SQL on Azure VM (IAAS) – Best Practices and Microsoft Recommendations.
This article describes security best practices for SQL Server running on an Azure VM. The recommendations are not limited to Azure and can also be applied to other cloud platforms such as AWS or GCP.
The best practices are based on Azure recommendations as well as my experience in Azure. Because technologies change over time, additional recommendations will appear and I will try to update this KB to reflect those changes. Azure provides a set of best practices designed to help protect your workloads from constantly evolving threats. This blog shares the most important security best practices to help protect your resources.
There are 3 different SQL options available in Azure, and each option has its own recommendations:
1> Azure SQL DB – Best Practices and Microsoft Recommendations
2> Azure SQL MI – Best Practices and Microsoft Recommendations
3> SQL on Azure VM (IAAS) – Best Practices and Microsoft Recommendations
SQL Server on Azure VM (IaaS): Allows you to run SQL Server inside a fully managed virtual machine (VM) in Azure. This option is preferred when the application requires SQL Server running on a legacy version. It is the closest to an on-premises environment, with additional security, high availability and disaster recovery options at the infrastructure level, and with higher performance and more security controls available. Recommendations:
- Follow all Virtual Machine recommendations, including disk encryption, no public IP, and ASG+NSG for network segmentation
- Encrypt the virtual machine disks with a customer-managed key (CMK)
- Enable Microsoft Defender for the Azure VM
- Disable public access to the SQL VM
- Apply appropriate tags to identify owner, application, environment, BU, chargeback, requester, date created, etc.
- Turn ON diagnostic logging: enable logging for Azure SQL DB to store all logs, audit records and metrics in Log Analytics
- Configure HA and DR options for production instances
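As an added example (not code from the original article), the Python below audits a constructed inventory record for a SQL VM against the checks in this list: CMK disk encryption, no public IP, no NSG rule exposing the SQL port to any source, Defender enabled, the mandatory tag set, and diagnostics sent to Log Analytics. The record shape and field names are assumptions, a simplified stand-in for what a collector script would assemble from Azure resource JSON.

```python
"""Offline audit of SQL-on-VM inventory records against the checklist above.
Added example, not from the original article: the record layout is a constructed,
simplified stand-in for Azure resource JSON, and every field name is an assumption."""

REQUIRED_TAGS = {"owner", "application", "environment", "bu",
                 "chargeback", "requester", "datecreated"}
SQL_PORTS = {"*", "1433"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

def audit_sql_vm(vm: dict) -> dict:
    """Return {check_name: passed} for one VM record."""
    findings = {}
    # CMK: a disk encryption set must be attached; platform-managed keys do not count.
    findings["cmk_disk_encryption"] = bool(vm.get("os_disk", {}).get("disk_encryption_set_id"))
    # No public IP on any NIC.
    findings["no_public_ip"] = not any(nic.get("public_ip") for nic in vm.get("nics", []))
    # No inbound NSG rule that allows the SQL port from an unrestricted source.
    findings["sql_port_not_internet_exposed"] = not any(
        r["direction"] == "Inbound" and r["access"] == "Allow"
        and r["source"] in ANY_SOURCE and r["dest_port"] in SQL_PORTS
        for r in vm.get("nsg_rules", []))
    findings["defender_enabled"] = vm.get("defender_for_servers") is True
    # Tag keys are compared case-insensitively against the mandatory set.
    present = {k.lower() for k in vm.get("tags", {})}
    findings["tags_complete"] = REQUIRED_TAGS <= present
    # Diagnostic settings must ship logs, audit and metrics to a Log Analytics workspace.
    findings["diagnostics_to_log_analytics"] = bool(vm.get("diagnostic_workspace_id"))
    return findings

def failed_checks(vm: dict) -> list:
    """Names of the checks the record does not pass, in a stable order."""
    return sorted(name for name, ok in audit_sql_vm(vm).items() if not ok)

# Constructed sample: CMK, Defender and diagnostics are in place, but the VM has a
# public IP, an NSG rule opening 1433 to any source, and no chargeback tag.
SAMPLE_VM = {
    "name": "sqlvm-prod-01",
    "os_disk": {"disk_encryption_set_id": "/subscriptions/<sub>/.../diskEncryptionSets/des-sql"},
    "nics": [{"name": "nic0", "public_ip": "203.0.113.10"}],
    "nsg_rules": [
        {"direction": "Inbound", "access": "Allow", "source": "*", "dest_port": "1433"},
        {"direction": "Inbound", "access": "Allow", "source": "10.10.2.0/24", "dest_port": "1433"},
    ],
    "defender_for_servers": True,
    "tags": {"Owner": "dba-team", "Application": "erp", "Environment": "prod",
             "BU": "finance", "Requester": "jdoe", "DateCreated": "2024-01-15"},
    "diagnostic_workspace_id": "/subscriptions/<sub>/.../workspaces/law-sec",
}
```

Calling `failed_checks(SAMPLE_VM)` returns the three failing checks for the sample record; feeding records for every SQL VM through it gives a quick drift report against this list.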