Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
2 likes•303 views
This document provides an overview and comparison of SQL Server hosting options in Azure, including Azure SQL Database (PaaS) and SQL Server in Azure VMs (IaaS). It discusses the key differences between the two options, highlighting that Azure SQL Database is fully managed while SQL Server in VMs gives more control. It also covers topics like manageability, performance metrics, pricing tiers, security best practices, and demos of the Azure portal. The document aims to help audiences choose between the "red pill" of Azure SQL Database or the "blue pill" of SQL Server in Azure VMs.
![Securing SQL Azure
“[Cloud security] is a shared
responsibility between the customer
and the cloud vendor.”
Mark Russinovich, Microsoft Azure CTO
https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-
breach-an-inside-look-at-cloud-service-provider-security.pdf](https://image.slidesharecdn.com/azurebootcamp21-180421144944/85/Azure-Boot-Camp-21-04-2018-SQL-Server-in-Azure-Iaas-PaaS-on-prem-Lars-Platzdasch-17-320.jpg)
Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
- 1. SQL Server in Azure IaaS, Paas, on-Prem Planning and Business Continuity or more like Take the Red or the Blue Pill Lars Platzdasch MCT,MCSE SQL, MCSE SharePoint
- 2. Sprecher: Lars Platzdasch Twitter @LarsPlatzdasch Xing /Lars_Platzdasch LinkedIn LarsPlatzdasch Web www.platzdasch.de www.3perspektiven.de MCT: SQL, SharePoint, .net MCSE: SQL Server Data Platform MCSE: SharePoint MCITP: SharePoint 2010, Administrator MCITP: SharePoint 2010, Developer Microsoft Certified Application Developer: .NET Certified Ethical Hacker (CEH) - EC-Council platzdasch netConsult GmbH & Co. KG | ISV 24/7 Support für SQL / SharePoint 3 Perspektiven GmbH | MBS 22 IT, 21 Jahre SQL Server, 14 Jahre SharePoint Gold
- 3. About the Audience • DBAs • Developers • SQL AlwaysOn Availability Groups Experience? • System Administrators • Azure Lovers ;-) • and …
- 4. The Plan 1. High Level Comparison to SQL Server 2. Most Important Slide about the differences 3. Drill into random interesting capabilities 4. Securing 5. Some demos 6. Tips for Iaas
- 5. Hosting Choices for SQL
- 6. Azure SQL DB is SQL Server Except… Common SQL Server “Just change the connection string…” https://azure.microsoft.com/en-us/documentation/articles/sql-database-transact-sql-information/ Additional information on Differences: Azure SQL DB
- 7. Demos • Demo: Meet the Portal (portal.azure.com) • Demo: Create a SQL Database .
- 8. What’s the Same 1. Team 2. Core Code Base 3. Transact-SQL ▪ Yes, full support ▪ https://feedback.azure.com/ 4. Most of the features 5. Mature .
- 9. What’s Missing (or is it?) in Azure SQL DB Category 1: Takes a Different Approach ▪ Example: SQL Agent Category 2: On the way ▪ Network Support ▪ But in the works… Category 3: No plan (?) https://feedback.azure.com/ .
- 10. You access a DB DB is fully managed: High Availability, Backups, Patching Runs latest SQL Server version, based on Enterprise ed. New paradigm of databases and modern app building Different DB sizes: Basic (2GB, 5DTUs) to Premium (1TB, 4000DTUs DB availability SLA: 99.99% 4000DTUs .. Premium) Azure SQL Database SQL Server in Azure VM You access a VM with SQL Server You manage SQL Server and Windows: High Availability, Backups, Patching (automation available) You can run any SQL Server version and edition Full on-premises compatibility Different VM sizes: A0 (1 core, 1GB mem, 100GB) to G5 ( .. ) VM availability SLA: 99.95%: In practice SQL AlwaysOn provides higher availability (~99.99%) Reuse on-premises infrastructure (e.g. Active Directory) Differences :
- 11. SQL Server View on ‘Managed’ Azure SQL Database Low Control | Low Maintenance Shared Lowercost Dedicated Highercost High Control | High Maintenance Hybrid Physical Virtual PaaS SaaS IaaS On premises Off premises SQL Server Physical Machines SQL Server Private Cloud Virtualized Machines SQL Server in Azure VM Virtualized Machines Virtualized Databases Cloud
- 12. Manageability ( Azure SQL DB ) 1. Server Management so easy - not available! ▪ You control schema, indexes, users, etc. as usual ▪ PaaS model 2. 99.95% uptime SLA (one instance) 3. Geo-DR/FO/BC (Active/Passive) 4. Geo-Replication (Active/Active RO) 5. Backups, PiTR .
- 13. DMV Views (https://azure.microsoft.com/en-us/documentation/articles/sql-database-monitoring-with-dmvs/ ) DTU (https://docs.microsoft.com/de-de/azure/sql-database/sql-database-what-is-a-dtu ) eDTU ( elastic Pool DTU) Performance ( Azure DB ) . Data Throughput Unit
- 14. Data Throughput Unit ▪ http://dtucalculator.azurewebsites.net/ ▪ Demo: DTU definition https://azure.microsoft.com/en- us/documentation/articles/sql-database-service- tiers/#understanding-dtus
- 15. SQL / Space / DTU Pools Geo Repl Pricing ( Azure DB )
- 16. Pricing in Tiers and Pools ▪ Demo: Pricing options https://azure.microsoft.com/en-us/pricing/ ▪ https://azure.microsoft.com/en- us/documentation/articles/sql-database- service-tiers/
- 17. Securing SQL Azure “[Cloud security] is a shared responsibility between the customer and the cloud vendor.” Mark Russinovich, Microsoft Azure CTO https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume- breach-an-inside-look-at-cloud-service-provider-security.pdf
- 18. A Cautionary Tale: Code SpaceS 1. DDoS 2. Ransom demand 3. Security breach noticed 4. Fighting back 5. Malicious destruction of assets 6. Security & Business #fail “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.” Data plane (data access) vs. mgmt/control plane (Portal, APIs, PowerShell)ELAPSEDTIME: 12HOURShttp://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/
- 19. Risk Mitigation Internet Exposed RDP or SSH Endpoints Network ACLs or Host-based Firewall; Strong passwords; VPN or SSH Tunnels Virtual Machine Missing Security Patches Keep Automatic Updates Enabled; Web Application Vulnerability Securing Azure Web Applications; Vulnerability scan/penetration test Weak Admin/Co-Admin Credentials Azure Multi-Factor Authentication; Subscription Management Certificate Unrestricted SQL Endpoint Azure SQL Firewall Storage Key Disclosure Manage Access to Storage Resources Insufficient Security Monitoring Azure Security and Log Management; Top Azure Risks Leading to Tenant Breach https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume- breach-an-inside-look-at-cloud-service-provider-security.pdf
- 20. SSO for Built-In Services Use same AAD where makes sense across • Azure • Office 365 • Visual Studio Team Services • Windows 10 (Intune) • Azure SQL Database (!)
- 21. Prefer RBAC to Co-Admin • Co-Admin only option on Classic Portal • RBAC only available on portal.azure.com • New portal support not 100% • https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in- roles/ • https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control- configure/ RBAC : Role Based Access Control ( IAM )
- 22. 1. Always Encrypted 2. TDE, CLE 3. Data Masking 4. Auditing 5. Firewall Protecting Your SQL Database ( Demo )
- 23. Firewalls • SQL DB Server • Database Level: sp_set_firewall_rule • Or SSMS beim Login
- 24. Data Masking • Dynamic Data Masking: • https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking- get-started/ • Server-side
- 25. SQL DB Data Encryption Always Encrypted • Transparent Data Encryption • Server-side • Always Encrypted: https://azure.microsoft.com/en- us/updates/public-preview-always-encrypted- for-azure-sql-database/ • Client-side
- 26. • GEO-REPL Backup / Point In Time Recovery Disaster Recovery and Business Continuity
- 27. SQL Server Iaas
- 28. Some Best Practices (Azure Iaas) • Start the deployment with Lower Specification. • Use DS Series VMs and User Premium storage for higher throughput • Disable geo-redundant storage on the storage accounts. • Enable read caching on the disks hosting the data files and TempDB. • Disable caching on the logs disk. • Strip multiple disks to achieve higher IOPs. • Move all databases to separate disks. (Not in OS disks) • Disable autogrow • Enable instant file initialization for data files.
- 29. • • • • Blue or Red? Azure SQL Database SQL Server in Azure VM
- 30. Resources • Pass or Iaas https://docs.microsoft.com/en-us/azure/sql- database/sql-database-paas-vs-sql-server-iaas
- 31. Q & A Vielen Dank für eure Zeit. @LarsPlatzdasch http://blog.platzdasch.de