Restricting access to an Azure SQL Database using a specific Instance Level Public IP

I am working on an Azure project to migrate a distributed application from on-premises to the cloud. Part of the customer infrastructure is based on a clustered SQL Server, and we decided to leverage Azure SQL Database for this scope.

Post objective

The purpose of this post is to show you a very simplified version of the architecture that we have implemented, focusing on the method we have used to secure the traffic between Azure Virtual Machines and Azure SQL Database.

Considerations

Azure SQL Database cannot be part of an Azure Virtual Network, so it cannot inherit the configuration from Azure IaaS services, like Network Security Groups, site-to-site VPNs, or others. This means that the connection between Azure SQL Database and Azure IaaS services must go through a public internet connection.

Azure SQL Database has its own firewall, which can be enabled at server level or database level. This can help us because we can restrict access to the DB to a specific IP range. The image below describes how the Azure SQL Database firewall works. Additional information on the Azure SQL Database firewall can be found here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-firewall-configu

The Azure SQL Database firewall has an option that enables connections from Azure services, e.g. a Virtual Machine. This point requires an additional comment, because enabling access to all Azure services potentially enables access from all Azure services, even those that are not part of the same infrastructure. To avoid this, we could decide to only accept connections from a static public IP. Azure gives us this flexibility through Instance Level Public IP (ILPIP), which makes it possible to assign a public IP to a specific Virtual Machine.

To learn more about how ILPIP works, you can see the image below or visit this page: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/

Solution adopted

Well, the solution here is pretty easy: I have just associated an ILPIP to the Virtual Machine and configured the Azure SQL DB firewall in order to accept connections only from the ILPIP (see image above).

Configuration steps

1 – Provision an Azure SQL Database

To deploy an Azure SQL Database, you can follow this tutorial: https://azure.microsoft.com/en-us/documentation/articles/sql-database-get-started/ You can stop at step 4 of the tutorial, because we are adding a few details here. In the screenshot below, point number 1 is related to Azure services. Setting this option to ON, all Azure services would be enabled to access our database server, of course with the required credentials. So I have set this option to OFF, which means that any attempt to access the DB from a VM in Azure will produce the message box below.

2 – Enable the ILPIP

Now we need to enable the ILPIP for the Virtual Machine, and this can also be achieved using the Azure Portal (the red arrow in the image below), during the provisioning phase. Please consider that ILPIPs have a cost; details can be found here: https://azure.microsoft.com/en-us/pricing/details/ip-addresses/

3 – Test the connection

And that's it: after adding the ILPIP to the Azure SQL Database firewall, the connection will work.

To learn more about Azure SQL Database I recommend visiting this page: https://azure.microsoft.com/en-us/documentation/services/sql-database/.

Ciao!
Francesco @francedit
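The three configuration steps above, as an added example done with the classic Azure PowerShell module instead of the portal (this is not code from the original post). Service, VM, ILPIP and server names are placeholders, and the Address property read from Get-AzurePublicIP is assumed; the example also removes the rule that the "Allow access to Azure services" switch stores on the server, so the firewall ends up with nothing but the ILPIP.

```powershell
# Added example (classic Azure PowerShell module, Service Management mode),
# not code from the original post. Service, VM, ILPIP and server names are placeholders.
$serviceName = "my-cloud-service"   # classic cloud service that hosts the VM
$vmName      = "my-app-vm"
$ilpipName   = "my-app-ilpip"
$sqlServer   = "abcd1234"           # Azure SQL Database logical server name

# 1. Assign an Instance Level Public IP to the VM; Azure allocates the address.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzurePublicIP -PublicIPName $ilpipName |
    Update-AzureVM

# Read back the allocated address (the Address property of Get-AzurePublicIP is assumed).
$ilpip = (Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzurePublicIP).Address

# 2. The portal's "Allow access to Azure services" switch is stored as a server-level
#    rule named AllowAllWindowsAzureIps with the sentinel range 0.0.0.0-0.0.0.0, which
#    admits any Azure-originated address, not only your own VMs. Remove it if present.
$rules = Get-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer
if ($rules | Where-Object { $_.RuleName -eq "AllowAllWindowsAzureIps" }) {
    Remove-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer `
        -RuleName "AllowAllWindowsAzureIps" -Force
}

# 3. Allow only the ILPIP: a single-address range (start = end).
New-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer -RuleName "AllowAppVmILPIP" `
    -StartIpAddress $ilpip -EndIpAddress $ilpip

# 4. Verify: every remaining server-level rule should be exactly the ILPIP. A wider
#    range, or the 0.0.0.0 sentinel, means the server is still reachable from elsewhere.
Get-AzureSqlDatabaseServerFirewallRule -ServerName $sqlServer | ForEach-Object {
    $exact  = ($_.StartIpAddress -eq $ilpip) -and ($_.EndIpAddress -eq $ilpip)
    $status = if ($exact) { "OK" } else { "REVIEW" }
    "{0,-26} {1,-15} - {2,-15} {3}" -f $_.RuleName, $_.StartIpAddress, $_.EndIpAddress, $status
}
```

Database-level rules are not listed by this check; if any were created they must be reviewed separately.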

Enabling RBAC (Role Based Access Control) to access a Virtual Machine on Microsoft Azure

Suppose you have the following request from one of your external consultants (I've got this request from one of my customers :) ):

- I would like to access the Virtual Machine for administrative purposes, and I need to be able to shut it down (or start it) when needed. I only have a Microsoft Account, which is not integrated with your AD.

Your VM is running on Microsoft Azure, and you don't want to give access to all resources in your subscription.

With the Azure Management Portal, the only possibility was to create a custom application (see an example here) using APIs and restrict access using a different interface. That's because the old Azure portal only allows the possibility to add co-administrators, which can access all services inside the subscription. Then Azure Active Directory was launched, and with it role-based access control features, together with the new Azure Portal, which is in preview today. RBAC is really a cool addition that can cover most of the typical scenarios, including complex configurations via Azure PowerShell, Azure CLI or APIs.

But let's go back to our original request: you need to give access to a specific VM, including the possibility to shut it down when needed. This can be achieved using the GUI, and below you can find the steps required.

A few preliminary notes:

NOTE1: to get detailed information on how RBAC works on Azure, please visit this page - https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/

NOTE2: RBAC only applies to the Azure Portal (https://portal.azure.com), and not to the Azure Management Portal (https://www.windowsazure.com). Administrators and co-admins in the Azure Management Portal will have access to all the resources and services in the Azure Portal. A user enabled with RBAC that is not added in the admin and co-admin area of the Azure Management Portal won't have access to all the resources inside the subscription, but only to the resources and services to which he is enabled.

NOTE3: RBAC can be enabled via Azure Portal, Azure PowerShell and Azure CLI.

NOTE4: RBAC is based on Azure Active Directory. It is possible to enable access to external Microsoft Account users, which will become Guest Accounts in Azure Active Directory.

1 – Enable access to a Virtual Machine

Select the Virtual Machine that has to be enabled for external access. Navigate to Settings and then to the Users section. Select Add from the Users section. Under the Select a role section, select Virtual Machine Contributor. Add the Microsoft Account. You have the option to invite the account, if it is not already in the list of enabled accounts. In the image below you can find the result of the user assignment.

2 – External user access experience

This is the user experience that francescodiaz@outlook.com will find after being enabled to the portal. As you can see, only the VM will be displayed in the list of resources. The external user also has the possibility to shut down or restart the VM, if needed.

Conclusions

This is the quickest way, and not the best, to give access to a VM to an external user. For additional information, I recommend visiting this page, which contains a lot of useful details and best practices.

Ciao!
Francesco @francedit
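The role assignment from step 1, as an added example with the Az PowerShell module rather than the portal (not code from the original post). Resource group and VM names are placeholders; for a guest account, the SignInName value may have to be the guest's user principal name inside the directory rather than the Microsoft Account address. It goes beyond the post by also cloning a narrower custom role, which addresses the "not the best" remark in the conclusions.

```powershell
# Added example using the Az PowerShell module (Azure Resource Manager); it is not
# code from the original post. Resource group and VM names are placeholders.
$resourceGroup = "rg-consulting"
$vmName        = "my-app-vm"
$guestUser     = "francescodiaz@outlook.com"   # the Microsoft Account from the post
$roleName      = "Virtual Machine Contributor"

# Scope the assignment to the VM's own resource Id, so nothing else in the
# resource group or subscription becomes visible to the guest.
$vmScope = (Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName).Id

# The guest must already exist in the directory (invited from the portal, as in the post).
New-AzRoleAssignment -SignInName $guestUser -RoleDefinitionName $roleName -Scope $vmScope

# Check 1: all of the guest's assignments, including those inherited through groups.
# An assignment at a wider scope (resource group or subscription) is inherited by the
# VM and would grant more than the single VM the request asked for.
$assignments = Get-AzRoleAssignment -SignInName $guestUser -ExpandPrincipalGroups
$assignments | Format-Table RoleDefinitionName, Scope -AutoSize
$wide = $assignments | Where-Object { $_.Scope -ne $vmScope }
if ($wide) {
    Write-Warning ("{0} also has assignments outside the VM: {1}" -f $guestUser, ($wide.Scope -join "; "))
}

# Check 2: what the built-in role really permits on the VM. Its wildcard covers the
# start, power-off and restart operations requested, but also delete, resize and redeploy.
(Get-AzRoleDefinition -Name $roleName).Actions |
    Where-Object { $_ -like "Microsoft.Compute/virtualMachines/*" }

# Narrower alternative (goes beyond the post): a custom role limited to reading the VM
# and changing its power state, cloned from the built-in definition. Assign it at the
# same VM scope instead of Virtual Machine Contributor.
$subscriptionId = (Get-AzContext).Subscription.Id
$custom = Get-AzRoleDefinition -Name $roleName
$custom.Id = $null
$custom.IsCustom = $true
$custom.Name = "VM Power Operator (custom)"
$custom.Description = "Read a VM and start, stop, deallocate or restart it. No delete or resize."
$custom.Actions.Clear()
$custom.Actions.Add("Microsoft.Compute/virtualMachines/read")
$custom.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$custom.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$custom.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$custom.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$custom.AssignableScopes.Clear()
$custom.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroup")
New-AzRoleDefinition -Role $custom
# Then: New-AzRoleAssignment -SignInName $guestUser -RoleDefinitionName $custom.Name -Scope $vmScope
```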