Cannot connect with Cloud SQL Proxy without elevated privileges - security

We are attempting to configure dev users at a project level with only 'viewer' access and also allow them to log in to Cloud SQL. Strangely, there are no granular permissions as there are for Datastore or BigQuery.
When attempting to connect after configuring the Cloud SQL Proxy to follow Google best practice for connecting to v2 Cloud SQL instances, the connection is refused in MySQL Workbench and the following message appears in the Proxy window.
As soon as the project privileges are changed to 'editor' in IAM, the same connection works fine. With a lack of roles for Cloud SQL, this means all users either can't access Cloud SQL v2 with the proxy or can reset the root password.
Hopefully we are mistaken, as this seems like a serious security issue?

You are correct; at this time the actor must have at least the 'project editor' role to connect using the Cloud SQL Proxy.

Related

Is allowing Azure Services to be turned on as a firewall rule inside my Azure Database a security issue?

I have the "Allow Azure Services to access this server" option turned on for my Azure Database. The reason for me having turned it on is because I have a Function App that accesses the database to do inserts etc.
My question is, is having this option turned on a security issue at all? If it is, what is the best practice method to keep my database secure while still being able to access it myself through my Function App?
Assuming you are connecting to your SQL databases using a username/password combination, there's always a security risk in case your username/password are leaked.
A better approach would be to use Managed Identity. What you will do is assign an identity to your Function app and then allow that identity to connect to your database. That way only your Function App will be able to connect to your database. You would still need to keep "Allow Azure Services to access this server" option turned on though.
Please see this link on connecting an Azure WebApp to a SQL Database using Managed Identity: https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cef%2Cdotnet

Cannot connect to SQL Server from logic app

I'm having trouble connecting to my SQL Server in an Azure Logic App.
I've just created a fresh SQL Server and database and am now attempting to connect to it in my logic app. However, it doesn't appear to be showing when I enter my credentials. I've been following this tutorial.
Does anyone know why this might be the case? Is it perhaps a permission thing that I may have missed?
I've also found that if I do an AD connection, I get this:
Try this for connecting to your DB:
First of all, try to connect with Azure AD Integrated, and if you don't see your SQL Server and DB in the list, try the next step.
Go to the Resource Group where you created the Logic App and find the connection name that you used when trying to connect with Azure AD Integrated. Open it and click on Edit API Connection. In Authentication Type, use SQL Server Authentication and the other data needed to connect to your DB.
Make sure you are allowing Azure services to access your database server at
SQL Server > Firewalls and virtual networks > Allow Azure services and resources to access this server = Yes

Harden the security between Azure Web Apps and Azure SQL Database

For security concerns I'm planning to not allow Azure services in general to communicate with my Azure services, only the services they are actually working with.
For example, I have some web apps that use Azure SQL Databases. Should I only add the outbound IP addresses of the Azure Web Apps to the Azure SQL server firewall, or do I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual-network friendly, so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs, however, this won't be possible without writing a custom updater for the database firewall which picks up IP address changes.
You could install a SQL Server onto a VM and use virtual private networks; otherwise, make sure the login credentials are secure and accept the fact that an Azure client belonging to anyone could attempt to connect to your database server.
The best way to lock down your SQL Database is with AAD integration and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an access token for that identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a client secret or a SQL login/password.
You can also run your app on a VNet and configure your SQL firewall to only permit access from that VNet using Virtual Network service endpoints for Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
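The two answers above that recommend Managed Identity (the Function App answer earlier on this page and the one just above) both stop at "provision it as an AAD user". The following is an added example, not code from any of the answers, showing the two pieces a practitioner actually needs: the T-SQL that creates the identity as a contained database user with read/write rights only (not db_owner and not the server admin login), and the pyodbc connection that carries an access token instead of a UID/PWD. The server name, database name and app name are placeholders I assumed; the code also assumes a system-assigned identity (whose AAD user name equals the app name) and that the azure-identity and pyodbc packages are installed when connect() is called, which is the only function that talks to Azure.

```python
"""Added example: Azure SQL authentication with a managed identity.

Not taken from the page's answers. SERVER, DATABASE and APP_NAME are assumed
placeholders; azure-identity and pyodbc are only imported inside connect().
"""
import struct

# Assumed placeholders: replace with the real server, database and app name.
SERVER = "myserver.database.windows.net"
DATABASE = "mydb"
APP_NAME = "my-function-app"

# Pre-connect ODBC attribute understood by the Microsoft ODBC driver:
# SQL_COPT_SS_ACCESS_TOKEN (1256) carries an Azure AD access token.
SQL_COPT_SS_ACCESS_TOKEN = 1256
TOKEN_SCOPE = "https://database.windows.net/.default"


def quote_name(name: str) -> str:
    """Bracket-quote a T-SQL identifier, doubling any ']' so an app name
    cannot break out of the identifier."""
    return "[" + name.replace("]", "]]") + "]"


def least_privilege_grants(app_name: str) -> str:
    """T-SQL to run once in the target database as the AAD admin. The
    identity becomes a contained user limited to reading and writing rows;
    it is never given db_owner or the server-level admin login."""
    user = quote_name(app_name)
    return (
        f"CREATE USER {user} FROM EXTERNAL PROVIDER;\n"
        f"ALTER ROLE db_datareader ADD MEMBER {user};\n"
        f"ALTER ROLE db_datawriter ADD MEMBER {user};\n"
    )


def encode_access_token(token: str) -> bytes:
    """Pack a bearer token the way the ODBC driver expects it: a
    little-endian 32-bit byte length followed by the token as UTF-16-LE.
    Passing the raw string here is the usual mistake and fails to log in."""
    token_bytes = token.encode("utf-16-le")
    return struct.pack("<I", len(token_bytes)) + token_bytes


def connection_string(server: str, database: str) -> str:
    """No UID or PWD at all: the identity comes from the token attribute.
    Encryption stays on so the token is never sent in clear."""
    return (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};"
        "Encrypt=yes;TrustServerCertificate=no;"
    )


def connect(server: str = SERVER, database: str = DATABASE):
    """Obtain a token for the app's identity and open the connection.
    DefaultAzureCredential uses the managed identity when running on Azure
    and a developer login (az CLI, VS Code) locally, so the same code runs
    in both places without any secret in configuration."""
    from azure.identity import DefaultAzureCredential  # optional dependency
    import pyodbc  # optional dependency

    token = DefaultAzureCredential().get_token(TOKEN_SCOPE).token
    return pyodbc.connect(
        connection_string(server, database),
        attrs_before={SQL_COPT_SS_ACCESS_TOKEN: encode_access_token(token)},
    )


if __name__ == "__main__":
    # Print the one-time grant script and the secret-free connection string.
    print(least_privilege_grants(APP_NAME))
    print(connection_string(SERVER, DATABASE))
```

The grant script is run once by a human with the AAD admin role; after that the application never holds anything a leaked config file could expose, which is the point both answers make about removing the SQL login/password.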
Some of the ways to secure the connection to the SQL database that could be considered in this case are:
As you mentioned, you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall can be configured both at the SQL server level and at the database level (we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course, this would be encryption at rest. And the good news is that the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way (even if we were not using Azure DB): we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure DB provides is the Threat Detection capability. If you turn that on, we would be notified of the possible vulnerabilities of the current DB/server setup, and also where we can make improvements to fix those issues.
Connect your Azure Function with your SQL DB using private endpoints and VNet integration. Your App Service plan will need to be Standard or Premium; even the Premium Function plan will do. This LINK talks about it.
Authenticate your Azure Function on your SQL DB using managed identities. See this link for info on how to do that: Managed identities
In short, yes.
You can possibly make this more secure by creating a VNet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but it's worth a try.

How do I connect an application deployed in Bluemix to an on-premises DB2 database

I have a Node.js/JavaScript application deployed to Bluemix. I need my application to be able to connect to a DB2 data source (connection string shown below).
The host lexbz181112.cloud.dst.ibm.com is an IBM server running on-premises.
What steps do I need to take to connect to this data source from my application (which is running in Bluemix)? I don't want to change any of my application code in order to read/write from the database.
DRIVER={DB2};DATABASE=MYDB;HOSTNAME=lexbz181112.cloud.dst.ibm.com;UID=xxx;PWD=xxx;PORT=nnnnn;PROTOCOL=TCPIP
It is the same whether you connect your application to a remote database or a cloud database, as long as you have hostname:port, the database name and a username/password.
If your application and database both on Bluemix, have you tried to bind this database service to your application directly?
The Bluemix Secure Gateway service is used in such cases. It establishes a secure, transparent bridge between your on-premises resource, in your case the DB2 server, and your cloud application. Because it is transparent to the application, you don't need to change your application code. The secure connection is established from on-prem to the cloud, so that the on-prem administrators stay in charge.
Some time ago I wrote a sample application to walk through all the steps to create a scenario as described by you. You can find the instructions on GitHub.
If the host is reachable from the Internet, you can simply access it from your application as you'd normally do, since a Bluemix application is able to connect to the Internet. The only improvement I'd make to this is to use a user-provided service instance. It allows you to separate the DB connection parameters from the application code, avoiding having those hard-coded in the application.

Azure SQL login failed

I'm having some issues with logging in to my Azure SQL server. The problem is that I do not know the server-level principal, and the database has never been logged into before. Is there a way to connect to the database for the first time without the server-level principal? Is it possible to change the server-level principal's password from the portal?
Of course, you can change the server password from the portal in your server options:
