Using SQL Server online


Just looking for general advice.
I've seen quite a few times people advise that it isn't good to open SQL Server to the internet.
We have a few Amazon RDS and EC2 SQL Server instances and I'm wondering what the best practices for keeping these reasonably secure would be?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Koen Van WielinkBusiness Intelligence SpecialistCommented:
Hi Stuart,

While I'm certainly no expert, based on my research on this topic you basically have 2 choices. The most secure setup is a VPC (virtual private cloud) which allows you to completely control and configure a virtual network which is logically separated from the rest of Amazon. You basically get the same functions and control as an on-premise setup, with for example the options to create private and public facing subnets for your specific requirements. Hardware VPN is also an option then to connect to this network.
If that's not an option for you, then you have to use Amazon's standard security groups. In that case best practice is I believe to only open TCP access to specific IP addresses from your local on-premise network. This way only your own servers can reach your Amazon databases and no one else. You can define additional rules in your security groups to fine-tune your data access.
Hope this helps.
DiscoStubaccaAuthor Commented:
Ok, so in one situation we have our main local client server application/database.
We also have a web application, however we don't want the web application directly connected to the local server so we have an Amazon AWS SQL Server which the web application connects to.
The local server sends the required data up to the Amazon server.
From what you are saying I'm thinking that the Amazon server should have access restricted to the web applications IP address and the local servers IP address only, is that right?

Koen Van WielinkBusiness Intelligence SpecialistCommented:
Hi Stuart,

Based on what I've read, that's indeed the case. You want to restrict inbound connections for the data replication from local to cloud to  your company's public IP address (I assume you have at least 1 or 2 fixed IP's for this purpose).  This way only traffic from your internal network would be able to get to the server (if you want server to server connectivity only I think you have to go with the VPC option and configure a VPN between your network and Amazon, so that your internal IP addresses are recognizable on Amazon). For outbound connections you'd allow traffic to flow only to your web application server (if that's running on AWS as well than that should be easy enough).
I personally find the documentation AWS provides pretty clear. Here's their link to VPC:

and here's a similar link to get started with Security groups:

Good luck.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2008

From novice to tech pro — start learning today.