Archives For sql azure


A few weeks ago I wrote about the importance of minimizing SQL Azure’s attack surface. My point was to bring awareness to the fact that when you check the “Allow other Windows Azure services to access this server” check box when creating a SQL Azure server, you’re opening the server up to potential attacks from within the data center. The solution, as I wrote, is fairly simple: uncheck the box and add a rule to the SQL Azure firewall that only allows traffic through from your Azure service’s virtual IP address (VIP). To drive the point home I thought I’d create a screencast to show you exactly what I do. Click on the image below to watch and enjoy!

 


ag

I was running a Windows Azure Boot Camp earlier this week in Houston, TX when one attendee brought up, what I consider to be, SQL Azure’s dirty little secret. It’s this checkbox:

[Screenshot: sql_azure_attack]

By default SQL Azure is very secure. Think of it as a server in a block of concrete at the bottom of the ocean: no one is allowed access to it. However, if I check this checkbox, it enables other Windows Azure services from within the data center to access my database. If I want to use the online Microsoft SQL Azure – Management Portal (an online equivalent of SQL Server Management Studio) I need to check the box, but what are the security implications of doing so? After all, other people, some of whom may not have the nicest of intentions, are hosting their apps in the same data center. Have I just opened an attack vector on my database? Could someone write an app that tries to sniff out and attach to other SQL Azure databases running in the same data center? Yes and yes!

What to do, what to do?

I then came up with an idea that I wanted to test out. The first thing I did was to create a SQL Azure database, keeping the checkbox checked, adding a table and loading a few rows into it. I then created a second rule in the firewall to allow my laptop to connect. Next I used Visual Studio to create an Azure project with a single ASP.NET web role that used Entity Framework to display the data from that table on a page. Once I verified that it worked, I packaged and deployed the web role and removed all firewall rules.

[Screenshot: sql_azure_no_fw_rules]

While I waited for the web role to deploy I tried to connect to the database using the online Microsoft SQL Azure – Management Portal, which failed (as expected):

[Screenshot: sql_azure_mgmt_portal_error]

Once my app was up and running I browsed to it and received the following page (as expected):

[Screenshot: sql_azure_ysod]

So far so good, but how can I let my Windows Azure service access the database while preventing other Azure services from accessing it? The answer is simple. Using the properties section of the Windows Azure management portal for my hosted service, I found the Virtual IP (VIP) address for my service:

[Screenshot: sql_azure_vip]

Once I had the VIP, I added a rule to my SQL Azure firewall to only allow traffic from this address:

[Screenshot: sql_azure_fw_rule]

I then tried to access my page again and presto! The data appeared:

[Screenshot: sql_azure_success]

What I’ve done is enable my Windows Azure service to access a SQL Azure database while, at the same time, significantly shrinking the attack surface of my SQL Azure database from all Windows Azure services down to the single VIP address associated with my service. I’d call that a win.

If you decide to go with this approach, which I think you should in a production environment, keep in mind that if you delete your Windows Azure deployment running in the production slot and then deploy a new version of the app, you more than likely will not get the same VIP address, so you’ll want to update your SQL Azure firewall rules. Of course, you could use the Windows Azure PowerShell cmdlets to automate the deployment and firewall update process, but that’s for another post.
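The same change, made in T-SQL instead of the portal, as an added example that is not part of the original post. It assumes you are connected to the server’s master database as the server-level administrator login, and 203.0.113.10 is a constructed placeholder for the VIP of your hosted service:

```sql
-- Added example (not from the original post). Run in the logical master
-- database as the server-level admin login; 203.0.113.10 is a constructed
-- placeholder for the hosted service's VIP shown in the Azure portal.

-- 1. See what is currently open. The "Allow other Windows Azure services
--    to access this server" checkbox shows up here as a rule whose start
--    and end address are both 0.0.0.0 (the portal names it MicrosoftServices).
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules;

-- 2. Close the data-centre-wide hole (use the name step 1 reported).
EXEC sp_delete_firewall_rule @name = N'MicrosoftServices';

-- 3. Open only the VIP of this hosted service: a single-address range.
--    sp_set_firewall_rule creates the rule, or updates it if the name exists.
EXEC sp_set_firewall_rule
    @name             = N'MyHostedServiceVIP',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- 4. Verify: only the VIP rule (plus, if you kept one, the rule for your
--    own workstation) should remain.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
ORDER BY name;
```

Because sp_set_firewall_rule updates an existing rule of the same name, rerunning step 3 with the new address is all that is needed when a redeployment hands your service a different VIP.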

ag

ag

Windows Azure Tools FAQ

December 13, 2011

Over the past twelve months I’ve conducted a number of Windows Azure Boot Camps  around the country with Microsoft’s Mike Benkovich. One of the biggest challenges we notice developers facing is simply getting all of the necessary components installed and configured so they can start developing for Azure. After the latest boot camp in Tulsa, Alex Culp (a colleague of mine at RBA) decided to put together a FAQ to help folks get up and running.  Below are the most common questions (and answers) we’ve encountered this past year. I hope it helps.

Which versions and editions of Windows are supported for development?

Windows 7 (Ultimate, Professional, and Enterprise Editions)
Windows Server 2008
Windows Server 2008 R2
Windows Vista (Ultimate, Business, and Enterprise Editions) with Service Pack 1 or Service Pack 2

Please note the following operating systems are not supported:
Windows XP
Windows Vista/7 Starter, Home Basic, and Home Premium editions

Why do the Windows Azure SDK and tools for Visual Studio fail to install?

In order to install the Windows Azure SDK and tools for Visual Studio you must install Service Pack 1 for Visual Studio 2010.

How do I change the instance of SQL the Windows Azure storage emulator uses?

You can use the DSInit Command-Line Tool to specify which instance of SQL the Windows Azure storage emulator uses on your development machine. If you installed the Windows Azure SDK in the default location, DSInit can be found at C:\Program Files\Windows Azure SDK\<SDK version>\bin\devstore\. Below is an example of how to use DSInit to configure the Windows Azure storage emulator to use the default (unnamed) instance of SQL Server on the local machine.

  1. Run a command prompt as an administrator.
  2. Change the working directory to C:\Program Files\Windows Azure SDK\<SDK version>\bin\devstore\.
  3. Type the following: DSInit /sqlinstance:. /forcecreate
  4. Press Enter.

To view the most current option list, type DSInit /? at the command prompt from the installed location.
 
(For more information on DSInit, please refer to this MSDN article: http://msdn.microsoft.com/en-us/library/windowsazure/gg433005.aspx)

What if I receive an error message that one or more ports used by the Compute Emulator are currently used by other processes?

  1. Determine if any of the following ports are being used by a non-Windows service: 15095, 15096, 15097, 15098, 15099, or 15100. You can run netstat -an from the command line to determine which ports are currently in use.
  2. Navigate to the installation directory of the Compute Emulator. By default the Compute Emulator is installed at C:\Program Files\Windows Azure Emulator\emulator\devfabric.
  3. In the DevFc.exe.config file, locate the add port entry that contains the conflicting port value and modify the value to use a non-conflicting port. The DevFc.exe.config file entries that can be affected are:
    <add key="ManagementServicePort" value="15095" />
    <add key="RepositoryServicePort" value="15096" />
    <add key="AgentCallbackPort" value="15097" />
    <add key="AgentPort" value="15098" />
    <add key="PxeResponderPort" value="15100" />
  4. In the DfService.exe.config file, locate the dfservice element and modify the ManagementServicePort or RepositoryServicePort attribute to use a non-conflicting port.
    <dfservice ManagementServicePort="15095" RepositoryServicePort="15096" />
  5. Press F5 to restart the application or run the CSRun Command-Line Tool.

(For more information see the following MSDN article: http://msdn.microsoft.com/en-us/library/windowsazure/hh472164.aspx)

What if I receive an “Unable to connect to dfService” error message?

There are two potential causes of this problem. The first could be that a non-Windows Azure service is listening on a port Windows Azure requires. To resolve this, take the following steps:

  1. Identify any non-Windows Azure service that is listening on the following ports: 12000, 12001, 12002, 808, 16001, or 15100.
  2. Stop the identified service.
  3. Press F5 to restart the application.

(For more information see the following MSDN article: http://msdn.microsoft.com/en-us/library/windowsazure/hh472164.aspx)
 
The second cause of this issue could be due to a space in the Windows name of the user trying to run the service. To resolve this, take the following steps:

  1. Open a Windows Azure command prompt.
  2. Set the environment variable _CSRUN_STATE_DIRECTORY to a path that does not contain spaces. (For example, _CSRUN_STATE_DIRECTORY=c:\dftemp)
  3. Use CSRun.exe /devfabric:start to start the emulator.

(For more information see the following MSDN article: http://msdn.microsoft.com/en-us/library/windowsazure/hh472165.aspx)

Why can’t I connect to SQL Azure from SQL Server Management Studio?

In order to connect to SQL Azure from SQL Server Management Studio, you need to be running SQL Server Management Studio 2008 R2 (Express or full edition). You can download the Express edition here: http://www.microsoft.com/sqlserver/en/us/editions/express.aspx. Be sure to select the download that includes the tools.
 
In order to connect to SQL Azure you also need to ensure that you’ve configured the SQL Azure firewall to accept traffic from your machine. You can find instructions on how to configure the SQL Azure firewall here: http://msdn.microsoft.com/en-us/library/windowsazure/ee621783.aspx

Currently I’m working on an article for MSDN that discusses the various ways you can secure ASP.NET running in Windows Azure with forms based authentication. The second part of the article discusses how you can use the SqlMembershipProvider and SQL Azure for forms based authentication.

As you may be aware, to prep an on-premises SQL Server database you need to use the Aspnet_regsql.exe utility with a command line similar to the following to install the membership and role services:

aspnet_regsql -S [your server name].database.windows.net -d [your database name] -U [your user name]@[your server name] -P [your password] -A mr

However, if you attempt to run this same command line against a SQL Azure database you will receive the following error message:

An error occurred during the execution of the SQL file ‘InstallCommon.sql’. The SQL error number is 40508 and the SqlException message is: USE statement is not supported to switch between databases. Use a new connection to connect to a different Database.

SQL Server: [your server name].database.windows.net

Database: [your database name]

SQL file loaded:

InstallCommon.sql

This error is due to the fact that SQL Azure does not support the USE statement to switch database context when executing commands against SQL Azure databases. To work around this SQL Azure limitation, Microsoft created a hotfix to enable developers to prepare SQL Azure databases for use by the SqlMembershipProvider and SqlRoleProvider. You can download the hotfix here. To prepare the SQL Azure database you simply run the following command line:

aspnet_regsqlazure -s [your server name].database.windows.net -d [your database name] -u [your user name]@[your server name] -p [your password] -a mr

As I was writing the article, I wanted to test the command line several times, so I thought I would just remove the components from the SQL Azure database with the following command line:

aspnet_regsqlazure -s [your server name].database.windows.net -d [your database name] -u [your user name]@[your server name] -p [your password] -R mr

Unfortunately the hotfix does not support the removal of the services from the SQL Azure database. I could have just deleted the database and created a new one, but what if I had data other than just the role and membership information required by ASP.NET? In that scenario, dropping the database is not an option. So I decided to write a quick script to clear out the services for me. You can get the script here if you need it.
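An added example of the kind of clean-up script described above; it is not the author’s script. It drops the objects that aspnet_regsqlazure -a mr created while leaving the rest of the database intact. It assumes the default aspnet_ object prefix, that nothing else in the database uses that prefix, and that you are connected directly to the application database:

```sql
-- Added example (not the author's linked script): remove the membership
-- and role objects that aspnet_regsqlazure -a mr created, without
-- dropping the database. Assumes the default aspnet_ prefix and that no
-- other objects in this database use it. Run against the app database.
DECLARE @sql NVARCHAR(MAX) = N'';

-- 1. Foreign keys first, so the tables can then be dropped in any order.
SELECT @sql += N'ALTER TABLE ' + QUOTENAME(OBJECT_SCHEMA_NAME(fk.parent_object_id))
            + N'.' + QUOTENAME(OBJECT_NAME(fk.parent_object_id))
            + N' DROP CONSTRAINT ' + QUOTENAME(fk.name) + N';' + CHAR(10)
FROM sys.foreign_keys AS fk
WHERE OBJECT_NAME(fk.parent_object_id) LIKE N'aspnet[_]%';

-- 2. Stored procedures (aspnet_*) and views (vw_aspnet_*).
SELECT @sql += N'DROP ' + CASE o.type WHEN 'P' THEN N'PROCEDURE ' ELSE N'VIEW ' END
            + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
            + N';' + CHAR(10)
FROM sys.objects AS o
WHERE o.type IN ('P', 'V')
  AND (o.name LIKE N'aspnet[_]%' OR o.name LIKE N'vw[_]aspnet[_]%');

-- 3. Tables.
SELECT @sql += N'DROP TABLE ' + QUOTENAME(SCHEMA_NAME(t.schema_id))
            + N'.' + QUOTENAME(t.name) + N';' + CHAR(10)
FROM sys.tables AS t
WHERE t.name LIKE N'aspnet[_]%';

-- 4. Database roles (aspnet_Membership_FullAccess etc.): remove members
--    first, because a role that still has members cannot be dropped.
SELECT @sql += N'EXEC sp_droprolemember ' + QUOTENAME(r.name, '''') + N', '
            + QUOTENAME(m.name, '''') + N';' + CHAR(10)
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name LIKE N'aspnet[_]%';

SELECT @sql += N'DROP ROLE ' + QUOTENAME(r.name) + N';' + CHAR(10)
FROM sys.database_principals AS r
WHERE r.type = 'R' AND r.name LIKE N'aspnet[_]%';

-- Review the generated statements, then run them.
SELECT @sql AS statements_to_run;
EXEC sp_executesql @sql;
```

Running the generated batch once leaves the database ready for another aspnet_regsqlazure -a mr run, which is the test loop the post describes.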

I just wanted to make you aware of the meetings planned for the Twin Cities Cloud Computing User Group for the next 4 months. These are some great topics and speakers that you’re not going to want to miss.

April 8, 2010
Dynamics CRM Online
Presented by Shikhar Agarwal, Sogeti
Register here

May 13, 2010
Custom Applications and SharePoint Online
Presented by Frank Shink, Magenic
Register here

June 10, 2010
SQL Azure
Presented by Mike Benkovich, Microsoft
Register here

July 8, 2010
Azure Storage
Presented by Brent Stineman, Sogeti
Register here

Hope to see you there!

There were a couple of Microsoft releases last week that provided updates to Windows Azure tooling that I wanted to make you aware of in case you hadn’t seen the news.

First, Microsoft released the November CTP of SQL Server 2008 R2. This is an important release on the SQL Azure front because SSMS now supports SQL Azure. There are a number of limitations (i.e. no designer support), but it’s a step in the right direction of making it easier to work with SQL Azure.

You can download the CTP here.
Brent Ozar has a great overview of SQL Azure and SSMS support here.

Second, the Cloud Computing Tools Team released Windows Azure Tools and SDK v1.0 last Friday. Highlights include:

  • Support for Visual Studio 2010 Beta 2
  • Better interface for handling role configuration
  • New role templates including: ASP.NET MVC 2 (2010 only), F# worker roles (2010 only), WCF Service Application web roles
  • Dynamic table creation support

You can download the tools here.

You can download code samples here.

You can read more about the tools on the team’s blog here or on MSDN here.