Azure SQL MI – Best Practices and Microsoft Recommendations
This article describes security best practices for Azure SQL MI. These recommendations are not limited to Azure; most of them also apply to other cloud platforms such as AWS or GCP.
The best practices are based on Azure recommendations as well as my experience in Azure. Because technologies change over time, additional recommendations will appear and I will try to update this KB to reflect those changes. Azure has a set of best practices designed to help protect your workloads from constantly evolving threats. This blog shares the most important security best practices to help protect your resources.
There are 3 different SQL options available in Azure, and each option has its own recommendations, as below:
1> Azure SQL DB – Best Practices and Microsoft Recommendations
2> Azure SQL MI – Best Practices and Microsoft Recommendations
3> SQL on Azure VM (IAAS) – Best Practices and Microsoft Recommendations
Azure SQL Managed Instance (PaaS): – Azure SQL Managed Instance falls into the industry category of Platform-as-a-Service (PaaS) and is the best fit for most migrations to the cloud. SQL Managed Instance is a collection of system and user databases with a shared set of resources that is lift-and-shift ready. SQL Managed Instance supports database migration from on-premises with minimal to no database changes. This option provides all of the PaaS benefits of Azure SQL Database but adds capabilities that were previously only available in SQL Server VMs.
- Use Azure AD authentication for SQL Managed Instance.
- Enable Transparent Data Encryption (TDE), which encrypts your databases, backups, and logs, and use a customer-managed key (CMK) as the TDE protector.
- Enable Microsoft Defender for SQL MI
- Disable public endpoint for SQL MI
- Enable virtual network integration for secure communication to SQL MI.
- Apply appropriate tags to identify owner, application, environment, business unit (BU), chargeback, requester, date created, etc.
- Turn ON SQL Auditing and Diagnostic logging: – enable logging so that all logs, audit records and metrics are stored in Log Analytics.
- Active geo-replication is not supported by Azure SQL Managed Instance. – Need to verify: dates for geo-replication support, size issues, zone support, distributed Always On.
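As an added example (not code from the original article), the script below checks an exported SQL MI resource against the settings listed above. It assumes the ARM property names of the Microsoft.Sql/managedInstances resource (as returned by `az resource show`) and uses a constructed sample resource; Defender, auditing and diagnostic settings live on separate child resources and are not covered here.

```python
"""Offline check of an Azure SQL MI resource definition against the practices above."""
from typing import Dict, List

# Constructed sample in the shape of the ARM resource JSON for
# Microsoft.Sql/managedInstances (property names follow the ARM schema;
# all values are made up for this example).
SAMPLE_MI = {
    "name": "example-mi",
    "tags": {"owner": "dba-team", "application": "billing"},  # no "environment"
    "properties": {
        "publicDataEndpointEnabled": True,
        "subnetId": "/subscriptions/PLACEHOLDER/.../subnets/mi-subnet",
        "minimalTlsVersion": "1.2",
        "keyId": None,  # None: TDE protector is service-managed, not a CMK
        "administrators": {
            "administratorType": "ActiveDirectory",
            "login": "sqladmins@example.com",
            "azureADOnlyAuthentication": False,  # SQL logins still allowed
        },
    },
}

# Tags this article expects on every instance (subset chosen for the example).
REQUIRED_TAGS = ("owner", "application", "environment")


def check_managed_instance(mi: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    props = mi.get("properties") or {}
    findings: List[str] = []
    if props.get("publicDataEndpointEnabled"):
        findings.append("public data endpoint is enabled; disable it")
    if not props.get("subnetId"):
        findings.append("no subnetId: instance is not VNet-integrated")
    admins = props.get("administrators") or {}
    if admins.get("administratorType") != "ActiveDirectory":
        findings.append("no Azure AD administrator configured")
    elif not admins.get("azureADOnlyAuthentication"):
        findings.append("SQL authentication still allowed alongside Azure AD")
    if not props.get("keyId"):
        findings.append("TDE protector is service-managed, not a customer-managed key")
    missing = [t for t in REQUIRED_TAGS if t not in (mi.get("tags") or {})]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in check_managed_instance(SAMPLE_MI):
        print("FINDING:", finding)
```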