Solved

Protect port 1733 on Azure

Posted on 2015-02-20
208 Views
Last Modified: 2015-02-23
Hello,
Can someone recommend a good way to protect port 1733 for Azure's SQL VMs?
I am looking here.
http://azure.microsoft.com/blog/2014/03/28/network-isolation-options-for-machines-in-windows-azure-virtual-networks/, Option 1: Subnets within a Single Virtual Network
It says that:
"Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security, as depicted simply in the diagram below."
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-13-25/6574.ashwin-VN.png
Is that the case today?
If it is relevant to you, how have you addressed this?
Thanks!
Question by:IT-NYC
4 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40623014
VNet indeed has limitations:
Can I bring my VLANs to Azure using Virtual Network?
Virtual Networks are Layer-3 overlays. We do not support any Layer-2 semantics.

Can I specify custom routing policies on my virtual networks and subnets?
No. We do not support custom routing policies with virtual networks.

Can I use SQL DBs with virtual networks?
No. We do not support SQL DBs with virtual networks.

Can I define ACLs on my virtual networks?
No. We do not support ACLs for subnets within virtual networks. However, ACLs can be defined on input endpoints for virtual machines that have been deployed to a virtual network. Note: a virtual machine does not have to be deployed to a virtual network in order to define an ACL for the input endpoint.
https://msdn.microsoft.com/en-us/library/azure/dn133803.aspx

Also, I believe you are referring to port 1433 instead. For the Azure SQL Database service, other considerations to secure:

- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or from Azure to the Azure SQL Database server.
- To control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases.
- Block inbound connections on TCP port 1433. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

The Virtual Network Security whitepaper also speaks on this, with a caveat:
"To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source.

However, creating ACLs based on IP addresses is not ideal, since the ACLs must be updated any time the public virtual addresses change. This can result in service failures, and puts additional burden on the administrator. Public virtual IP addresses can change after compute resources are de-allocated when a virtual machine is shut down, or after a deployment is deleted. Using in-place upgrade enables administrators to deploy new versions of their service without the public IPs of the VMs changing."

- For more information on how to configure IP ACLs, see About Network Access Control Lists: http://go.microsoft.com/fwlink/?LinkId=386611
Azure SQL Database Firewall - https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
Azure SQL Database Connection Security - http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx#comment-4847
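Since the asker's case is SQL Server on an Azure Windows VM, here is an added example (not from the thread, not btan's) of the Windows Firewall with Advanced Security approach the accepted answer points to: TCP 1433 is allowed only from an assumed application-tier subnet 10.0.1.0/24, and everything else relies on the profile's default inbound Block. The subnet and rule names are placeholders.

```powershell
# Added example: restrict inbound TCP 1433 on a SQL Server VM inside an Azure VNet
# with Windows Firewall with Advanced Security (NetSecurity module, Server 2012+).
# Assumptions: app servers live in 10.0.1.0/24 (placeholder), the default SQL
# instance listens on TCP 1433, and this runs in an elevated session on the VM.

$AppSubnet = '10.0.1.0/24'   # assumed app-tier subnet; change to match your VNet

# 1. Every profile must drop inbound traffic that no allow rule matches; the
#    allow rule below only works as a whitelist when this default is Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing inbound allow rule for TCP 1433 (SQL setup or the
#    gallery image may have added one that permits any remote address, which
#    would silently widen the allowed source range).
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# 3. Allow TCP 1433 only from the app subnet. Do NOT add an explicit Block rule
#    for "Any": in Windows Firewall a block rule overrides a matching allow rule
#    regardless of creation order, so it would lock the app tier out as well.
New-NetFirewallRule -DisplayName 'SQL 1433 from app subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $AppSubnet -Profile Any -Action Allow -Enabled True

# 4. Verify: the address filter on the new rule should list only $AppSubnet.
Get-NetFirewallRule -DisplayName 'SQL 1433 from app subnet only' |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# 5. From another VM (Server 2012 R2 or later), confirm reachability matches
#    intent:  Test-NetConnection -ComputerName <sql-vm-private-ip> -Port 1433
#    TcpTestSucceeded should be True from the app subnet and False elsewhere.
```

The host firewall only filters what reaches the VM; if the VM also has a public input endpoint on 1433, remove it or put an endpoint ACL on it, as the accepted answer notes.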
 

Author Comment

by:IT-NYC
ID: 40626116
Btan,
Thanks for your post. Appreciate the details.
Yes, in my situation, it will be a SQL database running on an Azure Windows server.
So, the below should be my plan (after -------)? The only part that's confusing is what you refer to as the caveat:
"To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source."
How do you read this?
-----------------------------------------------------
- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or from Azure to the Azure SQL Database server.
- To control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases.
- Block inbound connections on TCP port 1433. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

Thanks in advance!
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40627150
As long as the SQL is running live, the controls and filter rules should already be tested and in place. Likely you need some test images with dummy data as a staging instance in a separate LAN for a start.

As for the FW setting to allow a public IP, it simply means that when a PC attempts to connect to your database server from the Internet, the firewall checks the originating IP address of the request against the full set of server-level and (if required) database-level firewall rules. That can be configured. Overall, the intent is that the Azure SQL Database firewall prevents all access to your Azure SQL Database server until you specify which PCs or machines have permission. The firewall grants access based on the originating IP address of each request. I do see that it is unwise to expose direct SQL access to the internet, and there should be consideration of some proxy fronting it for checks. Check out this summary - http://www.greensql.com/article/microsoft-sql-azure-database-security-best-practices

Ref-
Azure SQL Database Firewall
https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
How to: Configure Firewall Settings (Azure SQL Database)
https://msdn.microsoft.com/en-us/library/azure/jj553530.aspx
 

Author Comment

by:IT-NYC
ID: 40627313
Thanks, btan!