Microsoft’s database offering on its cloud computing platform, SQL Azure, offers cost-effective, easily scalable, highly available database functionality with almost no management overhead.
While Microsoft offers tools to ease the development of SQL Azure applications, it is important to not forget security considerations to make sure the application is reliable and secure.
It is important to know that SQL Azure (based on the SQL Server engine) uses the Tabular Data Stream (TDS) protocol, which means it is only accessible by TCP on port 1433.
SQL Azure provides encrypted SQL communication between the cloud database and the host. All communication requires encryption at all times. Firewall rules help restrict communication to certain machines/IPs. Additionally, SQL Azure supports account-level access.
Machines running client applications will need to open up port 1433 over TCP to allow outbound connections to SQL Azure databases. Even though a SQL Azure instance might appear to reside at a particular address, it is wise to whitelist all of the Microsoft public network addresses, in case operational considerations require reassignment of the IP address. The Microsoft public address range is from 220.127.116.11 to 18.104.22.168.
On the server side, you can use the Windows Azure Management Portal to specify the permitted IPs.
When you create a new server, you can specify an IP range that is authorized/denied permission to connect to the server.
Windows Azure: Create Server
You can also permit other Windows Azure services to access the server by selecting the checkbox.
To specify an IP range, click the Add button.
Specify an IP range
You can specify the rule name and the IP range you want to allow access to the server.
Once you specify an IP range, that IP range will be permitted to access the server. If you have a SQL Azure client application, you can specify your external IP and test that the server-side firewall allows your IP. If you try to access the SQL Azure database from other IP addresses, you will not be allowed.
Note that once you specify a firewall rule, it can take up to 5 minutes before the rule is enforced.
Common Troubleshooting Tips
NAT Translation: If you are having issues connecting, make sure your NAT is set up properly.
Unauthorized user: If the user is not allowed read permission on the SQL Azure server, the connection can be denied.
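An offline check for the firewall rules and the NAT tip above, added here as an example and not taken from Microsoft or the original article: it audits a list of start-end rules for inverted, overly wide or private-address ranges and reports which rules admit a given client IP. The rule names, sample addresses and the 256-address threshold are constructed, and it assumes the "other Windows Azure services" checkbox is stored as a 0.0.0.0 to 0.0.0.0 rule, which this page does not state.

```python
import ipaddress

# Constructed sample rules (name, start, end) using documentation/private ranges.
SAMPLE_RULES = [
    ("office", "203.0.113.10", "203.0.113.20"),
    ("azure-services", "0.0.0.0", "0.0.0.0"),
    ("temp-debug", "0.0.0.0", "255.255.255.255"),
    ("typo", "198.51.100.50", "198.51.100.5"),
    ("laptop", "192.168.1.25", "192.168.1.25"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_ADDRESSES = 256  # hypothetical review threshold, not a SQL Azure limit


def audit_rule(start, end, max_addresses=MAX_ADDRESSES):
    """Return the findings for one inclusive start-end firewall rule."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        return ["inverted range: start is above end"]
    if int(lo) == 0 and int(hi) == 0:
        # Assumption: this is how the "other Windows Azure services" box is stored.
        return ["0.0.0.0 rule: admits Windows Azure services, not a single host"]
    findings = []
    size = int(hi) - int(lo) + 1
    if size == 2 ** 32:
        findings.append("covers the entire IPv4 space")
    elif size > max_addresses:
        findings.append(f"wide range: {size} addresses")
    if any(lo in net or hi in net for net in RFC1918):
        # Behind NAT the server sees the external address, so this rule will not match.
        findings.append("private address: use the external (post-NAT) IP")
    return findings


def audit(rules):
    """Map each rule name to its findings (empty list means nothing flagged)."""
    return {name: audit_rule(start, end) for name, start, end in rules}


def matching_rules(client_ip, rules):
    """Names of the rules whose inclusive range contains client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    return [name for name, start, end in rules
            if ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end)]


if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(rule, findings or "ok")
    print(matching_rules("203.0.113.15", SAMPLE_RULES))
```

A client IP that matches only a broad rule such as the constructed "temp-debug" entry is a sign that the narrower rule intended for it is missing or mistyped.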
In this article, we learned about ways we can secure a SQL Azure application. I hope you have found this information useful.