not just a cloud version of SQL Server – NESQL

Azure SQL Database: Not just a cloud version of SQL Server
New England SQL Event
24-June-2016
Bill Wilder, CTO
@codingoutloud
1. High Level Comparison to SQL Server
2. Most Important Slide about the differences
3. Drill into random interesting capabilities
4. Securing
5. Some demos
Azure SQL DB IS SQL Server (diagram: SQL Server | Common | Azure SQL DB innovation on top of the shared core)
“Just change the connection string…”
Additional information on differences:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-transact-sql-information/

• Demo: Create a SQL DB from PowerShell
• Demo: Meet the Portal (portal.azure.com)
• Demo: Create a SQL DB from portal
• Demo: (LATER) Delete all demo resources at once

1. Single Team – Cloud First
2. Core Code Base
3. Transact-SQL
   • Yes, full support
   • https://feedback.azure.com/
4. Most of the features
5. Mature

Category 1: Takes a different approach
   • Example: SQL Agent
Category 2: On the way
   • Network support: not there yet, but in the works…
Category 3: No plan (?)
   • https://feedback.azure.com/

Azure SQL Database                              | SQL Server
1. Control Plane (ARM, API, Scripting, Portal)  | 1. Installed/locked up
2. Storage ecosystem                            | 2. “The database”
3. Limited vertical scale (1 TB)                | 3. Unlimited* (*available hardware: 16 TB VM?)
4. License (pay) by hour                        | 4. Box License (or VM)
5. Manageability over control                   | 5. Control over manageability

ARM / Resource Groups / ARM Templates
1. Model based + imperative
2. Your DB can live with other resources, spanning regions
3. DB in exactly 1 RG, but there’s a linking mechanism
4. Lifecycle, monitoring, admin access
Links:
1. http://armviz.io/#/
2. https://github.com/Azure/azure-quickstart-templates
3. https://portal.azure.com/

(Figure: deployment models. Public Cloud in a public cloud data center; Hybrid Cloud; Private Cloud in your company data center.)

1. Server management is so easy that it is not available!
   • You control schema, indexes, users, etc. as usual
   • PaaS model
2. 99.95% uptime SLA (one instance)
3. Geo-DR/FO/BC (Active/Passive): geo disaster recovery, failover and business continuity
4. Active Geo-Replication (Active/Active, secondaries are read-only)
5. Backups, PiTR (point-in-time restore)
6. ARM

1. Data Lakes, Pooled SQL Instances
   • Elastic database tools
2. Data Warehouse
3. Hadoop Connector
4. Blob Storage – files
5. Table Storage, DocumentDB – NoSQL
6. Third Party Storage Solutions (e.g., Mongo)
   • https://azure.microsoft.com/en-us/services/#

Performance
https://azure.microsoft.com/en-us/documentation/articles/sql-database-monitoring-with-dmvs/
http://dtucalculator.azurewebsites.net/
Demo: DTU definition
https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/#understanding-dtus

Pricing
Demo: Pricing options
https://azure.microsoft.com/en-us/pricing/
   • https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/

“[Cloud security] is a shared responsibility between the customer and the cloud vendor.”
– Mark Russinovich, Microsoft Azure CTO

https://www.rsaconference.com/writable/presentations/file_upload/exp-
Code Spaces: ELAPSED TIME 12 HOURS
1. DDoS
2. Ransom demand
3. Security breach noticed
4. Fighting back
5. Malicious destruction of assets
6. Security & Business #fail
   • https://aws.amazon.com/iam/details/mfa/
http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/
“Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”

Data plane (data access) vs. management/control plane (Portal, APIs, PowerShell)

Risk                                     | Mitigation
Internet Exposed RDP or SSH Endpoints    | Network ACLs or Host-based Firewall; Strong passwords; VPN or SSH Tunnels
Virtual Machine Missing Security Patches | Keep Automatic Updates Enabled
Web Application Vulnerability            | Securing Azure Web Applications; Vulnerability scan/penetration test
Weak Admin/Co-Admin Credentials          | Azure Multi-Factor Authentication; Subscription Management Certificate
Unrestricted SQL Endpoint                | Azure SQL Firewall
Storage Key Disclosure                   | Manage Access to Storage Resources
Insufficient Security Monitoring         | Azure Security and Log Management
Source: https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf

• Co-Admin only option on Classic Portal
• RBAC only available on portal.azure.com
• New portal support not 100%
• Demo: Add a Reader to Azure SQL DB Server
• Resources:
• https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/
• https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
1. Research & Development – “Microsoft invests >$1B dollars in security R&D, every year.” –Satya Nadella, CEO, Microsoft
2. Microsoft Acquisitions – Adallom, Aorato, others
http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/

Protecting the Management/Control Plane
• Demo: MFA: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
• Demo: App Passwords: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
• Demo: App Password Configuration: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

Managing the Control Plane
• Azure Account contains…
  • Azure Subscription contains…
    • Azure Resource Group contains…
      • SQL Database Server contains…
        • Logical construct
        • Anchored in a single region (but an RG can span many resources, many regions)
        • SQL Database
          • Physical construct

Protecting Your SQL Database
Azure Security Center is a service – “Azure Security Center, now in private preview, works with companies like Barracuda, Checkpoint, Cisco Systems Inc., CloudFlare, F5 Networks, Fortinet, Imperva, Incapsula, and Trend Micro Inc. to offer advanced, analytics-driven threat detection that helps you protect, detect and respond to security threats in real-time.”
Alert: “VM X and DB Y are not secure”
Alert: “Asset Z has been compromised”
http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/
• Demo: RBAC Permissions
• Demo: Azure Security Center
• Demo: Delete a Resource Group

https://azure.microsoft.com/en-us/documentation/security/#

• Demo: SQL DB Server firewall (server-level rules, stored in master: sp_set_firewall_rule)
• Database level: sp_set_database_firewall_rule (rules stored in the user database itself)

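The firewall demo above, as an added T-SQL example that is not part of the original deck: server-level rules are set from master with sp_set_firewall_rule, database-level rules from inside the user database with sp_set_database_firewall_rule, and the two catalog views show what is currently open. The rule names and IP ranges are constructed for illustration.

```sql
-- Added example (not from the original deck). Rule names and IP ranges are made up.

-- 1. Server-level rules: run while connected to master as the server admin.
--    They apply to every database on the logical server.
EXECUTE sp_set_firewall_rule
    @name             = N'OfficeEgress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- Anti-pattern, shown only so it is recognised in an audit: this is the
-- "Unrestricted SQL Endpoint" risk from the table above. Do not create it.
-- EXECUTE sp_set_firewall_rule @name = N'AllowAll',
--     @start_ip_address = '0.0.0.0', @end_ip_address = '255.255.255.255';

-- The portal's "Allow access to Azure services" switch is stored as a rule whose
-- start and end address are both 0.0.0.0. It admits traffic from any Azure
-- tenant's resources, not just yours, so treat it as a wide-open rule too.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules
ORDER BY name;

-- Remove a server-level rule that is no longer needed.
EXECUTE sp_delete_firewall_rule @name = N'OfficeEgress';

-- 2. Database-level rules: run while connected to the user database (not master).
--    They are scoped to that one database and are stored in it, so they move with
--    the database, for example to a geo-replicated secondary.
EXECUTE sp_set_database_firewall_rule
    @name             = N'AppTierOnly',
    @start_ip_address = '198.51.100.5',
    @end_ip_address   = '198.51.100.5';

SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;

EXECUTE sp_delete_database_firewall_rule @name = N'AppTierOnly';
```

A connection is admitted if it matches either a server-level or a database-level rule, so reviewing only the portal's server list can miss per-database openings; query both views when auditing.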
• Dynamic Data Masking: https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/
  • Server-side: the mask is applied to query results; the stored data is unchanged

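The server-side masking above, as an added T-SQL example that is not part of the original deck: a constructed dbo.Customers table with masked columns, a low-privilege support_reader user that sees masked output, and the UNMASK grant that turns the mask off. Table, user and the sample row are all illustrative.

```sql
-- Added example (not from the original deck). Table, user and data are constructed.

CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(254) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CardNumber char(16)      MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)') NOT NULL,
    Phone      varchar(20)   MASKED WITH (FUNCTION = 'default()') NULL
);

INSERT INTO dbo.Customers (FullName, Email, CardNumber, Phone)
VALUES (N'Ada Lovelace', N'ada@example.com', '4111111111111111', '+1-555-0100');

-- A mask can also be added to a column that already exists.
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"...",0)');

-- A support role that may read the table but must not see raw values.
CREATE USER support_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO support_reader;

-- Impersonate that user: the masked form comes back, e.g.
--   A...   aXXX@XXXX.com   XXXXXXXXXXXX1111   XXXX
EXECUTE AS USER = 'support_reader';
SELECT FullName, Email, CardNumber, Phone FROM dbo.Customers;
REVERT;

-- Caveats a practitioner should know:
--  * Masking is a presentation control, not encryption. The stored bytes are the
--    real values, and members of db_owner (and the server admin) always see them.
--  * It applies only to result sets. A user can still filter on the real value
--    (WHERE CardNumber LIKE '4111%') and infer it, so pair it with column-level
--    permissions rather than relying on it alone.
--  * UNMASK switches the mask off for a principal; grant it sparingly.
GRANT UNMASK TO support_reader;    -- support_reader now gets plaintext
REVOKE UNMASK FROM support_reader;

-- Inventory: which columns in this database carry a mask, and which function?
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```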
• Demo: Transparent Data Encryption
  • Server-side: encrypts data files, logs and backups at rest; transparent to every principal that can query the database
• Always Encrypted: https://azure.microsoft.com/en-us/updates/public-preview-always-encrypted-for-azure-sql-database/
  • Client-side: the client driver encrypts and decrypts; the column keys are never available in plaintext to the server

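An added example, not from the original deck, contrasting the two controls: enabling and verifying TDE on a database, then the DDL shape of an Always Encrypted column. SalesDb, dbo.Patients and CEK1 are illustrative names. The Always Encrypted part assumes the column master key and the column encryption key CEK1 have already been provisioned from the client side (SSMS or PowerShell), because the ENCRYPTED_VALUE of a CEK is produced by a client holding the master key, never by plaintext T-SQL on the server.

```sql
-- Added example (not from the original deck). Names are illustrative.

-- ===== Transparent Data Encryption (server-side, at rest) =====
-- Run from master as the server admin. Newer Azure SQL databases have TDE on by
-- default; the same statements still serve to verify it.
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;

-- Encryption runs in the background. Connected to SalesDb, poll until
-- encryption_state = 3 (ENCRYPTED).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,      -- 1 unencrypted, 2 in progress, 3 encrypted, 5 decrypting
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;

-- Quick yes/no for every database on the server (from master).
SELECT name, is_encrypted FROM sys.databases;

-- What TDE does NOT do: anyone who can SELECT still reads plaintext, so it is no
-- defence against a stolen admin login or SQL injection. That gap is what
-- Always Encrypted addresses.

-- ===== Always Encrypted (client-side, in use) =====
-- Assumes CEK1 already exists (created from the client with its wrapped key value).
-- Deterministic encryption allows equality lookups but requires a BIN2 collation
-- and leaks equality of values; randomized is stronger but not searchable.
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK1,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Diagnosis nvarchar(200)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK1,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);

-- Audit which columns are protected and by which key. A plain SELECT on these
-- columns from a connection without "Column Encryption Setting=Enabled" and
-- access to the master key returns ciphertext, which is the point.
SELECT OBJECT_NAME(c.object_id) AS table_name,
       c.name                   AS column_name,
       c.encryption_type_desc,
       cek.name                 AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id;

SELECT name FROM sys.column_master_keys;
```

Because the master key lives with the client (certificate store or Azure Key Vault), a DBA or an attacker with the server admin password sees only ciphertext; in exchange, the application must use a driver that supports Always Encrypted and server-side operations on those columns are limited to equality on deterministic ones.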
Blob Storage & Azure Key Vault

More Blob Storage & Azure Key Vault

Disaster Recovery and Business Continuity
   • https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0

Privacy & Compliance

Compliance
• Security vs. Compliance
• Microsoft, Azure, Azure Government: strong compliance story
• https://www.microsoft.com/en-us/TrustCenter/Compliance/

Privacy
• Dublin Email: Microsoft (+10 amicus briefs) fighting a US Gov’t SCA extra-territorial subpoena for customer email data in Dublin (since 2013)
• Data Trustee Model: “German data trustee, Deutsche Telekom, will control and oversee all access to customer data” for Microsoft
  https://news.microsoft.com/europe/2015/11/11/45283/

Where’s My Azure?
• Demo: (as mentioned earlier) Delete all demo resources at once

Find this slide deck here
Bill Wilder
@codingoutloud
[email protected]
blog.codingoutloud.com
linkedin.com/in/billwilder
See you at Boston Azure: bostonazure.org