Solved

Protect port 1733 on Azure

Posted on 2015-02-20
Last Modified: 2015-02-23
Hello,
Can someone recommend a good way to protect port 1733 for Azure's SQL VMs?
I am looking here:
http://azure.microsoft.com/blog/2014/03/28/network-isolation-options-for-machines-in-windows-azure-virtual-networks/, at Option 1: Subnets within a Single Virtual Network.
It says that:
"Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security, as depicted simply in the diagram below."
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-13-25/6574.ashwin-VN.png
Is that the case today?
If it is relevant to you, how have you addressed this?
Thanks!
Question by: IT-NYC

Accepted Solution by: btan (earned 500 total points)
VNet indeed has limitations:
Can I bring my VLANs to Azure using Virtual Network?
Virtual Networks are Layer-3 overlays. We do not support any Layer – 2 semantics.

Can I specify custom routing policies on my virtual networks and subnets?
No. We do not support custom routing policies with virtual networks.

Can I use SQL DBs with virtual networks?
No. We do not support SQL DBs with virtual networks.

Can I define ACLs on my virtual networks?
No. We do not support ACLs for subnets within virtual networks. However, ACLs can be defined on input endpoints for virtual machines that have been deployed to a virtual network. Note: a virtual machine does not have to be deployed to a virtual network in order to define an ACL for the input endpoint.
https://msdn.microsoft.com/en-us/library/azure/dn133803.aspx

Also, I believe you are referring to port 1433 instead, for the Azure SQL Database service. Other considerations to secure:

- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or Azure to Azure SQL Database server
- Control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases
- Block inbound connections on TCP port 1433 if inbound communications are not needed by any other applications on that computer; ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

The Virtual Network Security whitepaper also speaks on this, with a caveat:
To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source.

However, creating ACLs based on IP addresses is not ideal, since the ACLs must be updated any time the public virtual addresses change. This can result in service failures, and puts additional burden on the administrator. Public virtual IP addresses can change after compute resources are de-allocated when a virtual machine is shut down, or after a deployment is deleted. Using in-place upgrade enables administrators to deploy new versions of their service without the public IPs of the VMs changing.
      
•      For more information on how to configure IP ACLs, see About Network Access Control Lists
http://go.microsoft.com/fwlink/?LinkId=386611
Azure SQL Database Firewall - https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
Azure SQL Database Connection Security - http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx#comment-4847
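The asker's scenario is SQL Server running on an Azure VM, and the point of the answer above is that a 2015 VNet subnet carries no ACLs, so what remains is Windows Firewall with Advanced Security inside the guest and, if an input endpoint must exist at all, an ACL on that endpoint. The following is an added example, not code from the thread, showing both with the NetSecurity cmdlets of Windows Server 2012 R2 and the Azure Service Management PowerShell module of that era. The subnet, cloud service, VM and endpoint names are assumed placeholders, and the cmdlet parameters are as I know them from those modules; confirm them with Get-Help on the versions you run.

```powershell
# Added example, not from the thread. Locks down TCP 1433 on a SQL Server VM two ways:
# Windows Firewall with Advanced Security inside the guest (VNet subnets have no ACLs),
# and an ACL on the classic input endpoint, if one has to exist at all.
# Subnet, cloud service, VM and endpoint names below are assumed placeholders.

$SqlPort     = 1433
$AppSubnet   = '10.0.1.0/24'     # assumed: VNet subnet of the web/app tier (internal DIPs)
$ServiceName = 'mysqlservice'    # assumed: cloud service hosting the SQL VM
$VmName      = 'sqlvm01'         # assumed

# --- 1) Guest firewall -----------------------------------------------------------
# Windows Firewall evaluates Block rules ahead of Allow rules, so do NOT pair the
# allow rule with a "block 1433 from Any" rule: the block would also hit the app
# subnet. Make the profiles' default inbound action Block and keep exactly one
# Allow rule scoped to the app subnet.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Enabled inbound Allow rules that list 1433 as a local port (SQL setup or an admin
# may have created one scoped to Any). Exact port entries only; ranges are not parsed.
function Get-Open1433Rules {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains "$SqlPort") } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

# Disable whatever is already open, then add the one narrowly scoped rule.
Get-Open1433Rules | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName "SQL $SqlPort - app subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AppSubnet -Action Allow -Profile Any | Out-Null

# Check: the only enabled inbound Allow rule on 1433 should now be ours, and its
# remote address filter should show $AppSubnet rather than Any.
Get-Open1433Rules | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# --- 2) Classic input endpoint ACL -----------------------------------------------
# Only if 1433 really must be reachable from outside the VNet; otherwise create no
# input endpoint for it. Once one Permit rule exists, every other source is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule Permit -RemoteSubnet '203.0.113.0/24' -Order 0 `
    -Description 'assumed office egress range' -ACL $acl

Get-AzureVM -ServiceName $ServiceName -Name $VmName |
    Add-AzureEndpoint -Name 'SQL' -Protocol tcp -LocalPort $SqlPort -PublicPort $SqlPort -ACL $acl |
    Update-AzureVM
# For an endpoint that already exists, use Set-AzureEndpoint with the same -ACL $acl.
```

The guest rule is what actually restricts traffic between VMs on the same VNet, which the endpoint ACL cannot do: endpoint ACLs only see traffic arriving through the public VIP.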
Author Comment by: IT-NYC
Btan,
Thanks for your post. Appreciate the details.
Yes, in my situation, it will be a SQL database running on an Azure Windows server.
So, the below should be my plan (after the -------)? The only part that's confusing is what you refer to as the caveat:
"To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source."
How do you read this?
-----------------------------------------------------
- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or Azure to Azure SQL Database server
- Control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases
- Block inbound connections on TCP port 1433 if inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

Thanks in advance!
Assisted Solution by: btan (earned 500 total points)
As long as the SQL is running live, the controls and filter rules should already be tested and in place. Likely you need some test images with dummy data as a staging instance in a separate LAN for a start.

As for the FW setting to allow a public IP, it simply means that when a PC attempts to connect to your database server from the Internet, the firewall checks the originating IP address of the request against the full set of server-level and (if required) database-level firewall rules. That can be configured. Overall, the intent is that the Azure SQL Database firewall prevents all access to your Azure SQL Database server until you specify which PCs or machines have permission. The firewall grants access based on the originating IP address of each request. I do see that it is unwise to expose direct SQL access to the Internet, and there should be consideration of some proxy fronting it for checks. Check out this summary: http://www.greensql.com/article/microsoft-sql-azure-database-security-best-practices

Ref:
Azure SQL Database Firewall
https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
How to: Configure Firewall Settings (Azure SQL Database)
https://msdn.microsoft.com/en-us/library/azure/jj553530.aspx
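The caveat the asker found confusing is about rule maintenance: the server-level rule that admits the application VM's public VIP silently stops matching when that VIP changes after a deallocation or a deleted deployment. The following is an added example, not code from the thread or from Microsoft, that keeps such a rule in sync, audits the server-level rules for over-broad ranges, and sets a narrower database-level rule through T-SQL. It uses the Azure Service Management cmdlets of the time (New-, Set- and Get-AzureSqlDatabaseServerFirewallRule, Get-AzureVM, Get-AzureEndpoint) and Invoke-Sqlcmd from the SQL Server tools; the server, cloud service, VM and database names are assumed placeholders, and reading the VIP from the VM's endpoint objects is an assumption about those cmdlets' output.

```powershell
# Added example, not from the thread. Keeps the Azure SQL Database server-level rule
# for an application VM's public VIP current, audits the rules for over-broad ranges,
# and adds a database-level rule. All names below are assumed placeholders.

$SqlServer   = 'mysqlserver'     # assumed: logical server (mysqlserver.database.windows.net)
$ServiceName = 'myappservice'    # assumed: cloud service hosting the application VM
$VmName      = 'appvm01'         # assumed
$RuleName    = 'app-vm-vip'

# The public VIP of the VM's cloud service is what Azure SQL Database sees as the
# originating address. Assumed: it is exposed as the Vip property of the VM's endpoints.
function Get-ServiceVip {
    param([string]$ServiceName, [string]$VmName)
    (Get-AzureVM -ServiceName $ServiceName -Name $VmName | Get-AzureEndpoint | Select-Object -First 1).Vip
}

# Create the rule on first run, update it when the VIP moved, leave it alone otherwise.
# Re-run after any deallocation or redeploy; an in-place upgrade keeps the VIP.
function Sync-VipFirewallRule {
    param([string]$SqlServer, [string]$RuleName, [string]$Ip)
    $null = [System.Net.IPAddress]::Parse($Ip)   # refuse anything that is not an address
    $existing = Get-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer |
                Where-Object { $_.RuleName -eq $RuleName }
    if ($existing -and $existing.StartIpAddress -eq $Ip -and $existing.EndIpAddress -eq $Ip) {
        return 'unchanged'
    }
    if ($existing) {
        Set-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName `
            -StartIpAddress $Ip -EndIpAddress $Ip | Out-Null
        return 'updated'
    }
    New-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName `
        -StartIpAddress $Ip -EndIpAddress $Ip | Out-Null
    return 'created'
}

# Audit: server-level rules are the outer gate, so report any that admit more than a
# /24. The 0.0.0.0-0.0.0.0 rule (AllowAllWindowsAzureIps) is the "allow Azure services"
# switch and admits every Azure tenant, not only yours, so it is reported separately.
function ConvertTo-UInt32Ip {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}
function Get-OverbroadRules {
    param([string]$SqlServer, [int64]$MaxAddresses = 256)
    foreach ($r in Get-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer) {
        $start = ConvertTo-UInt32Ip $r.StartIpAddress
        $end   = ConvertTo-UInt32Ip $r.EndIpAddress
        $count = [int64]$end - [int64]$start + 1
        if ($start -eq 0 -and $end -eq 0) {
            [pscustomobject]@{ Rule = $r.RuleName; Finding = 'allows all Azure services (any tenant)' }
        } elseif ($count -gt $MaxAddresses) {
            [pscustomobject]@{ Rule = $r.RuleName; Finding = "admits $count addresses" }
        }
    }
}

# Database-level rule, narrower than the server-level one; it is stored in the
# database itself, so it travels with the database. Values are validated before
# being placed in the T-SQL text.
function Set-DatabaseRule {
    param([string]$SqlServer, [string]$Database, [string]$RuleName, [string]$Ip, [pscredential]$Cred)
    $null = [System.Net.IPAddress]::Parse($Ip)
    if ($RuleName -notmatch '^[A-Za-z0-9_-]+$') { throw "rule name must be alphanumeric" }
    $q = "EXEC sp_set_database_firewall_rule N'$RuleName', '$Ip', '$Ip';"
    Invoke-Sqlcmd -ServerInstance "$SqlServer.database.windows.net" -Database $Database `
        -Username $Cred.UserName -Password $Cred.GetNetworkCredential().Password -Query $q
}

$vip = Get-ServiceVip -ServiceName $ServiceName -VmName $VmName
Sync-VipFirewallRule -SqlServer $SqlServer -RuleName $RuleName -Ip $vip
Get-OverbroadRules -SqlServer $SqlServer | Format-Table -AutoSize
```

Running Sync-VipFirewallRule from a scheduled task on the VM, or as the last step of any redeploy, is what turns the whitepaper's "administrator burden" into a routine check rather than an outage.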
Author Comment by: IT-NYC
Thanks, btan!