Solved

Protect port 1733 on Azure

Posted on 2015-02-20
181 Views
Last Modified: 2015-02-23
Hello,
Can someone recommend a good way to protect port 1733 for Azure's SQL VMs?
I am looking here:
http://azure.microsoft.com/blog/2014/03/28/network-isolation-options-for-machines-in-windows-azure-virtual-networks/, under Option 1: Subnets within a Single Virtual Network.
It says that:
"Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security, as depicted simply in the diagram below."
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-13-25/6574.ashwin-VN.png
Is that the case today?
If it is relevant to you, how have you addressed this?
Thanks!
Question by:IT-NYC
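As an added example, not part of the original question or of the linked Microsoft blog post, this PowerShell implements the blog's Option 1 on the SQL VM itself: because the classic VNet has no subnet ACL, the 1433 restriction has to live in Windows Firewall with Advanced Security. The application subnet 10.1.2.0/24 and the default port 1433 are assumed values; run it in an elevated session on the SQL Server VM.

```powershell
# Added example (not from the original thread): restrict TCP 1433 on a SQL Server VM
# with Windows Firewall with Advanced Security, because the classic VNet offers no
# subnet-level ACL. Assumed values: the application tier is in 10.1.2.0/24 and the
# SQL instance listens on the default port 1433. Run in an elevated session on the VM.
$AppSubnet = '10.1.2.0/24'
$SqlPort   = 1433

# 1. Default-deny inbound on every profile so only explicit allow rules admit traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any existing inbound allow rule that already opens 1433 (setup programs
#    often create one with RemoteAddress = Any), so the scoped rule below is the only
#    path. Rules whose LocalPort is 'Any' are not matched here; review those by hand.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SqlPort" } |
    Disable-NetFirewallRule

# 3. Allow 1433 only from the application subnet.
New-NetFirewallRule -DisplayName 'SQL Server 1433 from app subnet only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AppSubnet -Profile Any -Enabled True `
    -Description 'Scoped allow rule; the VNet itself has no subnet ACL' | Out-Null

# 4. Explicitly block SQL Browser (UDP 1434) so instance enumeration is not reachable
#    from anywhere; address named instances by a fixed port instead. A Block rule wins
#    over any Allow rule, so this holds even if an allow rule for 1434 appears later.
New-NetFirewallRule -DisplayName 'Block SQL Browser UDP 1434' `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort 1434 -Profile Any | Out-Null

# 5. Verify: every enabled inbound rule touching 1433 and the remote scope it allows.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SqlPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

The check that matters afterwards is the pair of results from the two sides: `Test-NetConnection -ComputerName <sql-vm> -Port 1433` should succeed from a machine in the application subnet and fail from any other subnet in the same VNet. That is the evidence the blog post's diagram relies on, since nothing in the VNet itself enforces it.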
4 Comments
LVL 62
Accepted Solution
by: btan (earned 500 total points)
ID: 40623014
VNet indeed has limitations:
Can I bring my VLANs to Azure using Virtual Network?
Virtual Networks are Layer-3 overlays. We do not support any Layer-2 semantics.

Can I specify custom routing policies on my virtual networks and subnets?
No. We do not support custom routing policies with virtual networks.

Can I use SQL DBs with virtual networks?
No. We do not support SQL DBs with virtual networks.

Can I define ACLs on my virtual networks?
No. We do not support ACLs for subnets within virtual networks. However, ACLs can be defined on input endpoints for virtual machines that have been deployed to a virtual network. Note: a virtual machine does not have to be deployed to a virtual network in order to define an ACL for the input endpoint.
https://msdn.microsoft.com/en-us/library/azure/dn133803.aspx

Also, I believe you are referring to port 1433 instead. For the Azure SQL Database service, other considerations to secure:

- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or Azure to Azure SQL Database server
- Control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases
- Block inbound connections on TCP port 1433 if inbound communications are not needed by any other applications on that computer; ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

The Virtual Network Security whitepaper also speaks on this, with a caveat:
"To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source.

However, creating ACLs based on IP addresses is not ideal, since the ACLs must be updated any time the public virtual addresses change. This can result in service failures, and puts additional burden on the administrator. Public virtual IP addresses can change after compute resources are de-allocated when a virtual machine is shut down, or after a deployment is deleted. Using in-place upgrade enables administrators to deploy new versions of their service without the public IPs of the VMs changing."

- For more information on how to configure IP ACLs, see About Network Access Control Lists: http://go.microsoft.com/fwlink/?LinkId=386611
Azure SQL Database Firewall - https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
Azure SQL Database Connection Security - http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx#comment-4847
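An added example, not from btan's post or from Microsoft, covering both controls named in the answer above: an endpoint ACL on a VM's input endpoint (the one ACL the classic VNet model supports, per the FAQ quoted) and the server-level plus database-level firewall rules of Azure SQL Database from the bullet list. It assumes the classic Azure PowerShell module of the time (Add-AzureAccount and Select-AzureSubscription already run) and Invoke-Sqlcmd from the SQLPS module; every service, VM, server, database name and IP address below is hypothetical.

```powershell
# Added example (not from the original thread). Part A restricts a VM's 1433 input
# endpoint with an endpoint ACL; Part B sets Azure SQL Database server-level and
# database-level firewall rules. Classic Azure PowerShell module (Add-AzureAccount /
# Select-AzureSubscription already done) and the SQLPS module for Invoke-Sqlcmd are
# assumed; every name and address below is hypothetical.

# ---- Part A: SQL Server on a VM, endpoint ACL on the 1433 input endpoint ----
$ServiceName = 'contoso-sql-svc'     # cloud service hosting the VM
$VmName      = 'sqlvm01'
$AdminCidr   = '203.0.113.0/24'      # the only public range allowed to reach the endpoint

$acl = New-AzureAclConfig
# Once any Permit rule exists, everything not matched by a rule is denied.
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $AdminCidr `
    -Order 100 -Description 'Admin range only'

Get-AzureVM -ServiceName $ServiceName -Name $VmName |
    Set-AzureEndpoint -Name 'SQL' -Protocol tcp -LocalPort 1433 -PublicPort 1433 -ACL $acl |
    Update-AzureVM

# Confirm the ACL is attached to the endpoint.
Get-AzureVM -ServiceName $ServiceName -Name $VmName |
    Get-AzureAclConfig -EndpointName 'SQL'

# ---- Part B: Azure SQL Database firewall, server level then database level ----
$SqlServer = 'xyz123abc'            # logical server: xyz123abc.database.windows.net
$AppVip    = '23.96.0.10'           # public VIP of the app tier's cloud service
$Database  = 'Orders'

# Server-level rule: exactly the app tier's VIP. Avoid 0.0.0.0-255.255.255.255, and
# treat -AllowAllAzureServices (a 0.0.0.0 rule) as "any Azure tenant", not "my VMs".
New-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName 'AppTier' `
    -StartIpAddress $AppVip -EndIpAddress $AppVip | Out-Null

# Database-level rule: the classic module has no cmdlet for it, so use T-SQL in the
# target database. The reporting host gets into 'Orders' only, not every database.
$cred = Get-Credential -Message "SQL login for $SqlServer"
$pw   = $cred.GetNetworkCredential().Password
Invoke-Sqlcmd -ServerInstance "$SqlServer.database.windows.net" -Database $Database `
    -Username $cred.UserName -Password $pw -EncryptConnection `
    -Query "EXEC sp_set_database_firewall_rule N'ReportingHost', '198.51.100.7', '198.51.100.7';"

# Review both layers.
Get-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer |
    Format-Table RuleName, StartIpAddress, EndIpAddress -AutoSize
Invoke-Sqlcmd -ServerInstance "$SqlServer.database.windows.net" -Database $Database `
    -Username $cred.UserName -Password $pw -EncryptConnection `
    -Query 'SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules;'
```

Part A only applies when the VM must keep a public input endpoint for 1433. An application VM in the same VNet reaches SQL Server over the internal DIP without any endpoint, so when no external client needs it, `Remove-AzureEndpoint -Name 'SQL'` is the stronger choice and the Windows Firewall rule on the VM becomes the only control that matters. In Part B the server-level rule is checked first; a database-level rule is consulted only when no server-level rule matches, which is why scoping the reporting host at database level keeps it out of the other databases on the same logical server.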

Author Comment
by: IT-NYC
ID: 40626116
Btan,
Thanks for your post. Appreciate the details.
Yes, in my situation, it will be a SQL database running on an Azure Windows server.
So, the below should be my plan (after -------)? The only part that's confusing is what you refer to as the caveat:
"To enable communication with the database, firewall rules must be defined in Windows Azure SQL Database allowing the public IP address of the VM in Windows Azure to communicate with the data source."
How do you read this?
-----------------------------------------------------
- Configure the Azure SQL Database firewall to create a server-level firewall setting that enables connection attempts from your computer or Azure to Azure SQL Database server
- Control access to certain databases in your Azure SQL Database server, create database-level firewall rules for the respective databases
- Block inbound connections on TCP port 1433 if inbound communications are not needed by any other applications on that computer; ensure that your firewall continues to block inbound connections on TCP port 1433.
- Only outbound connections on TCP port 1433 are needed for applications to communicate with Microsoft Azure SQL Database.

Thanks in advance!
LVL 62
Assisted Solution
by: btan (earned 500 total points)
ID: 40627150
As long as the SQL is running live, the controls and filter rules should already be tested and in place. Likely you need some test images with dummy data as a staging instance in a separate LAN for a start.

As for the FW setting to allow a public IP, it simply means that when a PC attempts to connect to your database server from the Internet, the firewall checks the originating IP address of the request against the full set of server-level and (if required) database-level firewall rules. That can be configured. Overall, the intent is that the Azure SQL Database firewall prevents all access to your Azure SQL Database server until you specify which PCs or machines have permission. The firewall grants access based on the originating IP address of each request. I do see that it is unwise to expose direct SQL access to the Internet, and there should be consideration of some proxy fronting it for checks. Check out the summary: http://www.greensql.com/article/microsoft-sql-azure-database-security-best-practices

Ref-
Azure SQL Database Firewall
https://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
How to: Configure Firewall Settings (Azure SQL Database)
https://msdn.microsoft.com/en-us/library/azure/jj553530.aspx
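To handle the caveat btan quotes from the whitepaper (a public VIP that changes after deallocation or redeployment silently invalidates an IP-based firewall rule, and the failure shows up as connection errors rather than as a security event), here is an added example, not part of the original thread, that re-reads the cloud service's current VIP and reconciles the Azure SQL Database server-level rule with it. It assumes the classic Azure PowerShell module, that the deployment object returned by Get-AzureDeployment exposes the VIP under VirtualIPs[].Address, and hypothetical service, server and rule names.

```powershell
# Added example (not from the original thread): reconcile an Azure SQL Database
# server-level firewall rule with the current public VIP of the cloud service that
# hosts the application tier. Assumes the classic Azure PowerShell module and that
# Get-AzureDeployment exposes the VIP as VirtualIPs[].Address. Names are hypothetical.
$ServiceName = 'contoso-web-svc'
$SqlServer   = 'xyz123abc'
$RuleName    = 'AppTierVip'

# Current VIP of the production deployment. If the service was deallocated and
# restarted, this may differ from what the rule was created with.
$dep = Get-AzureDeployment -ServiceName $ServiceName -Slot Production
$vip = $dep.VirtualIPs | Select-Object -First 1 -ExpandProperty Address
if (-not $vip) { throw "No VIP found for $ServiceName; is the deployment running?" }

# Existing rule, if any. Its start and end address are expected to be the single VIP.
$rule = Get-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName `
    -ErrorAction SilentlyContinue

if ($rule -and $rule.StartIpAddress -eq $vip -and $rule.EndIpAddress -eq $vip) {
    "Rule $RuleName already points at $vip; nothing to do."
}
elseif ($rule) {
    # Drift detected: the old address no longer belongs to this service and must not
    # stay permitted, so replace the rule in place rather than adding a second one.
    "VIP drift: rule $RuleName has $($rule.StartIpAddress), deployment now at $vip; replacing."
    Set-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName `
        -StartIpAddress $vip -EndIpAddress $vip | Out-Null
}
else {
    "Rule $RuleName missing; creating it for $vip."
    New-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName `
        -StartIpAddress $vip -EndIpAddress $vip | Out-Null
}

# Final state, so the run leaves an auditable record of what is permitted.
Get-AzureSqlDatabaseServerFirewallRule -ServerName $SqlServer -RuleName $RuleName |
    Format-Table RuleName, StartIpAddress, EndIpAddress -AutoSize
```

Run this from the deployment pipeline after every start or redeploy of the application service, not on a timer, so the window in which the rule points at a stale (and possibly someone else's) address is as short as possible. If the deployment can use a reserved IP instead, the VIP no longer drifts and this reconciliation is unnecessary.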

Author Comment
by: IT-NYC
ID: 40627313
Thanks, btan!