- Azure for Architects
- Ritesh Modi
- 427 characters
- 2021-07-02 13:17:18
Azure SQL
Azure SQL stores relational data on Azure. It is a SaaS offering that provides a highly available, scalable, performance-centric, and secure platform for storing data. It is accessible from anywhere, from any programming language and platform. Clients connect to it with a connection string that comprises the server name, the database name, and the security (credential) information.
Azure SQL provides firewall settings that, by default, deny access to everyone. IP addresses and ranges must be whitelisted before they can reach the server, and only addresses that architects are confident belong to customers or partners should be whitelisted. Some deployments in Azure either have a large number of IP addresses or use addresses that are not known in advance, such as applications deployed in Azure Functions or Logic Apps. To let such applications reach Azure SQL, Azure SQL offers a single setting that whitelists all IP addresses belonging to Azure services, across all subscriptions.
Note that the firewall configuration is at the server level, not the database level. Any change made here therefore affects every database within that server.
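The server-level rules described above, as an added example that is not from the book: the statements run while connected to the logical server's master database, and the rule names and 203.0.113.x addresses are constructed placeholders (203.0.113.0/24 is a documentation range). The last query is a review check that flags the broad rules, including the one that backs the "allow all Azure services" setting.

```sql
-- Added example (not from the book). Run in the logical server's master database.
-- Rule names and addresses are constructed placeholders.

-- Allow a single partner egress address. sp_set_firewall_rule creates the rule,
-- or updates it if a rule with that name already exists.
EXECUTE sp_set_firewall_rule
    @name             = N'partner-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Allow a small office range rather than a wide block.
EXECUTE sp_set_firewall_rule
    @name             = N'office-range',
    @start_ip_address = '203.0.113.32',
    @end_ip_address   = '203.0.113.47';

-- The portal setting "Allow Azure services and resources to access this server"
-- is stored as the rule below: the 0.0.0.0-0.0.0.0 range is special-cased to
-- mean "any Azure service, from any subscription", not only your own.
-- Create it only when the callers' addresses really cannot be enumerated.
EXECUTE sp_set_firewall_rule
    @name             = N'AllowAllWindowsAzureIps',
    @start_ip_address = '0.0.0.0',
    @end_ip_address   = '0.0.0.0';

-- Review check: list every rule and flag the allow-all-Azure rule and any
-- range wider than a /24, so over-permissive entries stand out.
-- PARSENAME(x, 4) returns the first dotted part, PARSENAME(x, 1) the last.
SELECT  name,
        start_ip_address,
        end_ip_address,
        CASE
            WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
                THEN 'any Azure service (all subscriptions) - review'
            WHEN PARSENAME(start_ip_address, 4) <> PARSENAME(end_ip_address, 4)
              OR PARSENAME(start_ip_address, 3) <> PARSENAME(end_ip_address, 3)
              OR PARSENAME(start_ip_address, 2) <> PARSENAME(end_ip_address, 2)
                THEN 'wider than a /24 - review'
            ELSE 'ok'
        END AS review
FROM    sys.firewall_rules
ORDER BY name;

-- Remove a rule that is no longer needed. Because the rules live at the server
-- level, this change applies to every database on the server.
EXECUTE sp_delete_firewall_rule @name = N'office-range';
```

Running the review query on a schedule, and alerting when a row other than `ok` appears, is a cheap way to catch a rule that was widened "temporarily" and never tightened again.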
Azure SQL also provides enhanced security by encrypting data at rest. This ensures that nobody, including Azure data center administrators, can view the data stored in SQL Server. The technology SQL Server uses to encrypt data at rest is known as Transparent Data Encryption (TDE). No changes are required at the application level to implement TDE: SQL Server encrypts data transparently as the user writes it and decrypts it as the user reads it. This feature is available at the database level.
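Checking and enabling TDE for one database, as an added example that is not from the book. It runs in the user database being checked; the database name `SalesDb` is a constructed placeholder.

```sql
-- Added example (not from the book). Run while connected to the user database.
-- [SalesDb] is a constructed placeholder name.

-- Is encryption on, and has the background encryption scan finished?
-- encryption_state: 0 = no key, 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted, 4 = key change in progress, 5 = decryption in progress.
SELECT  DB_NAME(d.database_id)  AS database_name,
        d.is_encrypted,
        k.encryption_state,
        k.percent_complete,
        k.encryptor_type,   -- CERTIFICATE = service-managed key, ASYMMETRIC KEY = customer-managed key
        k.key_algorithm,
        k.key_length
FROM    sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
        ON k.database_id = d.database_id
WHERE   d.database_id = DB_ID();

-- Enable TDE for the database. No application change is needed: pages are
-- encrypted on write and decrypted on read. In Azure SQL Database the
-- service-managed protector is supplied for you, so no CREATE DATABASE
-- ENCRYPTION KEY step is required.
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;

-- Re-run the query above until encryption_state = 3 before treating the
-- database as fully encrypted at rest; until then older pages are still clear.
```

Newly created Azure SQL databases have TDE switched on by default, so in practice the first query is a guard against someone having turned it off, and `is_encrypted = 0` on a production database is a finding worth alerting on.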
SQL Server also provides Dynamic Data Masking (DDM), which is especially useful for masking certain types of data, such as credit card numbers or user PII. Masking is not the same as encryption. Masking does not encrypt the data; it only obscures it in query results so that it is not in a human-readable format. Users should both mask and encrypt sensitive data in Azure SQL.
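Dynamic Data Masking applied to a constructed `Customers` table, as an added example that is not from the book. The table, column, and user names are placeholders and the rows are constructed sample data (the card numbers are standard test values, not real cards).

```sql
-- Added example (not from the book). Table, columns, user and data are constructed.

CREATE TABLE dbo.Customers
(
    CustomerId   INT IDENTITY(1,1) PRIMARY KEY,
    FullName     NVARCHAR(100) NOT NULL,
    Email        NVARCHAR(254) NOT NULL
        MASKED WITH (FUNCTION = 'email()'),                        -- aXXX@XXXX.com
    CardNumber   CHAR(16)      NOT NULL
        MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'), -- keep only the last 4 digits
    CreditLimit  DECIMAL(10,2) NOT NULL
        MASKED WITH (FUNCTION = 'random(1, 9999)'),                -- random number in range
    Notes        NVARCHAR(400) NULL
        MASKED WITH (FUNCTION = 'default()')                       -- 'xxxx' for strings
);

-- Constructed sample rows.
INSERT INTO dbo.Customers (FullName, Email, CardNumber, CreditLimit, Notes) VALUES
    (N'Alice Example', N'alice@example.com', '4111111111111111', 5000.00, N'VIP'),
    (N'Bob Example',   N'bob@example.net',   '5555555555554444', 1200.00, NULL);

-- A reporting user that only has SELECT sees masked values: the stored data is
-- unchanged, only the result set is obscured.
CREATE USER report_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO report_reader;

EXECUTE AS USER = 'report_reader';
SELECT CustomerId, FullName, Email, CardNumber, CreditLimit, Notes
FROM   dbo.Customers;   -- Email -> aXXX@XXXX.com, CardNumber -> XXXX-XXXX-XXXX-1111
REVERT;

-- Clear-text values are returned only to principals granted UNMASK. Keep this
-- grant limited to the few principals that genuinely need the real values.
GRANT UNMASK TO report_reader;
-- REVOKE UNMASK FROM report_reader;   -- take it away again

-- Inventory of masked columns and their functions: a periodic check that
-- sensitive columns have not lost their mask through a schema change.
SELECT  OBJECT_SCHEMA_NAME(object_id) + '.' + OBJECT_NAME(object_id) AS table_name,
        name             AS column_name,
        masking_function
FROM    sys.masked_columns
ORDER BY table_name, column_name;
```

Two points a practitioner should keep in mind: database administrators and members of `db_owner` always see clear text regardless of the mask, and a user with `SELECT` can still filter on a masked column (`WHERE CardNumber = ...`) and learn whether a value exists. Both are reasons the text says to encrypt sensitive data as well as mask it.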
SQL Server also provides an Auditing & Threat Detection service for all servers. Advanced data collection and intelligence services run on top of these databases to discover threats and vulnerabilities and alert users to them. Audit logs are kept by Azure in storage accounts and can be reviewed by administrators for action. Threats such as SQL injection and anonymous client logins can generate alerts, and administrators can be informed about them by email.
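Reading the audit logs that Azure writes to the storage account, as an added example that is not from the book. It uses `sys.fn_get_audit_file`, which in Azure SQL Database accepts the blob URL of the audit folder; the storage account, container, server and database names in the URL are placeholders to be replaced with the path shown in the server's audit settings, and the caller needs the server admin or equivalent rights to read the files.

```sql
-- Added example (not from the book). The URL is a placeholder: use the audit
-- log path shown for your server. The function reads every .xel file under it.
DECLARE @audit_path NVARCHAR(500) =
    N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server-name>/<database-name>/';

-- Failed logins per client address over the last 24 hours. A burst from one
-- address against several principals is the pattern the brute-force alerts key on.
SELECT  client_ip,
        server_principal_name,
        COUNT(*)        AS failed_logins,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM    sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE   action_id = 'LGIF'                                 -- LOGIN FAILED
  AND   event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY client_ip, server_principal_name
HAVING  COUNT(*) >= 10
ORDER BY failed_logins DESC;

-- Statements whose text carries an injection-shaped fragment (a comment marker
-- or an always-true comparison). This is a coarse triage filter, not a
-- replacement for the built-in threat detection; review the hits by hand.
SELECT  event_time, server_principal_name, client_ip, database_name, statement
FROM    sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE   action_id IN ('SL', 'EX')                          -- SELECT / EXECUTE batches
  AND   event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
  AND  (statement LIKE '%--%' OR statement LIKE '%''1''=''1%')
ORDER BY event_time DESC;
```

Both queries are the kind of thing to wrap in a scheduled job or a Log Analytics equivalent; the audit files themselves are append-only blobs in your storage account, so they remain available for forensics even if the database is later dropped.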
Data can be masked in Azure SQL. This lets us present data in a format that does not make sense to an unauthorized reader:
Azure SQL also provides Transparent Data Encryption to encrypt data at rest, as shown in the following screenshot: