Restricting access to an Azure SQL Database using a specific Instance Level Public IP

I am working on an Azure project to migrate a distributed application from on-premises to the cloud. Part of the customer infrastructure is based on a clustered SQL Server, and we decided to leverage Azure SQL Database for this scope.

Post Objective

The purpose of this post is to show you a very simplified version of the architecture that we have implemented, focusing on the method we have used to secure the traffic between Azure Virtual Machines and Azure SQL Database.

Considerations

Azure SQL Database cannot be part of an Azure Virtual Network, so it cannot inherit the configuration of Azure IaaS services such as Network Security Groups, site-to-site VPNs, or others. This means that the connection between Azure SQL Database and Azure IaaS services must go through a public internet connection.

Azure SQL Database has its own firewall, which can be enabled at server level or database level. This helps us because we can restrict access to the DB to a specific IP range. The image below describes how the Azure SQL Database firewall works. Additional information on the Azure SQL Database firewall can be found here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-firewall-configu

The Azure SQL Database firewall has an option that enables connections from Azure services, e.g. a Virtual Machine. This point requires an additional comment, because enabling access to Azure services enables access from all Azure services, even those that are not part of the same infrastructure. To avoid this, we can decide to accept connections only from a static public IP. Azure gives us this flexibility through Instance Level Public IP (ILPIP), which makes it possible to assign a public IP to a specific Virtual Machine.
To learn more about how ILPIP works, you can see the image below or visit this page: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/

Solution adopted

Well, the solution here is pretty easy: I have just associated an ILPIP to the Virtual Machine and configured the Azure SQL DB firewall to accept connections only from the ILPIP (see image above).

Configuration steps

1 – Provision an Azure SQL Database

To deploy an Azure SQL Database, you can follow this tutorial: https://azure.microsoft.com/en-us/documentation/articles/sql-database-get-started/ You can stop at step 4 of the tutorial, because we are adding a few details. In the screenshot below, point number 1 is related to Azure services. Setting this option to ON, all Azure services would be enabled to access our database server, of course with the required credentials. So I have set this option to OFF, which means that any attempt to access the DB from a VM in Azure will produce the message box below.

2 – Enable the ILPIP

Now we need to enable the ILPIP for the Virtual Machine; this can also be done using the Azure Portal (the red arrow in the image below) during the provisioning phase. Please consider that ILPIPs have a cost; details can be found here: https://azure.microsoft.com/en-us/pricing/details/ip-addresses/

3 – Test the connection

And that's it: after adding the ILPIP to the Azure SQL Database firewall, the connection will work.

To learn more about Azure SQL Database I recommend visiting this page: https://azure.microsoft.com/en-us/documentation/services/sql-database/.

Ciao!
Francesco @francedit
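The same configuration done from the classic (ASM) Azure PowerShell module, as an added example that is not part of the original post: it reads the ILPIP of the VM, drops the "allow Azure services" rule if present, adds a single-address rule for the ILPIP and prints the resulting rule set so that any range wider than one address stands out. Service, VM and SQL server names are placeholders.

```powershell
# Added example (not from the original post). Assumes the classic Azure PowerShell
# module (Add-AzureAccount already done) and these placeholder names.
$serviceName = "my-cloud-service"   # placeholder: cloud service hosting the VM
$vmName      = "my-vm"              # placeholder: VM that has the ILPIP assigned
$sqlServer   = "mysqlserver"        # placeholder: Azure SQL Database server name

# 1. Read the ILPIP assigned to the VM. Without an ILPIP the VM's outbound traffic
#    leaves through the shared cloud service VIP, which is not what we want to allow.
#    (Assumption: Get-AzurePublicIP exposes the address in the Address property.)
$ilpip = Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzurePublicIP
if (-not $ilpip) { throw "VM '$vmName' has no Instance Level Public IP assigned." }
$address = $ilpip.Address

# 2. Remove the special "allow all Azure services" rule if the portal switch left
#    it behind; it is stored as the 0.0.0.0 - 0.0.0.0 rule.
Get-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" } |
    ForEach-Object {
        Remove-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer -RuleName $_.RuleName -Force
    }

# 3. Add a rule that matches exactly one address (start = end = the ILPIP).
New-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer -RuleName "ILPIP-$vmName" `
    -StartIpAddress $address -EndIpAddress $address | Out-Null

# 4. Verify: list the remaining rules and flag anything wider than a single address.
Get-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer | ForEach-Object {
    $note = if ($_.StartIpAddress -ne $_.EndIpAddress) { "REVIEW: range" } else { "ok" }
    "{0,-25} {1,-15} - {2,-15} {3}" -f $_.RuleName, $_.StartIpAddress, $_.EndIpAddress, $note
}
```

If the VM is later re-provisioned with a different ILPIP, step 1 picks up the new address and step 3 has to be re-run, so keeping this script with the deployment scripts avoids a silently stale rule.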

Configuring Azure Network Security Groups with PowerShell

One of my first activities in my new role here at Insight has been to help one of our customers set up an Azure environment for a Business Intelligence project, with a couple of network security requirements, including the configuration of Azure Network Security Groups, which can be used to control the traffic between Virtual Machines. In this post we will focus only on this part of the request, showing how to create a simple test scenario to simulate the use of Azure NSG.

Scenario

Create a Virtual Network on Azure with 2 subnets, and enable only the specified traffic between the 2 subnets. In our example we will enable FTP traffic, denying the rest of the traffic.

Configuration

1 – Create an Azure Virtual Network and two subnets. This step is very easy and it can be done using the Azure portal (both the old and the new portal are fine for this purpose). For a tutorial you can visit this page: http://azure.microsoft.com/en-us/documentation/articles/create-virtual-network/ The result of the VNET creation is shown below. We have a Virtual Network called netacl. The VNET contains two subnets:
- Subnet-1 – 10.0.0.0/24
- Subnet-2 – 10.0.1.0/24

2 – Create two virtual machines, where each VM is coupled with a specific subnet.
a. Francedacl1 – 10.0.0.4
b. Francedacl2 – 10.0.1.4

3 – Enable network security groups at subnet level, to limit the allowed traffic between the two subnets. The security group will be called sg1.
In our case we are using the SG at subnet level, but you could also use them between VMs. This step can be accomplished using PowerShell, and below you can find the cmdlets that I have used for the configuration:

Add-AzureAccount
Set-AzureSubscription -SubscriptionName "my subscription"
Select-AzureSubscription -SubscriptionName "my subscription"
Get-AzureSubscription

$vnetname = "netacl"
$subnetname = "Subnet-1"

#francedacl1 10.0.0.4 in subnet "Subnet-1"
#francedacl2 10.0.1.4 in subnet "Subnet-2"

#Create a new security group
New-AzureNetworkSecurityGroup -Name "sg1" -Location "West Europe"

#Add the SG to Subnet-1 (the outbound rules below apply to traffic leaving this subnet)
Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetname -SubnetName $subnetname

#Allow FTP (TCP/21) from Subnet-1 to Subnet-2
Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityRule -Name "Allow FTP" -Type Outbound -Priority 100 -Action Allow -SourceAddressPrefix '10.0.0.0/24' -SourcePortRange '*' -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange "21" -Protocol TCP

#Deny all other traffic from Subnet-1 to Subnet-2 (a lower priority number wins, so the FTP rule above is evaluated first)
Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityRule -Name "Disable all other traffic" -Type Outbound -Priority 200 -Action Deny -SourceAddressPrefix '10.0.0.0/24' -SourcePortRange '*' -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange "*" -Protocol *

#Get info on the SG
Get-AzureNetworkSecurityGroup -Name "sg1" -Detailed

Test the configuration

To test the configuration we can simply try to access the FTP port (success) and try to access another port, e.g. RDP (failure).

In case you need to delete the security group, you can use the commands below:

#remove
Remove-AzureNetworkSecurityGroupFromSubnet -Name "sg1" -VirtualNetworkName "netacl" -SubnetName "Subnet-1"
Remove-AzureNetworkSecurityGroup "sg1" -Force

Considerations

NSG is a great enhancement that can assist in the design of a secure network configuration, e.g. a DMZ. I recommend visiting the official Microsoft documentation to get more information about NSG: http://azure.microsoft.com/blog/2014/11/04/network-security-groups/

Ciao!
Francesco @francedit
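The "FTP succeeds, RDP fails" test from the section above, turned into a repeatable check; this is an added example and not part of the original post. It runs on francedacl1 (10.0.0.4), the VM inside Subnet-1 where the sg1 outbound rules apply, and assumes Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example (not from the original post): verify that sg1 enforces the intended
# FTP-only policy from Subnet-1 towards francedacl2 in Subnet-2.
$target = "10.0.1.4"   # francedacl2, from the post

# Expected outcome per port, derived from the sg1 rules: TCP/21 is allowed by
# "Allow FTP" (priority 100); everything else to 10.0.1.0/24 is denied by
# "Disable all other traffic" (priority 200).
$expected = @{
    21   = $true    # FTP, must reach a listener on francedacl2
    3389 = $false   # RDP, the port the post uses as the failing case
    80   = $false   # any other port should be blocked too
}

$mismatches = @()
foreach ($port in ($expected.Keys | Sort-Object)) {
    $reachable = Test-NetConnection -ComputerName $target -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $status = if ($reachable -eq $expected[$port]) { "as expected" } else { "MISMATCH" }
    "{0,-6} reachable={1,-5} expected={2,-5} {3}" -f $port, $reachable, $expected[$port], $status
    if ($reachable -ne $expected[$port]) { $mismatches += $port }
}

if ($mismatches.Count -gt 0) {
    Write-Warning ("sg1 does not match the intended policy on ports: " + ($mismatches -join ", "))
} else {
    "sg1 enforces the intended FTP-only policy towards $target."
}
```

From the client side a Deny rule and a closed port look identical, so the port 21 check only proves the Allow rule when an FTP service is actually listening on francedacl2; a "MISMATCH" on 21 therefore means either the NSG or the missing listener.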