Microsoft Azure – Security in Azure SQL

Last Updated : 31 Mar, 2023
Pre-requisite: Azure VM

Microsoft Azure is a cloud computing service offered by Microsoft for managing applications through Microsoft-managed data centers. It gives users numerous application management options, so that they can manage their work freely and conveniently. Azure SQL is a family of cloud services, provided by Microsoft Azure, that delivers relational database services to the user. It offers products such as Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure VMs. When using such services, security is always a concern. In this article, we will be talking about Azure SQL and specifically its security features. Azure SQL is a relational database service that provides multi-layer security to its users. Here are some of the main security features provided by Azure SQL Database:

Database Firewall in Azure SQL:

Azure SQL provides a database firewall feature that helps keep the user's data safe. Its default setting prevents all direct access to the SQL database and only allows the selected IP addresses that the user has explicitly permitted. Such settings create a virtual security wall against cyber attacks.

The gateway firewall's address restriction feature limits which addresses can reach the database and only permits access based on the originating IP address of the request. Customers have granular control, so that only specific IP address ranges are accepted.
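As an added illustration (not code from the article or from Azure), the following Python models the gateway's default-deny evaluation against a constructed rule set and flags rules so wide that they defeat the granular IP restriction. In Azure SQL Database the real rules are created with sp_set_firewall_rule (server level) or sp_set_database_firewall_rule (database level); the class, rule names and addresses here are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallRule:
    """One Azure SQL style rule: a named, inclusive IPv4 address range."""
    name: str
    start_ip: str
    end_ip: str

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start_ip) <= addr <= ipaddress.ip_address(self.end_ip)

    def size(self) -> int:
        """Number of addresses the rule admits."""
        return int(ipaddress.ip_address(self.end_ip)) - int(ipaddress.ip_address(self.start_ip)) + 1

# Constructed rule set (not from any real server), using documentation address ranges.
SERVER_RULES = [
    FirewallRule("office-egress", "203.0.113.0", "203.0.113.255"),
    FirewallRule("bastion-host", "198.51.100.7", "198.51.100.7"),
]
# The weak setting: a rule that admits every address and so switches the firewall off.
WEAK_RULE = FirewallRule("allow-everything", "0.0.0.0", "255.255.255.255")

def is_allowed(client_ip, server_rules, database_rules=()):
    """Default deny: admit only if some server- or database-level rule covers the source IP."""
    return any(rule.matches(client_ip) for rule in (*server_rules, *database_rules))

def audit_rules(rules, max_hosts=256):
    """Names of rules wider than max_hosts addresses, which defeat the granular restriction."""
    return [rule.name for rule in rules if rule.size() > max_hosts]
```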

DoSGuard Settings:

DoSGuard is a denial-of-service (DoS) protection feature of the Azure SQL Database gateway. It helps lessen cyberattacks by actively tracking operations to find failed login attempts from IP addresses. If an IP address attempts to log in multiple times in a short period without success, it is blocked from accessing any service resources for a predetermined period of time.
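To make the lockout behaviour described above concrete, here is an added Python model (not Azure's DoSGuard code) that replays a constructed gateway log, counts failed logins per source IP in a sliding window, and blocks an IP for a fixed period once the threshold is reached. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample gateway log (not real Azure output): one login attempt per line.
SAMPLE_LOG = """\
2023-03-31T10:00:01Z src=203.0.113.9 user=sa result=FAILED
2023-03-31T10:00:03Z src=203.0.113.9 user=sa result=FAILED
2023-03-31T10:00:05Z src=203.0.113.9 user=sa result=FAILED
2023-03-31T10:00:07Z src=203.0.113.9 user=sa result=OK
2023-03-31T10:00:09Z src=198.51.100.7 user=app result=FAILED
2023-03-31T10:00:11Z src=198.51.100.7 user=app result=OK
2023-03-31T10:05:06Z src=203.0.113.9 user=sa result=OK
"""
LINE = re.compile(r"^(\S+) src=(\S+) user=\S+ result=(OK|FAILED)$")

def parse(lines):
    """Yield (unix_time, source_ip, success) for each well-formed log line."""
    for m in filter(None, map(LINE.match, lines)):
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts.timestamp(), m.group(2), m.group(3) == "OK"

class DoSGuardSimulator:
    """`threshold` failures from one IP within `window_s` seconds block it for `block_s` seconds."""
    def __init__(self, threshold=3, window_s=60, block_s=300):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def record_login(self, ip, success, now):
        """Return 'blocked', 'failed' or 'ok' for one attempt."""
        if now < self._blocked_until.get(ip, 0):
            return "blocked"                  # rejected even with valid credentials
        if success:
            self._failures.pop(ip, None)      # a success resets the failure count
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.threshold:
            self._blocked_until[ip] = now + self.block_s
            recent.clear()
            return "blocked"
        return "failed"

def replay(lines, **params):
    """Run a log through a fresh guard and return each attempt's verdict."""
    guard = DoSGuardSimulator(**params)
    return [guard.record_login(ip, ok, t) for t, ip, ok in parse(lines)]
```

Note that the fourth attempt is refused although the credentials were valid, and the same IP is admitted again only once the block period has expired.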

Secure-channel capability negotiations are carried out by the Azure SQL Database gateway when it establishes a connection with the database servers, in order to implement TDS FIPS 140-2 validated encrypted connections. Stateful TDS packet inspection is additionally carried out while permitting client connections.

It only allows the connections and transactions that are necessary for the service to run, while other connections, protocols, and ports are disabled by default. Network communications are limited by source and destination networks, protocols, and port numbers using VLANs and ACLs.

Through features such as the host VM firewall and the Azure SQL Database gateway firewall, the customer can control and configure processes such as ACLs on load balancers and routers, which gives the user both freedom and security.

TDS Protocol:

The Tabular Data Stream protocol, also known as TDS, is an application-layer request/response protocol that makes it easier to communicate with database servers and offers channel encryption and authentication. Azure SQL supports only the TDS protocol, so by default the database is reachable only via TCP port 1433. This restriction is part of the network security assurance.

Customer Privacy And Data Segmentation:

Azure has structured its products in a way that separates the publicly accessible system components from internal resources. Physical and logical boundaries separate the web servers that provide access to the public-facing Azure portal from the underlying Azure virtual infrastructure, which contains customer application instances and data.

Here, the Azure production network is used to manage all publicly available data. The production network is protected by two-factor authentication and border protection techniques, which combine data isolation capabilities with the firewall and security feature sets.

Production Configuration Management in Azure SQL:

The operations teams of Azure SQL Database develop all configuration changes and maintain the standard secure configurations. Along with software and hardware changes, all configuration changes in production systems are tracked using a central tracking system. Networking changes are also tracked using an ACL management service.

Changes are deployed to the production environment only after being tested in a staging environment, where the software builds are also evaluated. As part of the entry checklist criteria, security and privacy checks are also examined. The appropriate deployment team releases changes at predetermined intervals. Before a release is put into production, the members of the respective deployment team review and approve it.

Modifications are tracked and, in the event of a failure, rolled back. The configuration settings in the Azure virtual environment are centrally managed, applied, and verified using Source Depot, Git, TFS, Master Data Services (MDS), runners, FC, and the WinFabric platform.

Similarly, validation procedures for hardware and network changes are established to assess their compliance with the build specifications. Releases are examined and approved through a coordinated change advisory board (CAB) made up of relevant groups from across the stack.

Segregation of VLAN:

Network segmentation with virtual local area networks (VLANs) is another advantage of Azure SQL. It creates a set of isolated networks within the data center, each of which carries only its own network traffic. When properly configured, it can protect the network from system attacks: it separates authorized networks from unauthorized ones and can therefore manage the task efficiently.

The Azure production network is logically divided into three primary VLANs. The first is the main VLAN, which connects untrusted customer nodes. The second is the FC VLAN, which includes trusted FCs as well as supporting systems. Finally, the device VLAN is a collection of trusted network and other infrastructure devices. Such segregation provides secure and flexible user mobility in the Azure SQL database.

Control over Unauthorized Device Addresses And PC Isolation Settings:

The Azure Fabric Controller (FC) is the central orchestrator of the fabric and is designed to manage threats directed at it, usually from possibly compromised fabric agents (FAs) within customer applications. The FC only recognizes hardware with pre-loaded device information; for example, the DHCP servers on the FC have configured lists of the MAC addresses of the nodes they are willing to boot. Any other unrecognized network device addresses are not incorporated into the fabric inventory, and thus are not connected or approved to communicate with any system within the fabric inventory. This reduces the possibility of unauthorized systems conversing with the FC and gaining access to the VLAN and Azure.

Packet Filtering:

Packet filtering is another Azure SQL feature that allows or blocks packets at any OS layer. The IPFilter and software firewalls installed on the root and host operating systems of the nodes impose connectivity restrictions and prevent unwanted traffic between VMs. The filter examines each data packet and categorizes it according to predefined rules. It generally looks at information such as the source IP address, destination IP address, source port number, and destination port number, and then decides what to do with the packet based on that information. It only accepts packets that are explicitly permitted; anything uncertain is rejected.

Settings Related To Hypervisor, Root OS, and Host VMs: 

The Azure hypervisor is built on the Windows Hyper-V platform, which is intended to secure information transfer between VMs by isolating it via the Virtual Machine Manager (VMM) and hardware. It establishes and maintains the integrity of the overall system. The computer administrator can use this setting to specify guest partitions with separate address spaces, which allows an operating system and applications to be loaded that run concurrently with the host operating system in the computer's root partition. The host operating system has direct access to all of the system's physical and external devices, for example storage controllers and network adapters.

By exposing "virtual devices" to each guest partition, the host OS allows guest partitions to share the use of these physical devices. As a result, an operating system running in a guest partition can access virtualized external devices provided by the virtual machine services running in the root partition.
