Hello dear reader. This is the second of a four-part series on a recent online event hosted by Microsoft on their Microsoft Developer page over on YouTube. From August 17th to August 20th Anna Hoffman and Bob Ward hosted a live boot camp for Azure SQL. This post gives you the key takeaways from day 2 of that event. The topic for Day 2 was Azure SQL security and performance. Below are my takeaways. If you’re looking for the Day 1 takeaways, look here.
I. Four methods discussed for handling network security in Azure for Azure SQL database.
- The setting “Allow Azure services and resources to access this server” (referred to in the session as “Allow Access to Azure Services”). This does not merely let your own resources talk to each other: it accepts connections from any address in Azure’s public IP ranges, including resources in other customers’ subscriptions. Under the covers it is a server-level firewall rule named AllowAllWindowsAzureIps with a start and end address of 0.0.0.0. Treat it as a deployment convenience and do not leave it enabled.
- Firewall Rules : IP allow-lists, not the Azure Firewall service. Server-level rules live in the master database of the logical server and apply to every database on it; database-level rules live in the individual database and are evaluated first. Each rule is a public IPv4 range, which is how you admit an office egress address or an on-premises VPN gateway.
- Virtual Network Rules : Not a firewall feature. They rely on a virtual network service endpoint for Microsoft.Sql on a subnet, so that traffic from that subnet reaches the server over the Azure backbone and is identified by subnet rather than by public IP. They are applied at the server level, not the database level.
- Private Link : Creates a private endpoint, a network interface with a private IP address inside your own virtual network, so clients reach the server without ever touching a public address. Combine it with denying public network access on the server and the IP firewall rules stop mattering. This is the most secure of the four.
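As an added example (not code from the boot camp or this post), here is what the IP firewall rules look like from T-SQL on an Azure SQL Database logical server, including how to find and remove the rule that the “Allow Azure services” switch creates. The rule names are placeholders and the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. Virtual network rules and private endpoints cannot be managed from T-SQL; those need the portal, CLI or ARM.

```sql
-- Added example, not from the boot camp or the original post.
-- Server-level rules are managed in the master database of the logical server,
-- and only the server admin or the Azure AD admin may change them. USE is not
-- supported in Azure SQL Database, so connect directly to master.

-- 1. Inspect the server-level rules. The portal switch "Allow Azure services
--    and resources to access this server" shows up here as a rule named
--    AllowAllWindowsAzureIps with start and end address 0.0.0.0.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules
ORDER BY name;

-- 2. Turn that switch off by deleting the rule.
IF EXISTS (SELECT 1 FROM sys.firewall_rules WHERE name = N'AllowAllWindowsAzureIps')
    EXEC sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';

-- 3. Replace it with the narrowest rules you can justify: a single office
--    egress address and a /29 for the on-premises VPN pool (placeholder addresses).
EXEC sp_set_firewall_rule
    @name             = N'office-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

EXEC sp_set_firewall_rule
    @name             = N'onprem-vpn-pool',
    @start_ip_address = '198.51.100.8',
    @end_ip_address   = '198.51.100.15';

-- 4. Database-level rules live in the user database and are evaluated before
--    the server-level rules, so one database can admit an address the server
--    as a whole does not. Run this part connected to that database.
EXEC sp_set_database_firewall_rule
    @name             = N'reporting-host',
    @start_ip_address = '203.0.113.77',
    @end_ip_address   = '203.0.113.77';

SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;
```

Re-run the first SELECT after a deployment: pipelines and quick-start templates have a habit of putting AllowAllWindowsAzureIps back.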
II. Understanding RBAC is important.
RBAC stands for Role-Based Access Control and is the means of granting granular control over your Azure environment. This feature isn’t just about SQL; RBAC applies to every resource in Azure. The model is simple: a role, which is just a named collection of permissions, is assigned to a security principal at a particular scope.
A security principal can be a user, group, service principal or managed identity. A user is an individual account in Azure Active Directory. A group is the same concept as a Windows AD group, a collection of users (or other principals) created in Azure Active Directory; it is a principal in its own right, not a kind of service principal. A service principal can be thought of as a user account for an application. A managed identity is a service principal whose credentials Azure creates, rotates and injects for you, so the application never holds a secret of its own; a typical use is letting an application reach Azure Key Vault to retrieve the other secrets it needs. Managed identities are a feature of Azure Active Directory and come with the subscription at no extra cost.
Remember, RBAC is about assigning collections of permissions, called roles, to security principals at a certain scope. We’ve covered security principals, so let’s discuss roles.
Four built-in roles are the foundation, and they apply to every resource type in Azure:
- Owner – Full access to all resources within the scope of the assignment, plus the ability to delegate access to others.
- Contributor – Can create and manage all types of resources within the scope, but cannot grant access to others.
- Reader – View access only.
- User Access Administrator – Manages user access to resources without managing the resources themselves.
Alongside these are many narrower built-in roles scoped to categories of resources such as Compute, Networking, Storage, Integration and Security (SQL DB Contributor and SQL Security Manager, for example). Those are what you reach for when Contributor is broader than the job requires.
Scopes Within Azure
A scope is the set of resources an assignment applies to. Scopes form a hierarchy with parent-child inheritance: grant access at the very top and you have granted it to everything below. The hierarchy is Management Group > Subscription > Resource Group > Resource.
What are some examples of things RBAC can be used for?
- Allow a person to manage virtual networks but not VMs.
- Segment access for development DBAs to non-prod databases only. Put them in a group with the Contributor role on a subscription (or resource group) that hosts only non-prod databases, and they can create and manage databases there. Keep in mind that RBAC governs the control plane: Contributor lets them create, scale and delete the database resource, but connecting to it and reading or writing data still depends on a SQL login or database user, not on the Azure role.
- Allow a person to view endpoints, but not change them in any way.
III. Authentication to Azure SQL
- Authentication is effectively mixed mode: SQL authentication is always available, and Azure Active Directory authentication can be layered on top of it.
- A SQL auth login is required at deployment time and is known as the “server admin.” It is a server-level principal that is effectively sysadmin for the logical server and every database on it, so its password belongs in a vault and using it should be the exception, not the routine.
- If you want the equivalent of Windows authentication, use Azure Active Directory authentication.
- There are syntax differences in CREATE LOGIN and CREATE USER between managed instance and Azure SQL Database, most noticeably when Azure AD identities are involved: in Azure SQL Database the common pattern is a contained database user created FROM EXTERNAL PROVIDER, while managed instance supports the familiar server-level login plus a database user mapped to it.
- Two less-privileged roles let you avoid handing out the server admin login. Both are database roles in the master database of the logical server. Members of loginmanager can create logins for the server. Members of dbmanager can create and drop databases on the server (a database created by a dbmanager member is owned by that member, who connects to it as dbo). Managed instance does not need these because it has the regular SQL Server fixed server roles such as securityadmin and dbcreator.
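The following is an added example, not code from the boot camp or the author, showing how loginmanager and dbmanager members are set up and how the Azure AD syntax differs between the two platforms. Every principal name, the contoso.com tenant and the passwords are placeholders; replace the passwords with generated secrets before running anything like this.

```sql
-- Added example, not from the boot camp or the original post. Names are placeholders.
-- Part A: run connected to master on an Azure SQL Database logical server
-- as the server admin (USE is not supported, so connect directly to master).

-- A login for an operations engineer who manages other logins but should not
-- hold the server admin password. The login needs a user in master before it
-- can be made a member of a master database role.
CREATE LOGIN ops_login_mgr WITH PASSWORD = 'Replace-with-a-generated-secret-1!';
CREATE USER ops_login_mgr FOR LOGIN ops_login_mgr;
ALTER ROLE loginmanager ADD MEMBER ops_login_mgr;

-- A login for the deployment pipeline that creates and drops databases but
-- cannot create logins and has no rights inside databases it did not create.
CREATE LOGIN deploy_dbmgr WITH PASSWORD = 'Replace-with-a-generated-secret-2!';
CREATE USER deploy_dbmgr FOR LOGIN deploy_dbmgr;
ALTER ROLE dbmanager ADD MEMBER deploy_dbmgr;

-- Periodic check: who currently holds these elevated master roles?
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'loginmanager', N'dbmanager')
ORDER BY role_name, member_name;

-- Part B: Azure AD in Azure SQL Database. The usual shape is a contained
-- database user created directly in the user database (connect to it),
-- with no login in master at all. Grant a narrow database role, not db_owner.
CREATE USER [reporting-readers@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [reporting-readers@contoso.com];

-- Part C: Azure SQL Managed Instance keeps the familiar two-step shape:
-- a server-level login in master, then a user mapped to it in each database.
CREATE LOGIN [reporting-readers@contoso.com] FROM EXTERNAL PROVIDER;              -- in master
CREATE USER  [reporting-readers@contoso.com] FROM LOGIN [reporting-readers@contoso.com]; -- in the user database
ALTER ROLE db_datareader ADD MEMBER [reporting-readers@contoso.com];
```

The Azure AD group in Parts B and C is the same identity either way; what differs is whether the platform lets you anchor it to a server-level login.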
IV. Azure SQL Performance Capabilities
There is a lot that could be said about performance for Azure SQL. I am only giving you some key takeaways.
- Large-scale capacity is absolutely available: up to 128 vCores, 4 TB of memory and 4 TB of storage for a single database in Azure SQL, and a 100 TB maximum database size in Hyperscale.
- TempDB is on local SSD and the MIXED_PAGE_ALLOCATION setting is off.
- Only full recovery is supported so minimal logging in bulk operations is not available.
- MAXDOP is controllable at the database level.
- Optimize for ad hoc workloads, a great feature for managing plan cache bloat, is supported for SQL Managed Instance (set through sp_configure, as on-premises) but, as presented in the boot camp, not for SQL Database.
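An added example, not from the boot camp or this post, of the database-level MAXDOP control, together with queries that confirm the recovery model and tempdb page allocation points above. The table dbo.Orders is a placeholder.

```sql
-- Added example, not from the boot camp or the original post.
-- Run connected to the user database; the statements work on both
-- Azure SQL Database and Managed Instance.

-- Confirm the platform defaults described above. Expect FULL and 0 (mixed page
-- allocation off) for each row returned.
SELECT name, recovery_model_desc, is_mixed_page_allocation_on
FROM sys.databases;

-- MAXDOP is a database-scoped configuration (the Azure SQL Database default is 8).
-- Set it for the primary and keep readable secondaries aligned with it.
ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 4;
ALTER DATABASE SCOPED CONFIGURATION FOR SECONDARY SET MAXDOP = PRIMARY;

SELECT name, value, value_for_secondary
FROM sys.database_scoped_configurations
WHERE name = N'MAXDOP';

-- A query hint still overrides the database setting, which is the escape hatch
-- for the occasional index maintenance job on a placeholder table.
ALTER INDEX ALL ON dbo.Orders REBUILD WITH (MAXDOP = 8, ONLINE = ON);
```

Because only full recovery exists, the REBUILD above is fully logged; size maintenance windows with the log write limit of your service tier in mind.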
V. Azure SQL Monitoring
There are a lot of options for monitoring in Azure, and the portal surfaces most of them: Azure Monitor metrics, alerts and logs. The Performance overview and Query Performance Insight blades in the portal are built on Query Store, which is on by default in Azure SQL Database.
Extended events are available in both Azure SQL Managed Instance and Azure SQL Database. The thing to be aware of is that you have no access to the underlying file system in Azure SQL Database, so the only way to use a file target for an extended events session is to write it to Azure Blob Storage through a database scoped credential; sessions there are also created ON DATABASE rather than ON SERVER. If you only need a short window of events, the ring_buffer target needs no storage at all.
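Added example (not from the boot camp or this post) of an extended events session in Azure SQL Database that writes to a blob file target. The storage account, container, SAS token, session name and master key password are placeholders; the SAS needs read, write and list permission on the container, and the credential must be created in the database that owns the session.

```sql
-- Added example, not from the boot camp or the original post. All URLs,
-- secrets and names are placeholders. Run connected to the user database.

-- 1. A database scoped credential whose NAME is the container URL. The secret
--    is the SAS token for that container, without the leading '?'. A database
--    master key must exist first.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-generated-secret-3!';

CREATE DATABASE SCOPED CREDENTIAL [https://examplestorage.blob.core.windows.net/xevents]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET   = 'sv=2020-02-10&ss=b&srt=co&sp=rwl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER';

-- 2. The session is ON DATABASE (not ON SERVER) in Azure SQL Database, and the
--    event_file target takes the full blob URL. This one captures statements
--    that took longer than one second (duration is in microseconds).
CREATE EVENT SESSION [slow_statements] ON DATABASE
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.sql_text, sqlserver.username, sqlserver.client_hostname)
    WHERE duration > 1000000)
ADD TARGET package0.event_file (
    SET filename = N'https://examplestorage.blob.core.windows.net/xevents/slow_statements.xel',
        max_file_size = 10)   -- MB
WITH (MAX_MEMORY = 4 MB, EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS);

ALTER EVENT SESSION [slow_statements] ON DATABASE STATE = START;

-- 3. Confirm it is running, then read the file back straight from blob storage.
SELECT name, create_time FROM sys.dm_xe_database_sessions;

SELECT CAST(event_data AS XML) AS event_data
FROM sys.fn_xe_file_target_read_file(
    'https://examplestorage.blob.core.windows.net/xevents/slow_statements*.xel',
    NULL, NULL, NULL);
```

The SAS token is a bearer secret for the container; scope it to the one container, give it an expiry, and remember that anyone who can read the credential’s definition or the container can read the captured SQL text.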
Dynamic Management Views are available in both Azure SQL Managed Instance and Azure SQL Database. Managed instance exposes the full set of SQL Server DMVs; Azure SQL Database exposes a common subset.
Remember that with managed instance there is no access to the underlying operating system, so tools like perfmon are not available. You do, however, still have the perfmon counters through sys.dm_os_performance_counters.
There are also Azure-specific DMVs. sys.server_resource_stats, in the master database of a managed instance, returns aggregated CPU, IO and storage figures with roughly 14 days of history, and it also reports the SKU, that is, whether the instance is General Purpose or Business Critical. The counterpart for Azure SQL Database is sys.dm_db_resource_stats, which keeps about an hour of 15-second samples inside the database itself; for longer history, sys.resource_stats in the logical server’s master database retains 14 days at 5-minute granularity.
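An added example, not from the boot camp or this post, pulling the resource DMVs together into the queries you would actually run on each platform. The 80% threshold is an arbitrary choice for illustration.

```sql
-- Added example, not from the boot camp or the original post.

-- Azure SQL Database: the last hour of 15-second samples, run inside the database.
SELECT TOP (20) end_time, avg_cpu_percent, avg_data_io_percent,
       avg_log_write_percent, avg_memory_usage_percent, max_worker_percent
FROM sys.dm_db_resource_stats
ORDER BY end_time DESC;

-- Spot sustained pressure rather than spikes: 5-minute windows in the last
-- hour whose average CPU exceeded 80% (an arbitrary threshold for the example).
SELECT DATEADD(minute, (DATEDIFF(minute, 0, end_time) / 5) * 5, 0) AS window_start,
       AVG(avg_cpu_percent) AS avg_cpu,
       MAX(avg_cpu_percent) AS peak_cpu
FROM sys.dm_db_resource_stats
GROUP BY DATEADD(minute, (DATEDIFF(minute, 0, end_time) / 5) * 5, 0)
HAVING AVG(avg_cpu_percent) > 80
ORDER BY window_start;

-- Azure SQL Database, longer view: 14 days at 5-minute granularity, run in master
-- of the logical server (database_name picks the database of interest).
SELECT TOP (20) database_name, end_time, avg_cpu_percent, avg_data_io_percent, avg_log_write_percent
FROM sys.resource_stats
ORDER BY end_time DESC;

-- Managed Instance: run in master; 14 days of history plus the SKU.
SELECT TOP (20) end_time, sku, hardware_generation, virtual_core_count,
       avg_cpu_percent, reserved_storage_mb, storage_space_used_mb, io_requests
FROM sys.server_resource_stats
ORDER BY end_time DESC;

-- perfmon counters without perfmon, on either platform.
SELECT object_name, counter_name, instance_name, cntr_value
FROM sys.dm_os_performance_counters
WHERE counter_name IN (N'Page life expectancy', N'Batch Requests/sec', N'Log Flushes/sec')
  AND instance_name IN (N'', N'_Total');
```

The per-second counters in sys.dm_os_performance_counters are cumulative; sample twice and take the difference over the interval to get a rate.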
This is already a long post and there is a lot I didn’t share or summarize. I encourage you to research performance features like Intelligent Query Processing, Automatic Plan Correction and Automatic Tuning for Azure SQL Database.
I hope these takeaways have been informative and will inspire you to watch the videos and do some of your own research.