This commit is contained in:
Carlos Polop
2025-02-19 02:27:59 +01:00
parent 5e48ce18e0
commit 0828130954

@@ -4,150 +4,96 @@
## Azure SQL
Azure SQL is a family of managed, secure, and intelligent products that use the **SQL Server database engine in the Azure cloud**. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.
Azure SQL is a family of managed database products that use the **SQL Server database** engine in the Azure cloud. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.
Assigned domain: `<server-name>.database.windows.net`
Azure SQL consists of four main offerings:
1. **Azure SQL Server**: Azure SQL Server is a managed relational database service on that simplifies the deployment and management of SQL Server databases, with built-in security and performance features.
2. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning.
3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
4. **Azure SQL Server on Azure VMs**: This is Infrastructure as a Service (IaaS) and is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises.
1. **Azure SQL Server**: A server is needed for the **deployment and management** of SQL Server databases.
2. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud.
3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments.
4. **Azure SQL Server on Azure VMs**: This is best for architectures where you want **control over the operating system **and SQL Server instance.
### Azure SQL Server
## Azure SQL Server
Azure SQL Server is relational database management system (RDBMS) that uses Transact-SQL for data operations and is built to handle enterprise-level systems. It offers robust features for performance, security, scalability, and integration with various Microsoft applications. Azure SQL databases rely on this server, as these are built on this servers and it is the entrypoint for user to access the databases.
#### Network
### SQL Server Security Features
**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy:
- No access: No endpoints are configured, blocking incoming connections until manually set up.
- Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations.
- Private endpoint: Restricts connectivity to a private network.
**Network access:**
**Connection Policy**: Define how clients communicate with the SQL database server:
- Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure.
- Proxy: Routes all client connections through the Azure SQL Database gateway.
- Redirect: Clients connect directly to the node hosting the database.
- Public endpoint (can limit access to specific networks).
- Private endpoints.
- Its also possible to restrict connections based on domain names.
- Its also possible to allow Azure services to access it (like to use the Query editor in the portal or to allow an Azure VM to connect).
#### Authentication Methods
Azure SQL supports various authentication methods to secure database access:
**Authentication Methods:**
- **Microsoft Entra-only authentication**: Uses Microsoft Entra (formerly Azure AD) for centralized identity management and single sign-on.
- **Both SQL and Microsoft Entra authentication**: Allows you to use traditional SQL authentication alongside Microsoft Entra.
- **SQL authentication**: Relies solely on SQL Server usernames and passwords.
- Microsoft **Entra-only** authentication: You need to indicate the Entra principals that will have access to the service.
- **Both SQL and Microsoft Entra** authentication: Traditional SQL authentication with username and password alongside Microsoft Entra.
- **Only SQL** authentication: Only allow access via database users.
#### Security features
Note that if any SQL auth is allowed an admin user (username + password) needs to be indicated and if Entra ID auth is selected its also needed to indicate at least one principal with admin access.
SQL servers have **Managed Identities**. Managed identities allow your server to securely authenticate with other Azure services without storing credentials. It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity. Some of the services that SQL can access are Azure Storage Account(V2), Azure Data Lake Storage Gen2, SQL Server, Oracle, Teradata, MongoDB or Cosmos DB API for MongoDB, Generic ODBC, Bulk Operations and S3-compatible object storage.
**Encryption:**
Other security features that SQL server has are:
- Its called “Transparent data encryption” and it encrypts databases, backups, and logs at rest.
- As always, an Azure managed key is used by default but a customer managed encryption key (CMEK) could also be used.
**Managed Identities:**
- **Firewall Rules**: Firewall rules control access to your server by restricting or allowing traffic. This is a feature of the databases itself too.
- **Transparent Data Encryption (TDE)**: TDE encrypts your databases, backups, and logs at rest to protect your data even if the storage is compromised. It can be done with a service-managed key or a customer -managed key.
- **Microsoft Defender for SQL**: Microsoft Defender for SQL can be enabled offering vulnerability assessments and advanced threat protection for a server.
- Its possible to assign system and user managed MIs.
- Used to access the encryption key (is a CMEK is used) and other services from the databases.
- If more than one UMI is assigned, Its possible to indicate the default one to use.
- Its possible to configure a federated client identity for cross-tenant access.
#### Deployment Models
**Microsoft Defender:**
Azure SQL Database supports flexible deployment options to suit various needs:
- Useful for “mitigating potential database vulnerabilities, and detecting anomalous activities”
- We will talk about Defender in its own lesson (it can be enabled in several other Azure services)
- **Single Database**:
- A fully isolated database with its own dedicated resources.
- Great for microservices or applications requiring a single data source.
- **Elastic Pool**:
- Allows multiple databases to share resources within a pool.
- Cost-efficient for applications with fluctuating usage patterns across multiple databases.
**Backups:**
- Backup frequency is managed in the retention policies.
### Azure SQL Database
**Deleted databases:**
- Its possible to restore DBs that have been deleted from existing backups.
## Azure SQL Database
**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.
#### Key Features
To create a SQL database its needed to indicate the SQL server where itll be hosted.
### SQL Database Security Features
- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically.
- **PaaS Capabilities**: Built-in high availability, backups, and updates.
- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML).
#### Network
**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy:
- No access: No endpoints are configured, blocking incoming connections until manually set up.
- Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations.
- Private endpoint: Restricts connectivity to a private network.
**Connection Policy**: Define how clients communicate with the SQL database server:
- Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure.
- Proxy: Routes all client connections through the Azure SQL Database gateway.
- Redirect: Clients connect directly to the node hosting the database.
#### Security Features
- **Microsoft Defender for SQL**: can be enabled offering vulnerability assessments and advanced threat protection.
- **Ledger**: cryptographically verifies the integrity of data, ensuring that any tampering is detected.
- **Server Identity**: uses system-assigned and user-assigned managed identities to enable centralized access
- **Transparent Data Encryption Key Management**: encrypts databases, backups, and logs at rest without requiring any changes to the application. Encryption can be enabled on each database, and if configured at the database level, these settings override the server-level configuration.
- **Always Encrypted**: is a suite of advanced data protection features that separates data ownership from data management. This ensures that administrators or operators with high privileges cannot access sensitive data.
- **Inherited SQL Server security features:**
- Authentication (SQL and/or Entra ID)
- Assigned Managed Identities
- Network restrictions
- Encryption
- Backups
-
- **Data redundancy:** Options are local, zone, Geo or Geo-Zone redundant.
- **Ledger:** It cryptographically verifies the integrity of data, ensuring that any tampering is detected. Useful to financial, medical and any organization managing sensitive data.
#### Purchasing Models / Service Tiers
- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag
- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks.
- Standard: Balanced resources for common tasks.
- Premium: High performance for demanding workloads.
#### Scalable performance and pools
- **Single Databases**: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1128 vCores, 32 GB4 TB storage, and up to 128 TB).
- **Elastic Pools**: Share resources across multiple databases in a pool to maximize efficiency and save costs. Resources can also be scaled dynamically for the entire pool.
- **Service Tier Flexibility**: Start small with a single database in the General Purpose tier. Upgrade to Business Critical or Hyperscale tiers as needs grow.
- **Scaling Options**: Dynamic Scaling or Autoscaling Alternatives.
#### Built-In Monitoring & Optimization
- **Query Store**: Tracks performance issues, identifies top resource consumers, and offers actionable recommendations.
- **Automatic Tuning**: Proactively optimizes performance with features like automatic indexing and query plan corrections.
- **Telemetry Integration**: Supports monitoring through Azure Monitor, Event Hubs, or Azure Storage for tailored insights.
#### Disaster Recovery & Availavility
- **Automatic backups**: SQL Database automatically performs full, differential, and transaction log backups of databases
- **Point-in-Time Restore**: Recover databases to any past state within the backup retention period.
- **Geo-Redundancy**
- **Failover Groups**: Simplifies disaster recovery by grouping databases for automatic failover across regions.
A SQL database could be part of an **elastic Pool**. Elastic pools are a cost-effective solution for managing multiple databases by sharing configurable compute (eDTUs) and storage resources among them, with pricing based solely on the resources allocated rather than the number of databases.
### Azure SQL Managed Instance
**Azure SQL Managed Instance** is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes.
#### Service Tiers
- **General Purpose**: Cost-effective option for applications with standard I/O and latency requirements.
- **Business Critical**: High-performance option with low I/O latency for critical workloads.
#### Advanced Security Features
* **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance.
* **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control.
* **Backups**: Automated and manual backups with point-in-time restore capability.
**Azure SQL Managed Instances** are for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
### Azure SQL Virtual Machines
**Azure SQL Virtual Machines** is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises. It can have different machine sizes, and a wide selection of SQL Server versions and editions.
**Azure SQL Virtual Machines** allows to **control the operating system** and the SQL Server instance, as a VM will be spawn in the VM service running the SQL server.
#### Key Features
When a SQL Virtual Machine is created its possible to **selected all the settings of the VM** (as shown the VM lesson) that will be hosting the SQL server.
- This means that the VM will be accessing some VNet(s), might have **Managed Identities attached** to it, could have file shares mounted… making a **pivoting from the SQL** to the VM super interesting.
- Moreover, its possible to configure an app id and secret to **allow the SQL to access an specific key vault**, which could contain sensitive info.
**Automated Backup**: Schedule backups for SQL databases.
**Automatic Patching**: Automates the installation of Windows and SQL Server updates during a maintenance window.
**Azure Key Vault Integration**: Automatically configures Key Vault for SQL Server VMs.
**Defender for Cloud Integration**: View Defender for SQL recommendations in the portal.
**Version/Edition Flexibility**: Change SQL Server version or edition metadata without redeploying the VM.
#### Security Features
**Microsoft Defender for SQL**: Security insights and alerts.
**Azure Key Vault Integration**: Secure storage of credentials and encryption keys.
**Microsoft Entra (Azure AD)**: Authentication and access control.
It's also possible to configure things like **automatic SQL updates**, **automatic backups**, **Entra ID authentication** and most of the features of the other SQL services.
## Enumeration
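Review bot: The markdown in `4. **Azure SQL Server on Azure VMs**: This is best for architectures where you want **control over the operating system **and SQL Server instance.` will not render bold because of the space before the closing `**`; it should read `**control over the operating system** and SQL Server instance`. Under the "Inherited SQL Server security features" list there is a stray empty item (a bare `-` after `- Backups`) that renders as an empty bullet and should be dropped. Two numeric specs are damaged: `scales up to 128 TB storag` is truncated, and `1128 vCores, 32 GB4 TB storage` has lost its range dashes (it should read 1–128 vCores and 32 GB–4 TB, as in the Microsoft docs). The Managed Identities sentence "It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity" is hard to follow and gets the model wrong: both system-assigned and user-assigned identities are identities the server uses to authenticate outbound to other Azure services; the difference is that a system-assigned identity is created with and tied to the lifecycle of the server, while a user-assigned identity is a standalone resource that can be attached to the server and reused elsewhere. Minor style: "Its" should be "It's" in the bullets under Network access, Managed Identities and the SQL Virtual Machines section, "Availavility" should be "Availability", "manualy" should be "manually", and "a VM will be spawn" should be "a VM will be spawned".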