and use vault credentials.
From the link:
The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available you can proceed with installation; if not, you need to provide proxy details to connect to the Internet. The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration, you will have to provide your vault credentials to register the machine to the Recovery Services vault. You will also provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue with the wizard until the agent has been configured.

You require a Domain Controller in the org; that is the requirement for deploying SC DPM or Azure Backup Server. Both require a DC. You can then protect both domain-joined and workgroup machines.
https://learn.microsoft.com/en-us/azure/backup/backup-support-matrix-mabs-dpm#management-support
https://learn.microsoft.com/en-us/system-center/dpm/prepare-environment-for-dpm?view=sc-dpm-1807#networking

Related

Trusted Connection to SQL Managed Instance from Azure Active Directory Domain Services

When connecting a .NET application to a local database we have always used a trusted-connection connection string.
We are porting our platform over to Azure with:
Apps on Virtual Machines
Azure Domain Services
SQL Managed Instance
We have multiple apps; each runs as a specific domain user and uses a trusted connection to the corresponding database on SQL Managed Instance.
Attempting to use a trusted connection from a domain-joined virtual machine, however (for example via SSMS with 'Azure Active Directory - Integrated'), gives the error:
'Integrated Windows authentication supported only in federation flow.'
Looking at the Microsoft documentation, it suggests it is possible to have trusted connections to SQL Managed Instance with 'seamless single sign-on'; however, the documentation only talks about an on-premises domain connecting to Azure Active Directory.
Can anyone steer me in the right direction? Are trusted connections possible in this setup? If not, what is 'best practice' around connection strings to a SQL Managed Instance?
Thanks in advance
The best practice for Azure-native applications is to use Managed Identities to connect to Managed Instance. See e.g.: Connecting from your application to resources without handling credentials
Each Azure Virtual Machine, App Service app, Function App, etc. can be provisioned with an AAD identity. Code running there can then generate access tokens for resources (like Managed Instance) without ever touching a password or client secret.
Several authentication strategies have been added to the SQL client libraries to facilitate this. Or you can use Azure.Identity, or the local managed identity token endpoint, to fetch your own access token and leverage that in the SQL Server client.
An alternative for lift-and-shift apps is to use domain-joined VMs and Windows Authentication for Managed Instance. This lets you continue to use the traditional "Trusted Connection=true" from your VMs running in Azure to Managed Instance.

Azure backup server

I have been having trouble finding specific answers to my questions about Azure Backup Server. Basically, I have a client with a Hyper-V Host and two guests. All are running Server 2019. Does Azure Backup Server provide the mechanism to easily restore and spin up these servers in the Azure cloud for quarterly testing, or will I need to create an Azure cloud host to perform this testing?
You cannot restore a backup of a Hyper-V VM stored in Azure to Azure as an Azure VM, because currently this is not a supported scenario. You can only restore to an on-premises host.
FAQ reference URL - https://learn.microsoft.com/en-us/azure/backup/backup-azure-dpm-azure-server-faq#can-i-restore-a-backup-of-a-hyper-v-or-vmware-vm-stored-in-azure-to-azure-as-an-azure-vm

Domain controller in Azure replacement

For my graduate project I dove into Microsoft Azure and I had no clue how it worked. Now, a few months later, I need to make some decisions.
For this project I am planning to migrate clients of an MSP to Azure. A typical client currently has 1 DC and 1 RDS in the on-premises setup. Now, to host these servers in Azure it is possible to host the DC as a VM (like in a traditional setup), but I can also set up AAD, AADDS and Azure DNS for the client instead of the DC as a VM. So only 1 VM is needed (for the RDS).
What is recommended for this?
Azure AD Domain Services is a managed domain. You don't need to provision, configure, or otherwise manage domain controllers for this domain. These management activities are provided as a service by Microsoft. So yes, if you are planning to move to a cloud-only Azure AD tenant, then you do not need a DC/VM. You can also use ADDS for a hybrid infrastructure.

How to enable the access to Azure services in my AZURE SQL database server?

I'm trying to create an "Integration Runtime" (Azure-SSIS type) in my Data Factory (to run my SSIS packages in the cloud). I already have a virtual machine (Azure SQL Database server up and running).
During the IR creation process I'm not able to link my Azure SQL Database SSISDB catalog to "Catalog database server endpoint", or rather the server is not showing up in the drop-down box.
In the MSDN blog it says:
"Confirm that the **Allow access to Azure services** setting is enabled for the database server. This is not applicable when you use Azure SQL Database with virtual network service endpoints/Managed Instance to host SSISDB."
Does anyone know how to enable this feature? I hope that by enabling this feature I can link my server in the IR and run the packages in the cloud.
Thanks
To allow applications from Azure to connect to your Azure SQL server, Azure connections must be enabled. When an application from Azure attempts to connect to your database server, the firewall verifies that Azure connections are allowed. A firewall setting with starting and ending address equal to 0.0.0.0 indicates Azure connections are allowed. If the connection attempt is not allowed, the request does not reach the Azure SQL Database server.
You can do it any way: PowerShell, az CLI, ARM templates. If you go to the firewall blade in the portal, there is a button to do that.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
Please take a look at where it is located in the image below.
The documentation has instructions on how to reach that screen.

Harden the security between Azure Web Apps and Azure SQL Database

For security concerns I'm planning not to allow Azure services in general to communicate with my Azure services, only the services they are actually working with.
For example, I have some web apps that use Azure SQL Databases. Should I only add the outbound IP addresses of the Azure Web Apps to the Azure SQL server firewall,
or do I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual-network friendly, so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs, however, this won't be possible without writing a custom updater for the database that picks up IP address changes.
You could install SQL Server on a VM and use virtual private networks; otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD integration and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an access token for that identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a client secret or a SQL login/password.
You can also run your app on a VNet and configure your SQL firewall to only permit access from that VNet using Virtual Network service endpoints for Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
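The token-based pattern this answer and the SQL Managed Instance answer earlier on the page describe (fetch an access token with Azure.Identity, hand it to the SQL client, no password in the connection string), as an added example that is not code from any of the posts. It assumes Python with the `azure-identity` and `pyodbc` packages and ODBC Driver 18; the server, database and `my-web-app` names are placeholders.

```python
"""Connect to Azure SQL / SQL Managed Instance with an AAD access token instead of a SQL login.

Hypothetical helper, not from the original thread. Assumes the `azure-identity` and
`pyodbc` packages and ODBC Driver 18; server and database names are placeholders.
"""
import struct

# ODBC Driver for SQL Server connection attribute that carries an AAD access token.
SQL_COPT_SS_ACCESS_TOKEN = 1256
# Token audience for Azure SQL Database and SQL Managed Instance.
SQL_SCOPE = "https://database.windows.net/.default"


def pack_access_token(token: str) -> bytes:
    """Encode the token as the driver expects: UTF-16-LE bytes behind a 4-byte little-endian length."""
    token_bytes = token.encode("utf-16-le")
    return struct.pack("<i", len(token_bytes)) + token_bytes


def build_connection_string(server: str, database: str) -> str:
    """Connection string with no Uid/Pwd: the token, not a password, authenticates the app."""
    return (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};"
        "Encrypt=yes;TrustServerCertificate=no;"
    )


def connect_with_managed_identity(server: str, database: str):
    """Fetch a token for the VM/App Service managed identity and open the connection with it."""
    # Imported here so the pure helpers above run without the Azure packages installed.
    import pyodbc
    from azure.identity import DefaultAzureCredential

    token = DefaultAzureCredential().get_token(SQL_SCOPE).token
    return pyodbc.connect(
        build_connection_string(server, database),
        attrs_before={SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)},
    )


# On the database side the identity is provisioned as an AAD user (T-SQL, run by an AAD admin;
# [my-web-app] is a placeholder for the app's identity name):
#   CREATE USER [my-web-app] FROM EXTERNAL PROVIDER;
#   ALTER ROLE db_datareader ADD MEMBER [my-web-app];
```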
Some of the ways to secure the connection to the SQL database that could be considered in this case are:
As you mentioned, you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall can be configured both at the SQL server level and at the database level (we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest, and the good news is that the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way (even if we were not using Azure DB): we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure DB provides is the Threat Detection capability. If you turn that on, you will be notified of possible vulnerabilities in the current DB/server setup, and also where you can make improvements to fix those issues.
Connect your Azure Function with your SQL DB using private endpoints and VNet integration. Your App Service plan will need to be Standard or Premium; even the Premium Functions plan will do. This LINK talks about it.
Authenticate your Azure Function on your SQL DB using managed identities. See this link for info on how to do that: Managed identities
In short, yes.
You can possibly make this more secure by creating a VNet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but it's worth a try.
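The firewall points raised in this thread and in the previous question (a start/end address of 0.0.0.0 means "Allow Azure services", i.e. any Azure-hosted client, versus whitelisting a Web App's specific outbound IPs), as an added audit script that is not from any of the posts. The rule list is a constructed sample in the shape of `az sql server firewall-rule list` output, and the /24 threshold and the `webapp-outbound` rule-name prefix are choices made here, not Azure defaults.

```python
"""Audit Azure SQL server firewall rules and build per-IP rules from a Web App's outbound addresses.

Added example, not from the original thread. SAMPLE_RULES_JSON is constructed in the shape of
`az sql server firewall-rule list` output; MAX_RANGE_SIZE and the rule-name prefix are choices.
"""
import ipaddress
import json

# Constructed sample: the 0.0.0.0-0.0.0.0 entry is the one "Allow Azure services" creates.
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "webapp-outbound-1", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]"""

ANY_AZURE = ipaddress.IPv4Address("0.0.0.0")
MAX_RANGE_SIZE = 256  # flag ranges wider than a /24; tune to your environment


def classify_rule(rule: dict) -> str:
    """Return 'allow-azure-services', 'wide-range' or 'ok' for one firewall rule."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == end == ANY_AZURE:
        # Not a real address range: it admits any client hosted in Azure, from any tenant.
        return "allow-azure-services"
    if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
        return "wide-range"
    return "ok"


def audit_rules(rules_json: str) -> dict:
    """Map each rule name to its classification so over-broad entries stand out."""
    return {rule["name"]: classify_rule(rule) for rule in json.loads(rules_json)}


def rules_for_outbound_ips(outbound_ips: str, prefix: str = "webapp-outbound") -> list:
    """Turn a Web App's comma-separated outbound IP list into single-address firewall rules.

    Those IPs are not static (see the answers above), so regenerate and re-apply on a schedule.
    """
    ips = sorted({ip.strip() for ip in outbound_ips.split(",") if ip.strip()},
                 key=ipaddress.IPv4Address)
    return [{"name": f"{prefix}-{i}", "startIpAddress": ip, "endIpAddress": ip}
            for i, ip in enumerate(ips, start=1)]
```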
