What is the best way to create a secure connection to SQL Azure from a customer location?
We are currently using IP address and setting the firewall, but this is not very secure
That's pretty much all you have with the Azure SQL Database offering today. The TDS protocol is sent to the client over TLS so the transport is secured.
Note that you could theoretically create a "jump" or "bastion" host in Azure on a VM, and allow only connections to Azure SQL from the public VIP of that host, but I'd question how much more secure that is than what you have now.
I have the following scenario:
SQL database on a SQL Server on premise (source)
SQL database on Azure (target)
I access my network from a VPN (F5 - Big IP Edge Client)
I created and configured an Azure VPN Gateway to connect to the VPN. With this configuration and the use of Azure Data Factory, it is possible to see my on-premise database and read the data.
I want to restrict access to the Azure SQL database only to clients from my on-premise network (or connected to the VPN). When I try to set the firewall IP rules, Azure only allows registering public IP addresses and does not recognize IPs from my on-premise network.
Questions
1) Is it possible to restrict access to only clients from inside my private network? How do I get this?
2) Is there another, better option to get this secure connection?
Regards
SQL Azure maintains a firewall for the SQL Azure servers, preventing anyone from connecting to your server if you do not give their IP address permissions. Permissions are granted by client IP address. Any user’s desktop application that connected to SQL Azure would need to have the SQL Azure firewall open for them in order to connect. The client IP would be the IP address of the desktop machine as seen by the Internet.
Any desktop computer can access SQL Azure as long as it has Internet access, and port 1433 open for outbound connections.
If you're trying to connect from within a corporate network, you can add the user machine's public IP, or the VPN endpoint IP if all users connect through it. Further, to allow access from specific on-premises machines, firewall rules can be used to limit connectivity only to your public (NAT) IPs.
A more secure option is to set up server-level firewall rules (server-level IP firewall rules apply to all databases within the same server) and database firewall rules (database-level firewall rules only apply to individual databases, can be configured using Transact-SQL statements, and only after you've configured a server-level firewall rule).
Create server-level and database-level firewall rules
Configure an Azure Active Directory (AD) administrator
Manage user access with SQL authentication, Azure AD authentication, and secure connection strings
Enable security features, such as Azure Defender for SQL, auditing, data masking, and encryption
Refer: Create firewall rules & Configure your client computers
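An added T-SQL example (not from the answer above or from Microsoft's docs) showing the layering just described: a server-level rule, a narrower database-level rule, a check of what is currently open, and an Azure AD contained user as the authentication layer behind the firewall. The rule names, the 203.0.113.0/24 documentation range and the user name are constructed placeholders.

```sql
-- Added example, not the answer's own code. Rule names, the 203.0.113.x
-- addresses (documentation range) and the user name are placeholders.
-- Azure SQL Database has no USE statement: steps 1, 3a and 4 run while
-- connected to master, steps 2, 3b and 5 while connected to the user database.

-- 1. Server-level IP firewall rule (master). Applies to every database on
--    the logical server. Allow the organisation's fixed public NAT range,
--    not whatever a single desktop happens to get from its ISP today.
EXEC sp_set_firewall_rule
    @name             = N'CorpNatRange',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- 2. Database-level IP firewall rule (user database). Evaluated before the
--    server-level rules and scoped to this database only, so one database
--    can be narrowed further than the server as a whole.
EXEC sp_set_database_firewall_rule
    @name             = N'ReportingHostOnly',
    @start_ip_address = '203.0.113.12',
    @end_ip_address   = '203.0.113.12';

-- 3. Review what is open. A 0.0.0.0 - 255.255.255.255 entry means the TDS
--    endpoint is reachable from the whole internet; the special
--    0.0.0.0 - 0.0.0.0 entry is the "Allow Azure services" switch.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules;                -- 3a: master, server-level rules
SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;       -- 3b: user database, database-level rules

-- 4. Remove a rule once the public IP it covered is no longer yours
--    (for example after an ISP-assigned dynamic address changes).
EXEC sp_delete_firewall_rule @name = N'CorpNatRange';

-- 5. Behind the firewall: an Azure AD contained user with read-only rights,
--    so conditional access / MFA policies apply to the login itself and a
--    leaked SQL password is no longer enough on its own.
CREATE USER [reporting.reader@example.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [reporting.reader@example.com];
```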
I understand that Microsoft Azure is very secure and the Azure SQL Server as well. However, the question is a bit scenario-based:
I'm accessing Azure SQL Server DB using SSMS, which is asking me to login using SQL Server authentication.
In the Azure DB firewall security setting, when I'm trying to add my current PC IP address (which is dynamic in nature), it's not adding. However, it's actually considering my ISP-provided IP address. The questions are: why is it not allowing me to add my current IP address? Shouldn't there be a security issue if it's considering my ISP IP (which I can find via "what is my IP")? How and what level of security is Microsoft providing in this case? Isn't it the case that, if someone gets my SQL Server credential, they will get inside my SQL Server in Azure?
OR
is it like this: the HOST/computer name and IP address (which I got via What is my IP) should be matched, and then the SQL Server credential will work? Which is kind of more secure.
Hope I have explained this correctly. This is just to get more clarification, not to compare.
I understand that, I think, I should have a static IP. But the local IP is dynamic.
Thanks.
It is the IP address assigned by your ISP that the Azure SQL Database firewall can "see". That is the one you need to add as a firewall rule. The private IP address your computer is using on your local network cannot be "seen" by the Azure SQL Database firewall.
Azure SQL Database security is more than just a firewall rule. All data in transit coming from any Azure SQL Database or going to any Azure SQL Database is encrypted. Azure SQL Database does not allow non-encrypted connections. All this is happening on TCP port 1433. You cannot communicate to Azure SQL Database on a different port.
When a client first attempts a connection to SQL Azure Database, it sends an initial connection request. Consider this a "pre-pre-connection" request. At this point the client does not know if SSL/encryption is required and waits for an answer from SQL Azure to determine if SSL is indeed required throughout the session (not just the login sequence, the entire connection session). A bit is set on the response indicating so. Then the client library disconnects and reconnects armed with this information.
When you set Encrypt to true you avoid the "pre-pre-connection", and you are preventing any proxy from turning off the encryption bit on the client side of the proxy; this way attacks like man-in-the-middle attacks are avoided.
When secure connections are needed, it is recommended to enable the "Encrypt connection" setting in SSMS.
In addition to all this, when you create a new database on Azure SQL Database, data at rest is encrypted. Transparent Data Encryption is enabled by default.
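An added T-SQL check (not from the answer above) that verifies, from inside a session, the two properties this answer describes: that the transport is actually TLS-encrypted and that Transparent Data Encryption is active for the current database. The views are standard DMVs; the error number and message in the THROW are constructed placeholders.

```sql
-- Added example, not the answer's own code. Run while connected to the
-- user database. sys.dm_exec_connections and sys.dm_database_encryption_keys
-- are standard views; the THROW error number/message are placeholders.

-- 1. Transport: encrypt_option is TRUE only when TLS is active for this
--    session. A client that left Encrypt unset and went through a proxy that
--    cleared the encryption bit during the pre-login handshake shows FALSE.
DECLARE @enc nvarchar(40);
SELECT @enc = encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

IF @enc <> N'TRUE'
    THROW 50001, N'Session is not TLS-encrypted; set Encrypt=True on the client.', 1;

-- 2. At rest: TDE state of the current database.
--    encryption_state 3 = encrypted; 1 = unencrypted, 2 = encryption in
--    progress. No row at all means no encryption key exists for the database.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();
```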
I'm using SSMS to connect to Azure DB from my laptop. I have provided my laptop IP address in "Set server firewall". However, each time when connecting from SSMS it's considering my public IP address, instead of laptop IP.
My questions are:
why is it not considering my Laptop IP?
How safe is it to configure a public IP address in Azure's "set server firewall"? Wouldn't it be possible for someone having the same public IP to connect to the Azure DB?
How can the Azure DB be configured so that it accepts requests from my laptop IP only?
An Azure PaaS service has a public endpoint, which means that you cannot connect to it from your private IP; you must configure your Azure PaaS with your public IP. There is an option to make a public endpoint into a private endpoint using a private link, VPN point-to-site, or virtual network gateway. Please have a look at this article for more details.
You can keep your connection secure from a public IP using the Azure PaaS firewall, once your connection from your source to Azure allows only your public IP, but you have to change this IP in the firewall each time your IP is renewed if it is dynamic. For best practice you should consider a private link or Azure SQL Managed Instance, which has more options, but it is more expensive than Azure PaaS SQL.
To help answer these questions, we first must consider the network topology involved. Your laptop is likely connected to a wireless access point which is connected to a network switch. All traffic on the switch (or series of switches, depending on the location you are at) uses private IP addresses to communicate. These addresses cannot be routed on the public internet. In order for you to access the Azure SQL Database, which sits on a different private network than your laptop, it has to travel over the public internet. This means your traffic is going through a series of routers, and in order for the connection to correctly route between you and Azure, it needs your public IP address.
It is safe to a certain point. The Azure SQL Server you are connecting to uses SSL/TLS to encrypt the traffic, so communication over the public web is encrypted. Your concern about essentially spoofing the public IP is valid, which is why it is crucial to make sure you have selected a strong password for the SQL login. Microsoft also deploys a series of edge security services that monitor for attacks on any of their services to ensure the safety of their platform and will flat out block suspected attacks.
If you want to restrict traffic so that only your laptop can be used, now we are introducing a complex but doable architecture. You will need to set up a VNet and VPN Gateway in Azure and connect the two services. You will then have to connect the Azure SQL Database to the VNet you just set up. Once completed, you will need to access the VPN from your laptop, which will grant you access to the database. The actual setup isn't trivial, as there are many things to take into consideration such as cost, hardware capabilities on your side and security requirements.
At the end of the day, what should drive the "right solution" should be your security requirements. For some, running via a public IP is sufficient, for others they need to access it over a VPN.
To address your comment below, I needed more space so I'm amending the solution.
Anytime you make something publicly accessible over the internet, there is a possibility for someone else to access it. The chances are lowered the more complex you make the password to the resource. If you do not have a static IP address for your internet or someone spoofs your public IP address, there is a chance an attacker will have the ability to connect to the Azure SQL Server. This is where the password complexity comes into play. The stronger the password, the harder/longer it will take to brute force their way in.
If you have time to do the research/learning on this, I'd suggest taking a look at the online training Microsoft has for the Azure Solutions Architect certification. I think it will help you to better understand the intricacies involved with building a solution such as this.
https://learn.microsoft.com/en-us/learn/certifications/azure-solutions-architect
MS suggests these ways to allow Power BI Desktop to access an Azure DB
a) opening inbound connections of all Azure IP ranges to Azure SQL
b) opening inbound connections to certain IPs
c) use an Enterprise Gateway, even if you are in Azure and not on-premise.
Concerns: is this as secure as a real VPN? Means no data can be sent to the DB Server port?
d) Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
e) is the Azure Application Proxy a solution?
What is the best security practice?
a) and b) worry me, because of a huge unknown Azure user group that does not need to have access, and because the DB would not be protected against IP spoofing.
For c), d), e) I did not find a clear quote from MS about the security risk.
Thank you for clarifying and commenting on my concerns.
From Power BI Desktop, option b) opening inbound connections to certain IPs, is the typical approach. There's typically a small, and fixed set of public IPs that your organization uses for outbound traffic, and these can be added to the Azure SQL Server's Firewall.
IP Spoofing is a non-issue, as Azure will never route return packets to the spoofer, even if they somehow got all the way to the SQL Server.
c) use an Enterprise Gateway Concerns: is this as secure as a real VPN? Means no data can be sent to the DB Server port?
Yes. The Power BI Gateway server runs on a private Azure VNet, and the SQL Server's firewall is configured to allow connections from this VNet. But Power BI Desktop can't connect directly using a Gateway. It's only a solution for connecting from Power BI Service to your data source. So if you publish a shared Data Set, you can connect using Power BI desktop to that. But you can't connect directly from Power BI Desktop to Azure SQL Database via the gateway. So you still need a firewall rule for the users designing the Power BI Data Sets (models) in Power BI Desktop.
Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
No. This is not an HTTP connection, so there's no reverse proxy. Although you can configure your Azure SQL Database to allow Azure Active Directory accounts, and then use your conditional access policies to force MFA. These are built-in to Azure SQL Database and Azure Active Directory, and are a layer of security after the firewall.
2021 Edit
Azure SQL Database now supports Private Link which enables Azure SQL Database to listen on an IP address on a private network in Azure. This network can be routed to your Power BI Desktop users using Site-to-Site VPN or ExpressRoute, or developers can deploy a Point-to-Site VPN to enable a single desktop to communicate directly with the target private network.
Is it possible to connect a Microsoft Azure Web Site to a SQL Server Database hosted on-premises and, if so, what are the steps that I need to follow?
Let any request coming from your Azure Web Site IP and targeting TCP port 1433 in through your firewall. Then change your connectionString on your Azure Web Site to point to the public gateway used on premise.
As #qux mentioned, you need to allow for inbound traffic on port 1433. With Azure Web Sites, you won't have a dedicated outbound IP address, so you'll need to rely on a secure SQL Server configuration.
If you shift to Cloud Services (web role / worker role), then you will have an IP address to filter against. Same thing with Virtual Machines.
You can also set up a VPN (and there are many VPN appliances certified with Azure).