Azure SQL seems easy and straightforward to use, but there is a set of steps needed to make it truly reliable and properly secured. This talk covers the following three important topics.
IaaS is an essential part of Azure, and a proper set of environment scripts can really save the day; you can also do useful things with T-SQL instead of the Azure portal.
Are you ready for a disaster? Has your team run a proper drill? I'm sure you have, but in case you need a few tips and a checklist, you will get them. Usually, proper monitoring (including network impact), profiling and alerts are introduced only after the first production issue.
Security is a hot topic these days, and there are a few steps to secure your Elastic cluster the proper way; a plain Azure SQL Server firewall might not be enough. Overview of security measures with best practices: vNet, user role isolation, encryption at rest, secret maintenance with Key Vault, Security Center.
Securing and maintaining Azure SQL
1. Securing and maintaining Azure SQL
Stanislav Lebedenko
Senior software developer @ Sigma Software
2. SQLSat Kyiv Team
Eugene Polonichko
Mykola Pobyivovk
Yevhen Nedashkivskyi
Oksana Tkach
Oksana Borysenko
Denis Reznik
Anton Artomov
8. Script them all
Don't rely on UI
Script your environments
Script your processes
Test all your infrastructure scripts.
9. Know business continuity requirements
01 | Point in time recovery (PITR).
02 | Long time backup retention (LTR).
03 | Mean time to recovery (MTTR).
04 | Restore of the deleted database.
05 | How long are backups kept.
06 | Active geo-replication.
07 | Auto-failover groups.
08 | Script them all :).
11. Use T-SQL for platform maintenance
01 | Scale up and scale down with plain Transact-SQL
ALTER DATABASE MyAzureDb MODIFY (Edition='basic', Service_objective='basic')
02 | Know your options, i.e. special views in master DB
sys.dm_operation_status
03 | Set up your Azure firewall via T-SQL
sys.firewall_rules
04 | Always test your T-SQL on a copy
Clone and test your system T-SQL scripts on a periodic basis.
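The statements named on this slide, carried through as one maintenance pass (an added example, not part of the original deck). MyAzureDb is the slide's placeholder; the rule names and the IP address are constructed, and sys.database_service_objectives, sp_set_firewall_rule and sp_delete_firewall_rule are Azure SQL objects the slide does not mention.

```sql
-- Added example, not from the deck. MyAzureDb is the slide's placeholder;
-- the rule names and the IP address below are constructed.
-- Run everything while connected to the logical server's master database.

-- 1. Request the scale change. The statement returns at once and the
--    operation continues asynchronously.
ALTER DATABASE MyAzureDb MODIFY (EDITION = 'basic', SERVICE_OBJECTIVE = 'basic');

-- 2. Follow the operation until state_desc reports COMPLETED or FAILED.
SELECT TOP (5) operation, state_desc, percent_complete,
       error_code, error_desc, start_time, last_modify_time
FROM sys.dm_operation_status
WHERE resource_type_desc = 'Database'
  AND major_resource_id = 'MyAzureDb'
ORDER BY start_time DESC;

-- 3. Confirm the tier that is actually in effect.
SELECT d.name, slo.edition, slo.service_objective
FROM sys.databases AS d
JOIN sys.database_service_objectives AS slo
  ON slo.database_id = d.database_id
WHERE d.name = 'MyAzureDb';

-- 4. Review server-level firewall rules and flag the two widest ones.
SELECT name, start_ip_address, end_ip_address, modify_date,
       CASE
         WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
           THEN 'allows connections from all Azure services'
         WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
           THEN 'open to every IPv4 address'
         ELSE 'scoped range'
       END AS finding
FROM sys.firewall_rules
ORDER BY modify_date DESC;

-- 5. Add a single-address rule and drop a rule that is no longer needed.
EXECUTE sp_set_firewall_rule
        @name = N'office-egress',
        @start_ip_address = '203.0.113.10',
        @end_ip_address = '203.0.113.10';
EXECUTE sp_delete_firewall_rule @name = N'temporary-rule';
```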
12. Know the difference
Portal
Easiest of three
Azure CLI
Primary tool. Command line interface via bash
PowerShell
For all other cases. Actually has everything you need, but the resulting code is lengthier
13. Understand your workloads
Disable Automatic tuning if you have any doubts
Adjust tune levels via stored procedures.
Run auto tuning on DB clones
14. Understand key impact factors
01 | Performance tier
02 | Performance optimization
03 | Network issues
05 | Choose your metrics
06 | Identify what you don't measure.
17. Database monitoring
1 Create dedicated Azure Log Analytics workspaces.
2 Enable diagnostics telemetry and stream it.
3 Set up audit logging and disable after setup.
4 Add your custom metrics and alerts
5 Same steps for SQL Server too
6 Disable everything you don't need, to save costs.
18. Database auditing
1 Use separate Azure Log Analytics workspace.
2 Relatively lower impact.
3 Set up audit logging and disable after setup.
4 Enable Advanced Data Security.
5 Create alerts for your metrics.
6 Consider impact and cost twice, before disabling Audit.
24. High availability and disaster recovery HADR
01 | Check your SLA! Start with simple and cheap disaster recovery plans.
02 | Use basic backups with PITR, LTR and different region LTR.
03 | Prepare automated restore and validation jobs with infrastructure scripts.
04 | Run these jobs and receive reports on a weekly basis.
05 | Design for high availability with LRS, ZRS, GRS and RA-GRS (but be realistic).
06 | Consider Geo-replication and Auto-failover groups.
07 | Test your mean time to recovery MTTR with actual drills.
08 | Run drills for DBA, DevOps and Software engineers.
27. Azure security center
Global picture with gamification
Free and Standard tiers
Advanced cloud defence
Policy and compliance checks
Resource security hygiene
Threat protection and alerts
Automation via Playbooks
29. Securing your Azure SQL
01 | Double check encryption at rest
02 | Make sure that blob storage is secured
03 | Test security alerts.
04 | SQL Server firewall is not enough
05 | Keep user access rights at minimum
06 | Use Network Security Groups (NSGs)
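Two of the checks on this slide, encryption at rest and minimal user rights, written as T-SQL a reviewer can run (an added example, not part of the original deck). The principal name my-app-identity is hypothetical, and the list of roles and permissions treated as high-privilege is an assumption to adjust per environment.

```sql
-- Added example, not from the deck. [my-app-identity] is a hypothetical
-- managed identity name; the role and permission lists are assumptions.

-- 1. In master: TDE flag for every database on the logical server
--    (master itself cannot be encrypted by TDE in Azure SQL Database).
SELECT name, is_encrypted, create_date
FROM sys.databases
WHERE name <> N'master'
ORDER BY is_encrypted, name;

-- 2. In each user database: encryption_state = 3 means encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();

-- 3. In each user database: who holds the high-privilege fixed roles.
SELECT r.name AS role_name, m.name AS member_name,
       m.type_desc, m.authentication_type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin',
                 N'db_accessadmin', N'db_ddladmin')
ORDER BY r.name, m.name;

-- 4. Broad permissions granted directly, outside of role membership.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state IN ('G', 'W')
  AND pe.permission_name IN (N'CONTROL', N'ALTER ANY USER',
                             N'ALTER ANY ROLE', N'IMPERSONATE')
ORDER BY pr.name, pe.permission_name;

-- 5. Least privilege for an application: a contained user mapped to its
--    managed identity, read-only. Requires a connection authenticated
--    as the server's Azure AD administrator.
CREATE USER [my-app-identity] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [my-app-identity];
```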
32. Azure key vault
Keep your secrets safe
All-in-one solution for secrets
Store connection strings
Logins and passwords
Use Azure managed identity for application access to keys
Create your own Key Vault in a separate resource group
33. Network security
01 | Think and plan before deploying NSG.
02 | Get in touch with your team.
03 | Prepare security rule set.
04 | Set up alerts
05 | Run load tests and measure response time
35. Summary
Monitor your solution
Set up proper monitoring and multi-level proactive alerts
Prepare HADR solution
Know your SLA. Prepare an adequate high availability and data recovery solution
Security is a challenge
Securing only Azure SQL Server is not enough anymore, learn to use the tools and practices provided by Azure
Be ready to troubleshoot
Prepare tools and troubleshooting scenarios firsthand, don't wait for a disaster to do it