Jimmy
2025-02-17 12:41:24 +01:00
parent 90a2f79a0f
commit 5f47797e6a
13 changed files with 382 additions and 158 deletions


@@ -6,28 +6,45 @@
Azure SQL is a family of managed, secure, and intelligent products that use the **SQL Server database engine in the Azure cloud**. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.
Azure SQL consists of three main offerings:
Azure SQL consists of four main offerings:
1. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning.
2. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
3. **Azure SQL Server on Azure VMs**: This is Infrastructure as a Service (IaaS) and is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises.
1. **Azure SQL Server**: Azure SQL Server is a managed relational database service on that simplifies the deployment and management of SQL Server databases, with built-in security and performance features.
2. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning.
3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
4. **Azure SQL Server on Azure VMs**: This is Infrastructure as a Service (IaaS) and is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises.
### Azure SQL Database
### Azure SQL Server
**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.
Azure SQL Server is relational database management system (RDBMS) that uses Transact-SQL for data operations and is built to handle enterprise-level systems. It offers robust features for performance, security, scalability, and integration with various Microsoft applications. Azure SQL databases rely on this server, as these are built on this servers and it is the entrypoint for user to access the databases.
#### Key Features
#### Network
- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically.
- **PaaS Capabilities**: Built-in high availability, backups, and updates.
- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML).
**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy:
- No access: No endpoints are configured, blocking incoming connections until manually set up.
- Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations.
- Private endpoint: Restricts connectivity to a private network.
#### Purchasing Models / Service Tiers
**Connection Policy**: Define how clients communicate with the SQL database server:
- Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure.
- Proxy: Routes all client connections through the Azure SQL Database gateway.
- Redirect: Clients connect directly to the node hosting the database.
- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag
- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks.
- Standard: Balanced resources for common tasks.
- Premium: High performance for demanding workloads.
#### Authentication Methods
Azure SQL supports various authentication methods to secure database access:
- **Microsoft Entra-only authentication**: Uses Microsoft Entra (formerly Azure AD) for centralized identity management and single sign-on.
- **Both SQL and Microsoft Entra authentication**: Allows you to use traditional SQL authentication alongside Microsoft Entra.
- **SQL authentication**: Relies solely on SQL Server usernames and passwords.
#### Security features
SQL servers have **Managed Identities**. Managed identities allow your server to securely authenticate with other Azure services without storing credentials. It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity. Some of the services that SQL can access are Azure Storage Account(V2), Azure Data Lake Storage Gen2, SQL Server, Oracle, Teradata, MongoDB or Cosmos DB API for MongoDB, Generic ODBC, Bulk Operations and S3-compatible object storage.
Other security features that SQL server has are:
- **Firewall Rules**: Firewall rules control access to your server by restricting or allowing traffic. This is a feature of the databases itself too.
- **Transparent Data Encryption (TDE)**: TDE encrypts your databases, backups, and logs at rest to protect your data even if the storage is compromised. It can be done with a service-managed key or a customer -managed key.
- **Microsoft Defender for SQL**: Microsoft Defender for SQL can be enabled offering vulnerability assessments and advanced threat protection for a server.
#### Deployment Models
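Review bot: the new list entry `1. **Azure SQL Server**: Azure SQL Server is a managed relational database service on that simplifies the deployment ...` has a dangling "on that", and it presents the logical server as a fourth product while the section body itself says the databases "rely on this server ... and it is the entrypoint for user to access the databases"; say plainly that the server is the container and entry point for SQL Databases rather than a separate service, and fix that sentence's grammar ("these are built on this servers"). The Managed Identities paragraph needs a rewrite: "It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity" does not distinguish the two types (a system-assigned identity is created with the server and shares its lifecycle; a user-assigned identity is a standalone resource that can be attached to several servers), and the target list (Oracle, Teradata, MongoDB, Generic ODBC, S3-compatible storage) reads like a data-source connector list: a managed identity is an Entra identity and can only authenticate to Entra-protected resources, so either drop the non-Azure entries or name the feature that list actually belongs to. Smaller items: "until is configured manualy" should read "until one is configured manually"; "scales up to 128 TB storag" is truncated; "customer -managed" has a stray space; under DTU-based the sub-bullet "Standard: Balanced resources for common tasks." repeats its parent's description; "This is a feature of the databases itself too" should say that database-level firewall rules exist as well.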
@@ -40,6 +57,44 @@ Azure SQL Database supports flexible deployment options to suit various needs:
- Allows multiple databases to share resources within a pool.
- Cost-efficient for applications with fluctuating usage patterns across multiple databases.
### Azure SQL Database
**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.
#### Key Features
- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically.
- **PaaS Capabilities**: Built-in high availability, backups, and updates.
- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML).
#### Network
**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy:
- No access: No endpoints are configured, blocking incoming connections until manually set up.
- Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations.
- Private endpoint: Restricts connectivity to a private network.
**Connection Policy**: Define how clients communicate with the SQL database server:
- Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure.
- Proxy: Routes all client connections through the Azure SQL Database gateway.
- Redirect: Clients connect directly to the node hosting the database.
#### Security Features
- **Microsoft Defender for SQL**: can be enabled offering vulnerability assessments and advanced threat protection.
- **Ledger**: cryptographically verifies the integrity of data, ensuring that any tampering is detected.
- **Server Identity**: uses system-assigned and user-assigned managed identities to enable centralized access
- **Transparent Data Encryption Key Management**: encrypts databases, backups, and logs at rest without requiring any changes to the application. Encryption can be enabled on each database, and if configured at the database level, these settings override the server-level configuration.
- **Always Encrypted**: is a suite of advanced data protection features that separates data ownership from data management. This ensures that administrators or operators with high privileges cannot access sensitive data.
#### Purchasing Models / Service Tiers
- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag
- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks.
- Standard: Balanced resources for common tasks.
- Premium: High performance for demanding workloads.
#### Scalable performance and pools
- **Single Databases**: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1128 vCores, 32 GB4 TB storage, and up to 128 TB).
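Review bot: `- **Server Identity**: uses system-assigned and user-assigned managed identities to enable centralized access` is cut off (no object, no full stop) and duplicates the Managed Identities paragraph this same commit adds to the Azure SQL Server section, as the `Microsoft Defender for SQL` bullet duplicates the one added there; keep one authoritative description and refer to it from the other section. In the TDE bullet, "Encryption can be enabled on each database, and if configured at the database level, these settings override the server-level configuration" should state that it is the customer-managed key (protector) that can be set per database and overrides the server setting, since TDE itself is enabled by default on new databases. The copied Network text repeats "until is configured manualy" and "128 TB storag" from the previous hunk, and the Single Databases context line `(1128 vCores, 32 GB4 TB storage, and up to 128 TB)` has lost its range separators and should read "1 to 128 vCores, 32 GB to 4 TB storage".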
@@ -60,6 +115,7 @@ Azure SQL Database supports flexible deployment options to suit various needs:
- **Geo-Redundancy**
- **Failover Groups**: Simplifies disaster recovery by grouping databases for automatic failover across regions.
### Azure SQL Managed Instance
**Azure SQL Managed Instance** is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes.
@@ -71,9 +127,9 @@ Azure SQL Database supports flexible deployment options to suit various needs:
#### Advanced Security Features
* **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance.
* **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control.
* **Backups**: Automated and manual backups with point-in-time restore capability.
* **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance.
* **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control.
* **Backups**: Automated and manual backups with point-in-time restore capability.
### Azure SQL Virtual Machines
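Review bot: the three bullets `* **Threat Protection**`, `* **Access Control**` and `* **Backups**` are removed and re-added with identical visible text, so this hunk is a whitespace-only change (indentation or line endings); if that is intended, say so in the commit message, otherwise revert it so blame history on these lines stays clean.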
@@ -100,7 +156,7 @@ Azure SQL Database supports flexible deployment options to suit various needs:
```bash
# List Servers
az sql server list # --output table
az sql server list # managed identities are enumerated here too
## List Server Usages
az sql server list-usages --name <server_name> --resource-group <resource_group>
## List Server Firewalls
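Review bot: replacing `az sql server list # --output table` with `az sql server list # managed identities are enumerated here too` drops the output-format hint, and the new comment only holds for the default JSON output: the server's `identity` block is part of the returned resource but is not among the columns printed with `--output table`. Keep both hints, and consider adding `az sql server list --query "[].{name:name,identity:identity}"` to list just the identity assignments, noting that a null `identity` means no managed identity is assigned to that server.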