Azure SQL DB – Best Practices and Microsoft Recommendations
This article describes security best practices for Azure SQL DB. These recommendations are not limited to Azure; the same principles apply to other cloud platforms such as AWS or GCP.
The best practices are based on Azure recommendations as well as my experience in Azure. Because technologies change over time, there will be additional recommendations, and I will try to update this article to reflect those changes. Azure has a set of best practices designed to help protect your workloads and keep them safe from constantly evolving threats. This post shares the most important security best practices to help protect your resources.
Three different SQL options are available in Azure, and each option has different recommendations, as below:
Azure SQL Database is a relational database-as-a-service (DBaaS) hosted in Azure that falls into the industry category of Platform-as-a-Service (PaaS). It is best suited to modern cloud applications that want to use the latest stable SQL Server features: it is a fully managed SQL Server database engine based on the latest stable Enterprise Edition of SQL Server. Azure SQL Database offers a single database with its own set of resources, managed via a logical SQL server. Elastic pools provide a cost-effective solution for managing the performance of multiple databases that have variable usage patterns. Recommendations:
- Use Azure AD authentication for SQL DB.
- Enable Transparent Data Encryption (TDE), which encrypts your databases, backups and logs, using a customer-managed key (CMK).
- Enable Microsoft Defender for SQL DB.
- Disable the public endpoint for SQL DB.
- Enable a private endpoint for secure communication to SQL DB; with a private endpoint, the Redirect connection type can be selected for a direct connection to the SQL DB node.
- Apply appropriate tags to identify owner, application, environment and BU.
- Turn on SQL auditing and diagnostic logging: enable logging for Azure SQL DB so that all logs, audit records and metrics are stored in Log Analytics.
- Storage redundancy supports LRS, ZRS and GRS; geo-restore, i.e. the ability to recover from a regional outage, is only available when geo-redundant storage is selected.
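A compliance check that tests a server configuration snapshot against every recommendation in the list above. This is an added example, not code from the article or from Microsoft. The snapshot is constructed and simplified; its field names (publicNetworkAccess, azureADOnlyAuthentication, privateEndpointConnections, serverKeyType, requestedBackupStorageRedundancy, the auditing and security alert policy states) follow Azure Resource Manager property names as an assumption, and in real use the dictionary would be populated from the Azure SDK or `az` CLI output rather than the literal shown.

```python
"""Audit an Azure SQL server configuration snapshot against the recommendations above.

Added example; the snapshot below is CONSTRUCTED and simplified. Field names are
assumed to mirror Azure Resource Manager properties and would normally be filled
from the Azure SDK or `az` CLI output.
"""
from __future__ import annotations

REQUIRED_TAGS = ("owner", "application", "environment", "bu")

# Constructed sample: one logical server with two databases, deliberately
# misconfigured in several places so the audit has something to report.
SAMPLE_SERVER = {
    "name": "sql-example-01",
    "tags": {"owner": "dba-team", "application": "billing", "environment": "prod"},
    "properties": {
        "publicNetworkAccess": "Enabled",
        "administrators": {"azureADOnlyAuthentication": False},
        "privateEndpointConnections": [],
    },
    "encryptionProtector": {"serverKeyType": "ServiceManaged"},
    "auditingSettings": {"state": "Enabled", "isAzureMonitorTargetEnabled": True},
    "securityAlertPolicy": {"state": "Disabled"},
    "databases": [
        {"name": "billing-db", "properties": {"requestedBackupStorageRedundancy": "Geo"}},
        {"name": "reporting-db", "properties": {"requestedBackupStorageRedundancy": "Local"}},
    ],
}


def audit_server(server: dict) -> list[str]:
    """Return one finding per violated recommendation; an empty list means compliant."""
    findings: list[str] = []
    props = server.get("properties", {})
    name = server.get("name", "<unnamed>")

    # Azure AD authentication: AD-only mode removes SQL logins entirely.
    if not props.get("administrators", {}).get("azureADOnlyAuthentication", False):
        findings.append(f"{name}: Azure AD-only authentication is not enforced")

    # TDE with a customer-managed key: the protector must be a Key Vault key.
    if server.get("encryptionProtector", {}).get("serverKeyType") != "AzureKeyVault":
        findings.append(f"{name}: TDE protector is not a customer-managed key (CMK)")

    # Microsoft Defender for SQL (exposed here as the security alert policy state).
    if server.get("securityAlertPolicy", {}).get("state") != "Enabled":
        findings.append(f"{name}: Microsoft Defender for SQL is not enabled")

    # Public endpoint must be disabled.
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append(f"{name}: public network access is enabled")

    # At least one private endpoint connection must exist.
    if not props.get("privateEndpointConnections"):
        findings.append(f"{name}: no private endpoint connection configured")

    # Ownership tags (compared case-insensitively).
    tags = {k.lower() for k in server.get("tags", {})}
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        findings.append(f"{name}: missing tags {missing}")

    # Auditing must be on and must target Log Analytics (Azure Monitor).
    audit = server.get("auditingSettings", {})
    if audit.get("state") != "Enabled" or not audit.get("isAzureMonitorTargetEnabled"):
        findings.append(f"{name}: SQL auditing to Log Analytics is not enabled")

    # Geo-restore needs geo-redundant backup storage on every database.
    for db in server.get("databases", []):
        redundancy = db.get("properties", {}).get("requestedBackupStorageRedundancy")
        if redundancy != "Geo":
            findings.append(
                f"{name}/{db.get('name')}: backup storage redundancy is {redundancy!r}, not Geo"
            )

    return findings


if __name__ == "__main__":
    for finding in audit_server(SAMPLE_SERVER):
        print("FINDING:", finding)
```

Running the script against the constructed snapshot reports seven findings (everything except auditing and the billing-db backup redundancy). The checks are deliberately written as "must equal the secure value" rather than "must not equal the insecure value", so a missing or unexpected property is reported instead of silently passing.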